eZ Publish / Platform / EZP-27216

Invalid image files uploaded through "files" content type or multi file upload are uploaded to var/site/storage/original/image folder

Details

    • Type: Bug
    • Resolution: Unresolved
    • Priority: High
    • QA tracked issues
    • 1.9.0-beta1
    • Operating System: Debian 8
      PHP Version: 5.6.30-0+deb8u1
      Database and version: Mysql 5.5.54-0+deb8u1
      Browser (and version): Firefox 52
      Env: Prod

    Description

      I'm not sure if this applies as an issue, so please evaluate it.
      - If I try to create an "image" using an image file renamed with a "php" extension, I'm unable to do so. - ok
      - If I try to create one "file1.php" using the same renamed image file, then the file is created - ok
      - If I try to create one "file2.php" using a valid PHP file, the file is created - ok as well

      The part I don't know might be a problem (a security one, due to eventual PHP injection...?) is that "file1.php" is saved to "web/var/site/storage/original/image" and the second one, "file2.php", is saved to "web/var/site/storage/original/text".
      So it seems that a validation is done to the file type upon the upload moment and then the location where it is stored depends on that validation.

          People

            Assignee: Unassigned
            Reporter: Paulo Nunes (Inactive)
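The behaviour reported above (the storage subfolder follows the detected content type while the uploaded name keeps its ".php" extension) can be checked on a deployment with a storage audit. The following is an added example, not code from eZ Publish or from the reporter: the extension list is an assumption, and the sample tree and file contents are constructed to mirror the "image" and "text" folders named in the report.

```python
import os
import tempfile

# Extensions a web server may hand to the PHP interpreter (assumed list).
SCRIPT_EXTS = {".php", ".phtml", ".phar", ".php5", ".php7"}
# Magic numbers for common image formats.
IMAGE_MAGIC = {b"\x89PNG\r\n\x1a\n": "png", b"\xff\xd8\xff": "jpeg",
               b"GIF87a": "gif", b"GIF89a": "gif"}


def sniff(path):
    """Classify a file by content, independent of its name."""
    with open(path, "rb") as fh:
        data = fh.read()
    kind = next((name for magic, name in IMAGE_MAGIC.items()
                 if data.startswith(magic)), "other")
    # An image header does not rule out a PHP open tag later in the file.
    return kind, b"<?php" in data.lower()


def audit_storage(root):
    """Return sorted (relative_path, content_kind, has_php_tag) for script-named files."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in SCRIPT_EXTS:
                full = os.path.join(dirpath, name)
                kind, has_tag = sniff(full)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                findings.append((rel, kind, has_tag))
    return sorted(findings)


def build_sample_tree(root):
    """Constructed sample mirroring the layout in the report."""
    samples = {
        "image/file1.php": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,  # renamed image
        "text/file2.php": b"<?php echo 'hello';",                 # real PHP source
        "image/photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,  # ordinary upload
    }
    for rel, content in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for finding in audit_storage(tmp):
            print(finding)
```

Pointing `audit_storage` at a real `var/site/storage/original` directory lists every stored file that kept a script extension, together with what its content actually is.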