EZP-27418 (eZ Publish / Platform)

The package component allows non image files renamed with image extensions

    Details

      Description

      This issue was discovered while testing another issue, under the 5.4.11 certification.

      The tc-3228 test case has the following step:

      5. Now try to upload a file that is an actual image, but which is renamed to an unavailable extension, such as a jpg file named "my_disguised_image.php".

      I tried a variation of this step and renamed a PHP file to have jpg as its extension.

      eZP accepts it.

      Steps to reproduce
      • Create an invalid image:

         ls / > invalidImage.jpg

      • Create a style package.
      • When the package manager asks to select an image, upload the invalidImage.jpg file.
      • Confirm that it accepts that file as an image.
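As an added illustration (not code from eZ Publish or from the reporter), the check below does what the steps above show is missing: it reads the upload's leading bytes and rejects a file whose content signature does not match its claimed image extension, so the `ls /` output saved as invalidImage.jpg is refused while a real JPEG is accepted. It goes slightly beyond the report by also covering PNG and GIF; all function names and sample byte strings are constructed for this example.

```python
import os
from typing import Optional, Tuple

# Leading-byte signatures for the image formats a package thumbnail is likely to be.
IMAGE_TYPES = {
    "jpeg": ({".jpg", ".jpeg"}, (b"\xff\xd8\xff",)),
    "png":  ({".png"}, (b"\x89PNG\r\n\x1a\n",)),
    "gif":  ({".gif"}, (b"GIF87a", b"GIF89a")),
}


def detect_image_type(data: bytes) -> Optional[str]:
    """Name the image format from its magic bytes, or None if no signature matches."""
    head = data[:16]
    for name, (_, magics) in IMAGE_TYPES.items():
        if any(head.startswith(magic) for magic in magics):
            return name
    return None


def validate_image_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Accept only when the extension is an allowed image extension AND the
    content carries the matching signature. Returns (accepted, reason)."""
    ext = os.path.splitext(filename)[1].lower()
    declared = next((n for n, (exts, _) in IMAGE_TYPES.items() if ext in exts), None)
    if declared is None:
        return False, "extension %r is not an allowed image extension" % ext
    detected = detect_image_type(data)
    if detected is None:
        return False, "content has no known image signature"
    if detected != declared:
        return False, "content is %s but extension says %s" % (detected, declared)
    return True, "ok"


# Constructed sample inputs (not files from the issue): output of `ls /` saved as
# invalidImage.jpg, a PHP source file renamed to .jpg, and a minimal JFIF header.
LS_OUTPUT_AS_JPG = b"bin\nboot\ndev\netc\nhome\nlib\nusr\nvar\n"
PHP_AS_JPG = b"<?php\necho 'hello';\n"
REAL_JPEG_HEAD = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01" + b"\x00" * 32

if __name__ == "__main__":
    for name, blob in [("invalidImage.jpg", LS_OUTPUT_AS_JPG),
                       ("invalidImage.jpg", PHP_AS_JPG),
                       ("photo.jpg", REAL_JPEG_HEAD),
                       ("my_disguised_image.php", REAL_JPEG_HEAD)]:
        print(name, validate_image_upload(name, blob))
```

A signature check only confirms the header; a full decode (for example with the image library the application already uses) is the stronger test where false positives matter.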

        Activity

        Eduardo Fernandes (Inactive) created issue -
        Eduardo Fernandes (Inactive) made changes -
        Field Original Value New Value
        Status Open [ 1 ] Confirmed [ 10037 ]
        Eduardo Fernandes (Inactive) made changes -
        Link This issue relates to EZP-26659 [ EZP-26659 ]
        Gunnstein Lye made changes -
        Remaining Estimate 0 minutes [ 0 ]
        Time Spent 15 minutes [ 900 ]
        Worklog Id 64475 [ 64475 ]
        Gunnstein Lye logged work - 29/May/17 6:45 PM
        • Time Spent: 15 minutes

        Gunnstein Lye made changes -
        Assignee Gunnstein Lye [ gunnstein.lye@ez.no ]
        Gunnstein Lye made changes -
        Status Confirmed [ 10037 ] Backlog [ 10000 ]
        Gunnstein Lye made changes -
        Status Backlog [ 10000 ] Development [ 3 ]
        Gunnstein Lye made changes -
        Status Development [ 3 ] Development Review [ 10006 ]
        Gunnstein Lye made changes -
        Status Development Review [ 10006 ] Documentation Review done [ 10011 ]
        Assignee Gunnstein Lye [ gunnstein.lye@ez.no ]
        Rui Silva (Inactive) made changes -
        Status Documentation Review done [ 10011 ] QA [ 10008 ]
        Gunnstein Lye logged work - 08/Sep/17 11:00 AM
        • Time Spent: 30 minutes

        Gunnstein Lye made changes -
        Summary: "The package component is vulnerable to non image files renamed with image extensions" -> "The package component allows non image files renamed with image extensions"
        Gunnstein Lye made changes -
        Description (original value; the new value is the current description shown above):

        This issue was discovered while testing the EZP-26659 security issue, under the 5.4.11 certification.

        The tc-3228 test case has the following step:
        > 5. Now try to upload a file that is an actual image, but which is renamed to an unavailable extension, such as a jpg file named "my_disguised_image.php".

        I tried a variation of this step and renamed a PHP file to have jpg as its extension.

        eZP accepts it.

        Steps to reproduce

        - Create an invalid image:
          ls / > invalidImage.jpg
        - Create a style package.
        - When the package manager asks to select an image, upload the invalidImage.jpg file.
        - Confirm that it accepts that file as an image.
        Gunnstein Lye made changes -
        Original Estimate 0 minutes [ 0 ]
        Security Security [ 10101 ]
        Gunnstein Lye added a comment - - edited

        Description confirmed, though not a security vulnerability, and low priority. Checking whether a jpg file is a valid image can give false positives, and a non-image is easily detected by the user: The image won't be shown.

        Gunnstein Lye made changes -
        Priority Medium [ 4 ] Low [ 5 ]
        Gunnstein Lye made changes -
        Time Spent 15 minutes [ 900 ] 45 minutes [ 2700 ]
        Worklog Id 65549 [ 65549 ]
        Rui Silva (Inactive) made changes -
        Status QA [ 10008 ] InputQ [ 10001 ]
        Assignee Rui Silva [ rui.silva@ez.no ]
        Alex Schuster made changes -
        Workflow EZ* Development Workflow [ 103979 ] EZEE Development Workflow [ 108174 ]
        Transition | Time In Source Status | Execution Times | Last Executer | Last Execution Date
        Open -> Confirmed | 8s | 1 | eduardo.fernandes@ez.no | 26/May/17 5:36 PM
        Confirmed -> Backlog | 103d 20h 40m | 1 | Gunnstein Lye | 07/Sep/17 2:16 PM
        Backlog -> Development | 3s | 1 | Gunnstein Lye | 07/Sep/17 2:16 PM
        Development -> Development Review | 8s | 1 | Gunnstein Lye | 07/Sep/17 2:16 PM
        Development Review -> Documentation Review done | 4m 46s | 1 | Gunnstein Lye | 07/Sep/17 2:21 PM
        Documentation Review done -> QA | 19h 1m | 1 | rui.silva@ez.no | 08/Sep/17 9:23 AM
        QA -> InputQ | 2d 23h 34m | 1 | rui.silva@ez.no | 11/Sep/17 8:57 AM

          People

          • Assignee: Unassigned
          • Reporter: Eduardo Fernandes (Inactive)
          • Votes: 0
          • Watchers: 3

          Time Tracking

          • Estimated: Original Estimate - 0 minutes (0m)
          • Remaining: Remaining Estimate - 0 minutes (0m)
          • Logged: Time Spent - 45 minutes (45m)