View Issue Details

IDProjectCategoryView StatusLast Update
0026668mantisbtbugtrackerpublic2020-02-03 20:41
Reporterobmsch Assigned To 
PrioritynormalSeverityminorReproducibilityN/A
Status newResolutionopen 
Product Version2.23.0 
Summary0026668: file attachment oddity
Description

The simple truth is that the config options "$g_allowed_files" and "$g_disallowed_files" operate
on extensions, whereas file uploads (drop, rest) use the content mime type.
So for example with '$g_disallowed_files = "pdf";' any upload of ".pdf" errors out, but ".pdf.fake" succeeds
and happily displays the fake pdf(!) on demand later on.
-> Check paths for arbitrary code executions/injections.

TagsNo tags attached.

Activities

There are no notes attached to this issue.

Issue History

Date Modified Username Field Change
2020-02-03 20:41 obmsch New Issue