
Conversation

@glye (Member) commented Jul 13, 2023

JIRA issue: IBX-6185
Type: improvement
Target eZ Platform version: v2.5
BC breaks: no

The file upload blocklist includes file types that are not allowed to be uploaded.
https://github.com/ibexa/core/blob/main/src/bundle/Core/Resources/config/default_settings.yml#L111

Some variants of PHP file types are not included by default; we should add them:
php4, php5, phps

Doc PR for the security checklist: ibexa/documentation-developer#2059

Checklist:

  • Provided PR description.
  • Tested the solution manually.
  • Provided automated test coverage.
  • Checked that target branch is set correctly (master for features, the oldest supported for bugs).
  • Ran PHP CS Fixer for new PHP code (use $ composer fix-cs).
  • Asked for a review (ping @ezsystems/engineering-team).
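The check the description refers to, as an added example that is not Ibexa's code (the class name `UploadExtensionBlocklist` and the extension list are assumptions made here; the real list lives in default_settings.yml). It goes one step beyond the PR: besides doing a case-insensitive comparison, it inspects every dot-separated segment of the name rather than only the final extension, because an Apache `AddHandler ... .php` style configuration will hand a name such as `shell.php4.jpg` to the PHP interpreter as well.

```php
<?php
declare(strict_types=1);

/**
 * Added example, not Ibexa's code: an upload extension blocklist check.
 * The class name and the list of extensions used below are assumptions
 * made for this example.
 */
final class UploadExtensionBlocklist
{
    /** @var array<string, true> lower-case extensions that must never be stored */
    private array $blocked;

    /** @param string[] $blocked extensions without the leading dot */
    public function __construct(array $blocked)
    {
        // Normalise once, so each check is a plain case-insensitive hash lookup
        // (no regexp is ever evaluated against user-supplied input).
        $this->blocked = array_fill_keys(array_map('strtolower', $blocked), true);
    }

    /**
     * Every dot-separated segment after the base name is checked, not only
     * the last one: with Apache's "AddHandler ... .php" a name such as
     * "shell.php4.jpg" can still reach the PHP interpreter.
     */
    public function isBlocked(string $fileName): bool
    {
        $segments = explode('.', basename($fileName));
        array_shift($segments); // drop the base name itself ("README" has no extension)

        foreach ($segments as $segment) {
            if (isset($this->blocked[strtolower($segment)])) {
                return true;
            }
        }

        return false;
    }
}

// Constructed list: the three variants this PR adds plus a few others that
// are commonly blocked; it is not the project's default list.
$blocklist = new UploadExtensionBlocklist([
    'php', 'php3', 'php4', 'php5', 'phps', 'phtml', 'phar',
]);

// Constructed sample upload names.
$uploads = [
    'report.pdf',       // allowed
    'photo.jpg',        // allowed
    'README',           // allowed: no extension at all
    'shell.PHP5',       // blocked: comparison is case-insensitive
    'index.phps',       // blocked: often served as highlighted source, leaking code
    'shell.php4.jpg',   // blocked: inner extension would still hit the handler
];

foreach ($uploads as $name) {
    printf("%-16s %s\n", $name, $blocklist->isBlocked($name) ? 'blocked' : 'allowed');
}
```

Whichever list the application ships, it is only one layer: the web server must still refuse to execute anything under the upload directory, which is the point both reviewers make further down the thread.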

@sonarqubecloud commented

Kudos, SonarCloud Quality Gate passed!

  • Bugs: A (0 Bugs)
  • Vulnerabilities: A (0 Vulnerabilities)
  • Security Hotspots: A (0 Security Hotspots)
  • Code Smells: A (0 Code Smells)
  • Coverage: no coverage information
  • Duplication: 0.0%

@Steveb-p (Contributor) left a comment

A regexp would be more applicable to the case, although then again executing uploaded files in any interpreter should not be possible due to webserver settings 😄

@Steveb-p Steveb-p requested a review from a team July 17, 2023 08:09
@konradoboza konradoboza requested a review from alongosz July 17, 2023 08:10
@alongosz alongosz changed the title IBX-6185: Add more PHP file types to default upload blocklist IBX-6185: Added more PHP file types to default upload blocklist Jul 17, 2023
@glye (Member, Author) commented Jul 17, 2023

@Steveb-p A plain list is easier for our users, I think. And there's even a potential risk in running a regexp on user-supplied data. Yes, the webserver should block execution anyway. Security is like onions: it has layers... 👹

@glye glye merged commit 6c44c70 into 7.5 Jul 18, 2023
@glye glye deleted the ibx6185-add_types_to_upload_blocklist branch July 18, 2023 11:29
