Aon’s Cyber Solutions recently discovered a security vulnerability in all versions of Drupal 8 below 8.7.11 / 8.8.1. A change in default behavior introduced in Drupal 8’s file_save_upload function can potentially lead to security vulnerabilities in modules or other callers of this function.

08/15/19 – Initial disclosure to – Issue confirmed and opened on Drupal’s bug tracker
12/18/19 – Aon/Drupal coordinated disclosure

Aon would like to thank the Drupal security team for working with us as part of our coordinated disclosure process.

This issue was discovered by Rohit Kapur.

SA-CORE-2019-010: Drupal 8 File Upload Vulnerability

Drupal 8 no longer trims the leading dot (“.”) from the filename on upload as Drupal 7 did. Modules or other code relying on the Drupal 7 behavior as a security control can become vulnerable when used with Drupal 8.

For example, Drupal 8 with a file upload module such as IMCE running under the default configuration with an Apache web server, allows authenticated administrative users to upload a .htaccess file that can modify the server’s executable file extensions to achieve remote code execution. Under certain configurations, this issue can be exploited by non-administrative users as well. This is due to a change in the file_save_upload function between Drupal 7 and Drupal 8.

The code snippet below from Drupal 7.6.7 utilizes the trim function to remove leading and trailing dots from the filename input.

drupal-7.67/includes/file.inc:

```php
$file = new stdClass();
$file->filename = trim(drupal_basename($_FILES), '.');
$file->filemime = file_get_mimetype($file->filename);
$file->filesize = $_FILES;
```

Conversely, Drupal 8’s file_save_upload function does not call trim and allows filenames with leading and trailing dots.

This change in default behavior can lead to security vulnerabilities in cases where modules or other code relies on the previous behavior as a security control.
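As an added example (not code from Drupal core, IMCE or the advisory), a module that relied on the Drupal 7 trimming can apply the same normalisation itself before saving an upload, and reject names that are empty or still dotfiles afterwards. The function name `example_safe_upload_name` and the sample filenames are hypothetical.

```php
<?php
// Added example: hypothetical helper, not Drupal core or IMCE code.

/**
 * Normalise a client-supplied upload name the way Drupal 7 did
 * (basename, then strip leading and trailing dots), then refuse the
 * result if it is empty or still begins with a dot.
 *
 * @return string|null Safe filename, or null if the upload should be rejected.
 */
function example_safe_upload_name(string $client_name): ?string {
  // Drop directory components supplied by the client (either separator).
  $name = basename(str_replace('\\', '/', $client_name));
  // The same call Drupal 7 made: remove leading and trailing dots.
  $name = trim($name, '.');
  // Remove control characters. This runs after trim(), so a dot that was
  // hidden behind a control character is exposed here and caught below.
  $name = preg_replace('/[\x00-\x1F\x7F]/', '', $name);
  if ($name === '' || $name[0] === '.') {
    return null;
  }
  return $name;
}

// Constructed sample inputs, not taken from the advisory.
$samples = ['.htaccess', '..htaccess.', 'report.pdf', 'dir/.htaccess', '...', "\n.htaccess"];
foreach ($samples as $s) {
  $safe = example_safe_upload_name($s);
  printf(
    "%-18s -> %s\n",
    json_encode($s, JSON_UNESCAPED_SLASHES),
    $safe === null ? '(rejected)' : $safe
  );
}
```

With this in place, `.htaccess` is stored as `htaccess`, which matches the Drupal 7 result, while `...` and the control-character variant are rejected.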