MIME Content Type is not properly handled while attaching the files
Recently upgraded to 4.0.4. While doing the information security testing, the team raised a vulnerability:
"The application does not validate the content type of file being uploaded. This would enable an adversary to upload a malicious file onto the server."
If I change the extension of a file from .com to .pdf, Redmine allows the file upload in issues as an attachment and stores the content type as "*application/pdf*" in the table.
Due to this issue we are unable to roll out the new version.
Urgent help required.
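The mismatch described in this report, as an added example that is not Redmine's own code: the type derived from the filename (what ends up in the table) is compared with the type implied by the file's leading bytes, so a .com renamed to .pdf is flagged instead of being recorded as application/pdf. The extension and signature tables are assumed, reduced stand-ins for Redmine::MimeType and a magic-number library.

```ruby
require 'stringio'

# Added example, not Redmine's own code: compares the content type an upload
# claims through its extension with the type implied by its leading bytes.
# Assumption: the tables below are a reduced stand-in for Redmine::MimeType
# and for a magic-number library; only a few well-known signatures are listed.
EXTENSION_TYPES = {
  'pdf' => 'application/pdf', 'png' => 'image/png',
  'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
  'com' => 'application/x-msdownload', 'exe' => 'application/x-msdownload'
}.freeze

# Leading-byte signatures, built with pack so the literals stay binary.
MAGIC_SIGNATURES = {
  'application/pdf' => '%PDF-'.b,
  'image/png' => [0x89].pack('C') + "PNG\r\n\x1a\n".b,
  'image/jpeg' => [0xFF, 0xD8, 0xFF].pack('C*'),
  'application/x-msdownload' => 'MZ'.b
}.freeze

# Type Redmine would record from the filename alone (what the report shows).
def type_from_extension(filename)
  ext = File.extname(filename).sub(/\A\./, '').downcase
  EXTENSION_TYPES[ext]
end

# Type implied by the first bytes of the content, or nil if nothing matches.
def type_from_magic(io)
  head = io.read(16).to_s.b
  io.rewind if io.respond_to?(:rewind)
  MAGIC_SIGNATURES.each { |type, sig| return type if head.start_with?(sig) }
  nil
end

# :ok when extension and content agree, :mismatch when they disagree
# (the renamed .com -> .pdf case), :unknown_* when either side is unknown.
def validate_upload(filename, io)
  declared = type_from_extension(filename)
  return :unknown_extension unless declared
  actual = type_from_magic(io)
  return :unknown_content unless actual
  declared == actual ? :ok : :mismatch
end

if __FILE__ == $0
  renamed = StringIO.new('MZ'.b + [0x90, 0x00].pack('C*'))  # constructed DOS/PE header
  puts "evil.pdf -> #{validate_upload('evil.pdf', renamed)}"  # mismatch
end
```

A rejected or quarantined :mismatch result is the point; :unknown_content is worth logging too, since the check cannot vouch for a type it has no signature for.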
Updated by Go MAEDA over 4 years ago
What do you think about this workaround? It prevents web browsers from opening crafted PDF files inline.
diff --git a/app/models/attachment.rb b/app/models/attachment.rb index a334024b4..3ec3e0e69 100644 --- a/app/models/attachment.rb +++ b/app/models/attachment.rb @@ -249,7 +249,7 @@ class Attachment < ActiveRecord::Base end def is_pdf? - Redmine::MimeType.of(filename) == "application/pdf" + Redmine::MimeType.of(filename) == "application/pdf" && MimeMagic.by_magic(File.open(diskfile)).type == 'application/pdf' end def is_video?
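Review bot: the added condition in `is_pdf?` calls `.type` directly on the return value of `MimeMagic.by_magic`, which is nil when no signature matches the file's leading bytes; that is exactly the renamed-file case this change is meant to catch, so the method would raise NoMethodError instead of returning false. The `File.open(diskfile)` handle is also never closed. Suggest opening the file in a block and guarding the nil, e.g. `File.open(diskfile) { |f| m = MimeMagic.by_magic(f); m && m.type == 'application/pdf' }`, and documenting that MimeMagic must now be available as a dependency wherever this model is loaded.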