Defect #31968
MIME Content Type is not properly handled while attaching the files
Description
Recently upgraded to 4.0.4. While doing information security testing, the team raised a vulnerability:
"The application does not validate the content type of the file being uploaded. This would enable an adversary to upload a malicious file onto the server."
If I change the extension of a file from .com to .pdf, Redmine allows the file to be uploaded to an issue as an attachment and stores the content type as "application/pdf" in the table.
Due to this issue we are unable to roll out the new version.
Urgent help required.
Thanks
Updated by Go MAEDA about 5 years ago
- Category changed from Files to Attachments
Updated by Go MAEDA about 5 years ago
What do you think about this workaround? It prevents web browsers from opening crafted PDF files inline.
diff --git a/app/models/attachment.rb b/app/models/attachment.rb
index a334024b4..3ec3e0e69 100644
--- a/app/models/attachment.rb
+++ b/app/models/attachment.rb
@@ -249,7 +249,7 @@ class Attachment < ActiveRecord::Base
end
def is_pdf?
- Redmine::MimeType.of(filename) == "application/pdf"
+ Redmine::MimeType.of(filename) == "application/pdf" && MimeMagic.by_magic(File.open(diskfile)).type == 'application/pdf'
end
def is_video?
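Review bot: the changed `is_pdf?` line opens `diskfile` without ever closing it (`File.open` outside a block leaks the handle on every call), and `MimeMagic.by_magic(...)` returns `nil` when no signature matches, so `.type` raises `NoMethodError` for exactly the renamed `.com` case this workaround targets; use the block form and guard the result, e.g. `File.open(diskfile) { |f| (m = MimeMagic.by_magic(f)) && m.type == 'application/pdf' }`. Note also that `is_pdf?` only governs how an already stored attachment is served, so this does not stop the mismatched file from being uploaded and saved.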
Updated by Amit Mehendale about 5 years ago
Thanks for the prompt help.
Made the necessary changes. The file is still getting uploaded into the system.
We need to block the upload itself if the two types do not match.
Updated by Amit Mehendale about 5 years ago
- File attachment.rb attachment.rb added
- Status changed from New to Resolved
Added new code in attachment.rb and en.yml (for a custom error message).
Attaching the new file for further reference.
Thanks for the help.
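A self-contained version of the upload-time check discussed above, added here as an example; it is not Redmine's code and not the attachment.rb posted in the thread. It compares the MIME type implied by the filename extension (a small constructed table standing in for Redmine::MimeType) with the type sniffed from the file's leading bytes (a handful of signatures standing in for MimeMagic) and raises when the two disagree, which is what blocks the ".com renamed to .pdf" case. The helper names, the signature table and the sample byte strings are constructed for the example.

```ruby
# Added example, not Redmine's own code: reject an upload whose extension
# claims a MIME type the file content does not actually have.
require "tempfile"

# Constructed subset of extension -> MIME type (Redmine::MimeType has its own table).
EXT_TYPES = {
  "pdf" => "application/pdf",
  "png" => "image/png",
  "jpg" => "image/jpeg", "jpeg" => "image/jpeg",
  "gif" => "image/gif",
  "zip" => "application/zip",
  "txt" => "text/plain",
}.freeze

# Constructed magic-byte signatures: [offset, bytes, mime]. MimeMagic knows many more.
MAGIC = [
  [0, "%PDF-".b,              "application/pdf"],
  [0, "\x89PNG\r\n\x1a\n".b,  "image/png"],
  [0, "\xFF\xD8\xFF".b,       "image/jpeg"],
  [0, "GIF87a".b,             "image/gif"],
  [0, "GIF89a".b,             "image/gif"],
  [0, "PK\x03\x04".b,         "application/zip"],
  [0, "MZ".b,                 "application/x-msdownload"],
].freeze

class ContentTypeMismatch < StandardError; end

def type_by_extension(filename)
  EXT_TYPES[File.extname(filename).delete_prefix(".").downcase]
end

# Reads only the first 16 bytes; the block form of File.open closes the handle.
# Returns nil when no signature matches instead of raising.
def type_by_magic(path)
  head = File.open(path, "rb") { |f| f.read(16) }.to_s
  hit = MAGIC.find { |off, sig, _| head.byteslice(off, sig.bytesize) == sig }
  hit && hit[2]
end

# Returns the MIME type to store, or raises ContentTypeMismatch so the caller
# can refuse the upload (Redmine would surface this as a validation error).
#  - unknown extension: nothing to cross-check, so report the sniffed type
#    (or octet-stream) and let an allowlist decide
#  - text/plain: carries no magic, so it is accepted only if the content is
#    not some recognised binary format
#  - otherwise the sniffed type must equal the claimed type
def validate_upload!(filename, path)
  claimed = type_by_extension(filename)
  actual  = type_by_magic(path)
  return actual || "application/octet-stream" if claimed.nil?
  if claimed == "text/plain"
    raise ContentTypeMismatch, "#{filename}: claims text but content is #{actual}" if actual
    return claimed
  end
  unless actual == claimed
    raise ContentTypeMismatch,
          "#{filename}: extension says #{claimed}, content is #{actual || 'unrecognised'}"
  end
  claimed
end

def upload_allowed?(filename, path)
  validate_upload!(filename, path)
  true
rescue ContentTypeMismatch
  false
end

# Constructed sample files written to temp storage for the demonstration.
KEEP = [] # keeps Tempfile objects referenced so GC does not unlink them early
def write_sample(bytes)
  t = Tempfile.new("upload")
  t.binmode
  t.write(bytes)
  t.close
  KEEP << t
  t.path
end

PDF_BYTES = "%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n".b  # constructed
PE_BYTES  = "MZ\x90\x00\x03\x00\x00\x00\x04\x00".b                 # constructed PE header start
RAW_COM   = "\xB8\x00\x4C\xCD\x21".b                                # constructed raw DOS .com, no magic

if __FILE__ == $PROGRAM_NAME
  puts upload_allowed?("report.pdf", write_sample(PDF_BYTES)) # true
  puts upload_allowed?("report.pdf", write_sample(PE_BYTES))  # false: executable renamed to .pdf
  puts upload_allowed?("report.pdf", write_sample(RAW_COM))   # false: unrecognised content is not a PDF
end
```

The signature check is intentionally conservative: a file whose extension promises a binary format must start with that format's magic, and an unrecognised blob never passes as a PDF or image. A real deployment should keep the allowlist of accepted extensions separate from this cross-check, because an unknown extension yields nothing to compare against.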