Defect #31968


MIME Content Type is not properly handled while attaching the files

Added by Amit Mehendale about 5 years ago. Updated about 5 years ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: Attachments
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:
Resolution:
Affected version:

Description

Recently upgraded to 4.0.4. While doing the information security testing, the team raised a vulnerability:
"The application does not validate the content type of the file being uploaded. This would enable an adversary to upload a malicious file onto the server."

If I change the extension of a file from .com to .pdf, Redmine allows the file upload in issues as an attachment and stores the content type as "application/pdf" in the table.

Due to this issue we are unable to roll out new version.

Urgent help required.
Thanks


Files

WinSCP.pdf (286 KB) WinSCP.pdf This is an executable file and should not be allowed to upload. Amit Mehendale, 2019-08-28 08:12
attachment.rb (16 KB) attachment.rb Amit Mehendale, 2019-08-28 14:41
Actions #1

Updated by Go MAEDA about 5 years ago

  • Category changed from Files to Attachments
Actions #2

Updated by Go MAEDA about 5 years ago

What do you think about this workaround? It prevents web browsers from opening crafted PDF files inline.

diff --git a/app/models/attachment.rb b/app/models/attachment.rb
index a334024b4..3ec3e0e69 100644
--- a/app/models/attachment.rb
+++ b/app/models/attachment.rb
@@ -249,7 +249,7 @@ class Attachment < ActiveRecord::Base
   end

   def is_pdf?
-    Redmine::MimeType.of(filename) == "application/pdf" 
+    Redmine::MimeType.of(filename) == "application/pdf" && MimeMagic.by_magic(File.open(diskfile)).type == 'application/pdf'
   end

   def is_video?
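Review bot: `MimeMagic.by_magic` returns nil when it cannot identify the content, so the added `is_pdf?` line raises NoMethodError on `.type` for any file that matches no known signature, and `File.open(diskfile)` without a block leaves the handle open until garbage collection. A safer form is `Redmine::MimeType.of(filename) == "application/pdf" && File.open(diskfile) { |f| MimeMagic.by_magic(f)&.type } == 'application/pdf'` (with an explicit nil check instead of `&.` where that operator is not available). Note also that `is_pdf?` only decides inline display, so this hunk alone does not stop a file whose extension and content disagree from being stored.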
Actions #3

Updated by Amit Mehendale about 5 years ago

Thanks for prompt help.

Made the necessary changes. The file is still getting uploaded into the system.

We need to block the upload itself if the two types do not match.
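One way to do the block-at-upload check asked for above, as an added example that is neither Redmine's code nor the patch from this thread: it compares the MIME type implied by the filename extension with the type found in the file's leading magic bytes and refuses the upload when they differ. The signature table, the helper names (`declared_mime`, `sniff_mime`, `validate_upload`) and the sample inputs are constructed for this example; a real deployment would consult the full MimeMagic database rather than the four signatures shown.

```ruby
require "stringio"

# Extension -> MIME type the name claims (constructed subset for this example).
EXT_TYPES = {
  "pdf" => "application/pdf",
  "png" => "image/png",
  "zip" => "application/zip",
  "exe" => "application/x-msdownload",
  "com" => "application/x-msdownload"
}.freeze

# Leading byte signatures for those types (constructed subset; a real
# deployment would use the MimeMagic database instead).
MAGIC = [
  ["%PDF-".b,             "application/pdf"],
  ["\x89PNG\r\n\x1A\n".b, "image/png"],
  ["PK\x03\x04".b,        "application/zip"],
  ["MZ".b,                "application/x-msdownload"]
].freeze

# MIME type the filename extension claims, or nil for an unknown extension.
def declared_mime(filename)
  EXT_TYPES[File.extname(filename).delete_prefix(".").downcase]
end

# MIME type found by the leading bytes, or nil when no signature matches.
# Reads only the prefix and rewinds, so the caller can still store the stream.
def sniff_mime(io)
  head = io.read(8).to_s.b   # longest signature above is 8 bytes
  io.rewind
  match = MAGIC.find { |sig, _| head.start_with?(sig) }
  match && match[1]
end

# Decide whether an upload may be stored. Returns [accepted, detail].
def validate_upload(filename, io)
  claimed = declared_mime(filename)
  actual  = sniff_mime(io)
  return [false, "extension not allowed"] if claimed.nil?
  return [false, "unrecognised content"] if actual.nil?
  return [false, "content is #{actual}, not #{claimed}"] if actual != claimed
  [true, claimed]
end

# Constructed samples: an executable renamed to .pdf (MZ header, like the
# WinSCP.pdf from the report) and a genuine PDF header.
RENAMED_EXE = StringIO.new("MZ\x90\x00\x03\x00\x00\x00".b + "\x00" * 16)
REAL_PDF    = StringIO.new("%PDF-1.4\n%\xE2\xE3\xCF\xD3\n".b)
```

In Redmine this kind of check belongs in a validation on the Attachment model, run before the file is written to disk, so that a mismatch rejects the upload with an error message rather than only changing how the file is displayed.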

Actions #4

Updated by Amit Mehendale about 5 years ago

Added new code in attachment.rb and en.yml (for a custom error message).

Attaching new file for further reference.

Thanks for the help
