Defect #34367

Allowed filename extensions of attachments can be circumvented

Added by Holger Just over 1 year ago. Updated 9 days ago.

Status: Closed
Start date:
Priority: Normal
Due date:
Assignee: Go MAEDA
% Done: 0%
Category: Attachments
Target version: 4.0.9
Resolution: Fixed
Affected version:

Description

In #20008, Redmine introduced the ability to restrict the allowed extensions of attachment filenames.

This check is not exhaustive though, meaning it is easily possible to subvert the restriction. There are two ways a user can still use any arbitrary filename despite restrictions in place:

  • As reported by Bartu Ogur via email to , it is also possible to update the filename of an uploaded attachment when it is attached to an object. The filename of the original file is checked only during attachments#upload, when the attachment is initially created. However, we do allow overwriting the filename (and content type) of an attachment when it is attached to an object in redmine:source:trunk/lib/plugins/acts_as_attachable/lib/acts_as_attachable.rb#L105.
  • Furthermore, after an attachment was initially added with an allowed extension and was successfully attached to an object, the filename can be edited freely to set any filename, including with a forbidden extension.

For administrators trying to restrict the types of files which can be uploaded, these limitations are not obvious, making the usage of this feature potentially dangerous (also with Redmine relying on the extension to determine the content type in a lot of areas).

To fix the reported issue and to enforce the filename check everywhere on change, we could use the attached patch against current trunk. With this patch, each change of the filename will be validated against the list of allowed attachments. This will remove the ability to set a currently forbidden extension on any file, regardless of when it was created.

0001-Validate-attachment-filenames-on-every-change.patch (3.04 KB) Holger Just, 2020-12-02 15:09
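The report above contrasts a check that runs only at upload time with one that runs on every filename change. The following plain Ruby sketch, added here as an illustration and not taken from Redmine or from the attached patch, models both shapes side by side: `AttachmentPolicy`, `UploadOnlyCheckedAttachment`, `AlwaysCheckedAttachment` and `demonstrate` are names assumed for this example, and the allow-list and filenames are constructed sample values. It runs the two bypass paths the report describes (rename while attaching, rename after the fact) against each shape and reports which filename survives.

```ruby
# Added example (not Redmine's code): models the two placements of the
# extension allow-list check that the report compares. All class and
# method names here are assumptions for the illustration.
require 'set'

# Extension allow-list, comparable in spirit to Redmine's allowed-extensions
# setting. Extensions are compared case-insensitively and without the dot.
class AttachmentPolicy
  def initialize(allowed_extensions)
    @allowed = allowed_extensions.map { |e| e.downcase.delete_prefix('.') }.to_set
  end

  # Only the final extension counts, so "a.png.html" is judged by "html";
  # a filename with no extension (or a bare trailing dot) is rejected.
  def allowed_filename?(filename)
    ext = File.extname(filename.to_s).delete_prefix('.').downcase
    return false if ext.empty?
    @allowed.include?(ext)
  end
end

class ForbiddenExtension < StandardError; end

# Vulnerable shape: the check runs once, when the attachment is created
# (the equivalent of attachments#upload). Any later assignment to
# `filename` goes through the plain accessor and is never re-checked.
class UploadOnlyCheckedAttachment
  attr_accessor :filename

  def initialize(filename, policy)
    raise ForbiddenExtension, filename unless policy.allowed_filename?(filename)
    @filename = filename
  end
end

# Fixed shape: every assignment to `filename` is validated, so neither
# attaching under a new name nor editing afterwards can reach a forbidden one.
class AlwaysCheckedAttachment
  attr_reader :filename

  def initialize(filename, policy)
    @policy = policy
    self.filename = filename
  end

  def filename=(new_name)
    raise ForbiddenExtension, new_name unless @policy.allowed_filename?(new_name)
    @filename = new_name
  end
end

# Runs the same rename against both shapes and returns the filename each
# attachment ends up with. Sample allow-list and names are constructed.
def demonstrate(policy = AttachmentPolicy.new(%w[png txt]))
  results = {}

  a = UploadOnlyCheckedAttachment.new('notes.txt', policy)
  a.filename = 'notes.bin'            # rename after upload: not re-checked
  results[:upload_only] = a.filename  # => "notes.bin"

  b = AlwaysCheckedAttachment.new('notes.txt', policy)
  begin
    b.filename = 'notes.bin'          # same rename: rejected
  rescue ForbiddenExtension
    # the attachment keeps its previously validated name
  end
  results[:always_checked] = b.filename  # => "notes.txt"

  results
end

puts demonstrate.inspect if __FILE__ == $PROGRAM_NAME
```

The point of the sketch is where the check lives: in the fixed shape it is part of the setter, so the model cannot hold a filename that was never validated, whichever code path wrote it. A Rails model would express the same thing with a validation that runs on every save rather than only on create.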

Associated revisions

Revision 20946
Added by Go MAEDA about 1 year ago

Validate attachment filenames on every change (#34367).

Patch by Holger Just.

Revision 20947
Added by Go MAEDA about 1 year ago

Merged r20946 from trunk to 4.2-stable (#34367).

Revision 20948
Added by Go MAEDA about 1 year ago

Merged r20946 from trunk to 4.1-stable (#34367).

Revision 20952
Added by Go MAEDA about 1 year ago

Merged r20946 from trunk to 4.0-stable (#34367).

History

#2 Updated by Holger Just about 1 year ago

bump.

#3 Updated by Go MAEDA about 1 year ago

  • Status changed from New to Confirmed
  • Target version set to 4.1.3

Confirmed the issue. Setting the target version to 4.1.3.

#4 Updated by Go MAEDA about 1 year ago

  • Status changed from Confirmed to Closed
  • Assignee set to Go MAEDA
  • Resolution set to Fixed

Committed the patch. Thank you for handling this issue.

#5 Updated by Holger Just about 1 year ago

Thank you!

#6 Updated by Marius BALTEANU about 1 year ago

  • Status changed from Closed to Reopened
  • Target version changed from 4.1.3 to 4.0.9

#7 Updated by Go MAEDA about 1 year ago

  • Status changed from Reopened to Resolved

#8 Updated by Marius BALTEANU about 1 year ago

  • Status changed from Resolved to Closed

#9 Updated by Holger Just about 1 year ago

CVE-2021-31865 has been assigned for this.

#10 Updated by Marius BALTEANU 9 days ago

  • Project changed from Security to Redmine
  • Category set to Attachments
