This was noticed by @effulgentsia.

When validating file extensions in plupload_element_validate(), we should check the list of allowed file extensions that were passed in via the form element and remove script extensions from the list before using it (unless the 'allow_insecure_uploads' variable is set to TRUE on the site).

It's not really a security issue (because if you've specifically told Drupal that you want to allow people to upload e.g. ".php" files then you deserve what you get), but traditionally, e.g. in file_save_upload(), Drupal will still prevent you from uploading those unless the 'allow_insecure_uploads' variable is TRUE. So, Plupload should do that too.

Comments

David_Rothstein’s picture

Priority: Normal » Major

Actually, upping the priority a bit. Currently those extensions are hardcoded (no settings page), but if someone allows them to be configured via the UI and then someone stumbles across the form on your site and types "php" into the list... Drupal should still protect you from that.

slashrsm’s picture

Which extension, in addition to .php, should be includded in this?

slashrsm’s picture

Status: Active » Needs review
StatusFileSize
new1.15 KB

Something like this?

David_Rothstein’s picture

Didn't review it carefully, but yeah, something like that is what I had in mind.

Just based on the surrounding code, I'm guessing the drupal_set_message() should be using $value rather than $file->filename, though?

slashrsm’s picture

Ups... true. Attaching corrected patch.

slashrsm’s picture

Status: Needs review » Fixed

I commited this: http://drupalcode.org/project/plupload.git/commit/c966fde

It will probably take some time until next release, so people can test this in -dev.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

  • Commit c966fde on 7.x-1.x, 7.x-2.x, 8.x-1.x by slashrsm:
    Issue #1111036 by slashrsm:Blacklist script extensions if '...
Anonymous’s picture

Issue summary: View changes
StatusFileSize
new883 bytes

The solution consisting in adding .txt extension to any file unauthorized during an upload is not correct.
A hacker can easily remove the .txt extension and set the filemime at "text/php" and so, execute the script.
The best solution is disallow the "allow_insecure_uploads" option.

Here is a new patch so we can avoid this kind of situation