This was noticed by @effulgentsia.
When validating file extensions in plupload_element_validate(), we should check the list of allowed file extensions that were passed in via the form element and remove script extensions from the list before using it (unless the 'allow_insecure_uploads' variable is set to TRUE on the site).
It's not really a security issue (because if you've specifically told Drupal that you want to allow people to upload e.g. ".php" files then you deserve what you get), but traditionally, e.g. in file_save_upload(), Drupal will still prevent you from uploading those unless the 'allow_insecure_uploads' variable is TRUE. So, Plupload should do that too.
Comments
Comment #1
David_Rothstein commentedActually, upping the priority a bit. Currently those extensions are hardcoded (no settings page), but if someone allows them to be configured via the UI and then someone stumbles across the form on your site and types "php" into the list... Drupal should still protect you from that.
Comment #2
slashrsm commentedWhich extension, in addition to .php, should be includded in this?
Comment #3
slashrsm commentedSomething like this?
Comment #4
David_Rothstein commentedDidn't review it carefully, but yeah, something like that is what I had in mind.
Just based on the surrounding code, I'm guessing the drupal_set_message() should be using $value rather than $file->filename, though?
Comment #5
slashrsm commentedUps... true. Attaching corrected patch.
Comment #6
slashrsm commentedI commited this: http://drupalcode.org/project/plupload.git/commit/c966fde
It will probably take some time until next release, so people can test this in -dev.
Comment #9
Anonymous (not verified) commentedThe solution consisting in adding .txt extension to any file unauthorized during an upload is not correct.
A hacker can easily remove the .txt extension and set the filemime at "text/php" and so, execute the script.
The best solution is disallow the "allow_insecure_uploads" option.
Here is a new patch so we can avoid this kind of situation