Hi, I've an issue with mapping to file fields.
When importing emails through mailhandler, including attachments, the allowed file extensions of my file field are not respected.
This is actually a security issue for me, as all file types are now saved from email attachments, including php files, or whatever (malicious code) people want to send me.
My setup is mailhandler, with the Mailhandler IMAP stream parser, that maps the email 'attachments' to a field of type 'file'. It works great, I just need to filter out unwanted file types.
Can anyone help me with this? Is it actually Feeds, or perhaps an issue that should be solved through Mailhandler? Any help is really appreciated!
Thanks,
Roeneman
Comment | File | Size | Author |
---|---|---|---|
#20 | core-adapted-security.patch | 11.36 KB | Bevan |
#20 | SDO120198-standalone-feeds.patch | 11.36 KB | Bevan |
#17 | feeds-1848498-17.patch | 10.81 KB | twistor |
#17 | interdiff.txt | 501 bytes | twistor |
#15 | feeds-1848498-15.patch | 10.81 KB | twistor |
Comments
Comment #1
kerasai CreditAttribution: kerasai commentedHello, the file type restrictions are imposed by the core Fields module and only affect content that is manipulated through the interface (node add/edit form). Unfortunately I don't know of a drop-in solution to your problem, but to do something like this you'd probably need to invoke hook_node_presave() to analyze the node's field data and unset fields with unacceptable file types.
Comment #2
roeneman CreditAttribution: roeneman commented@kerasai, thanks, this small pointer helped.
For others, for my use case the following solution worked.
Making use of hook_feeds_presave, I constructed the following (not an expert solution I'm sure, but it works for me):
Hope this helps for someone.
Rgds, Roeneman
Comment #3
kerasai CreditAttribution: kerasai commentedGlad you got this going.
To make it simpler, I think you could pass each field value directly to file_validate_extensions and analyze it's return code to determine whether or not to unset it. Might be slightly more complicated than that, but no need to maintain the same code in 2 places.
Comment #4
roeneman CreditAttribution: roeneman commentedMoving this request to Mailhandler. In my opinion we should catch the files even before they are (temporary) saved.
So request is for a 'file exentions field' in mailhandler, with implementation of 'file_validate_extensions' function, removal of unwanted files from the import, and a (configurable) text in the mailbody (or creation of a .txt file) stating that the file has been removed.
My implementation in hook_feeds_presave for adding text to the mailbody:
I know that proposing a patch is the best way to do this, but that is (still) outside of my programming capabilities. Sorry for that. Please consider this request, as importing files with certain extensions is a safety risk!
Rgds, Roeneman
Comment #5
roeneman CreditAttribution: roeneman commented@kerasai, indeed you're right. And additionally, when going for this feed_presave implementation, we should first fetch allowed extensions from the $entity->type file-field. This just as a note for someone wanting to go this direction, I believe this is something best implemented in Mailhandler.
Comment #6
kerasai CreditAttribution: kerasai commented@roeneman good thinking.
I can't promise when, but I'll try to take a look at this. I'm not familiar with the Mailhandler module but I do have a practical use for it so I hope to pick it up shortly.
Comment #7
Dane Powell CreditAttribution: Dane Powell commentedThere is precedent for closing security issues such as this one on the Processor side, rather than the Parser / caller side: https://drupal.org/node/1808832
Comment #8
Dane Powell CreditAttribution: Dane Powell commentedAlso if this is truly a 'security issue' then it needs to go through the proper process for that, rather than being discussed publicly.
Comment #9
twistor CreditAttribution: twistor commentedWell, Feeds doesn't have a proper release, so the security process doesn't technically apply.
That said, this should be handled in Feeds file mapper.
Comment #10
twistor CreditAttribution: twistor commentedComment #11
twistor CreditAttribution: twistor commentedComment #12
twistor CreditAttribution: twistor commentedComment #14
twistor CreditAttribution: twistor commentedComment #15
twistor CreditAttribution: twistor commentedCommitted to 7.x-2.0-alpha9 branch.
Comment #17
twistor CreditAttribution: twistor commentedComment #19
twistor CreditAttribution: twistor commentedComment #20
Bevan CreditAttribution: Bevan commentedThis patch is from the security.drupal.org issue node that led to SA-CONTRIB-2015-096, which covered multiple vulnerabilities in the Services module, one of which is the same as the vulnerability identified here.
This patch solves the problem using a solution crafted initially for Drupal 7 core. See #2472895: Provide file name sanitization functions. The new core functions have simply been copied and namespaced.
This patch is now redundant because @twistor has already solved this issue using a simpler patch. I am posting it solely for the purpose of making it public, now that there is no longer a reason to keep it private.
Comment #21
Bevan CreditAttribution: Bevan commentedThis issue likely applies to the Drupal 8 version of Feeds.
It might also apply to the Drupal 6 version if it is enhanced to respect the file field's configured path.
I am not sure if it is better to create new issue nodes for the two other versions that need investigation, or leave both on this issue node.
Comment #22
twistor CreditAttribution: twistor commentedIt doesn't exist in 8.x. http://cgit.drupalcode.org/feeds/tree/src/Feeds/Target/File.php?h=8.x-3....
As to 6.x, I highly doubt anyone is going to fix the bug that alleviates the security issue. But, we can leave this here to make sure.
Comment #23
twistor CreditAttribution: twistor commented