Problem/Motivation
This is something that a developer would not have done. However, in our project, a test / vulnerability assessment engineer tried this out and the result surprised us, too.
On a freshly installed 7.x site, try to upload a docx or xlsx or pptx to the user picture field. And the following messages are thrown by the form validation:
The two error messages are confusing and seem to "conflict" each other:
- Only JPEG, PNG and GIF images are allowed.
- Only files with the following extensions are allowed: jpg jpeg gif png txt doc xls pdf ppt pps odt ods odp.
The first message is generated by file_validate_is_image()
, which is invoked through file_save_upload()
in user_validate_picture()
(modules/user/user.module:687
).
The second message is generated by file_save_upload()
and the default allowed file extensions (jpg jpeg gif png txt doc xls pdf ppt pps odt ods odp) are used because there's no $validators['file_validate_extensions']
being passed to the function.
Also refer to includes/file.inc:1507
.
So when file with extension outside this default extensions is uploaded, e.g. pptx, docx, xlsx, we get the two "conflicting" form error message above.
Proposed resolution
file_validate_is_image()
has been called to validate that the uploaded file is an image file. So I propose that we do not limit the extension anymore by populating $validators['file_validate_extensions']
with empty array in user_validate_picture()
where the array is then passed to file_save_upload()
.
Remaining tasks
Submit patch below.
User interface changes
None.
API changes
None.
Data model changes
None.
Comments
Comment #2
loziju CreditAttribution: loziju at Pixel Onion Pte Ltd commentedComment #3
saravanaprasanth CreditAttribution: saravanaprasanth at DrupalPartners for Innoppl Technologies Pvt. Ltd commentedComment #4
saravanaprasanth CreditAttribution: saravanaprasanth at DrupalPartners for Innoppl Technologies Pvt. Ltd commentedHi Loziju,
I have tested the above patch in the Drupal 7 (Both dev and stable) version. The patch works as expected.
Now the irrelevant message (Only files with the following extensions are allowed: jpg jpeg gif png txt doc xls pdf ppt pps odt ods odp) is replaced with (The specified file 160094-excavator-template-16x9.pptx could not be uploaded. Only JPEG, PNG and GIF images are allowed).
Comment #5
saravanaprasanth CreditAttribution: saravanaprasanth at DrupalPartners for Innoppl Technologies Pvt. Ltd commentedComment #6
saravanaprasanth CreditAttribution: saravanaprasanth at DrupalPartners for Innoppl Technologies Pvt. Ltd commentedHi Loziju,
Can you please commit the above changes and close this ticket?
Comment #7
poker10 CreditAttribution: poker10 at ActivIT s.r.o. commentedIt would be great if we can add a test for this. But I agree that these two error together are confusing.
Comment #8
poker10 CreditAttribution: poker10 at ActivIT s.r.o. commentedThis looks good to me. And it is not relevant for D9 - the user picture is a regular field here. +1 to RTBC.
------------
By adding the
'file_validate_extensions' => array()
we are removing the allowed extensions check by this validator at all, see thefile_save_upload()
:But it seems like that this check is not required, because the same functionality is also provided by the
'file_validate_is_image' => array()
. So it can't go beyond supported image extensions at any case.This removal would also help this issue: #2539478: [D7] Allow image fields to use any extensions the current image toolkit supports (instead of hard-coding jpg, png and gif only). Currently the list of allowed extensions on this field was hardcoded and restricted by default values of
file_validate_extensions()
(seefile_save_upload()
and example below) and cannot be overrided (unlike the same check in theimage_field_widget_form()
which is using the extensions dynamically).So no easy way to allow for example
.webp
here. Developers needed to replace the whole validation function here:$form['#validate'][] = 'user_validate_picture';
. After this change (and the related issue), all image extensions supported by the image toolkit will be allowed on that field.-----------
I am reuploading the patch from #2 with the test added (patch itself is unchanged). It clearly demonstrates that there are two error messages in the specified case (before the patch).
I have also changed the generated file which is being uploaded in the
testNoPicture()
function. The reason is that actually for html type, there were two files returned by thedrupalGetTestFiles()
(firsthtml-1.txt
and secondhtml-2.html
). The test was incorrectly using the first.txt
file instead of the correct.html
one (.txt
file does not trigger the additional validation message, so I have to correct it).Just a note, this can be commited regardless of the related issues (it is not blocking them).
Comment #10
yashingole CreditAttribution: yashingole at QED42 for Drupal India Association commentedComment #11
yashingole CreditAttribution: yashingole at QED42 for Drupal India Association commentedVerified and tested patch #8 on Drupal 7.x. Patch was applied successfully and looks good to me.
Testing steps:
1. Install 7.x
2. Navigate to People>edit the user.
3. Upload dcox type file in Picture.
4. Observe the error.
5. Apply the patch.
6. Repeat 2 and 3
7. Observe the error.
Testing Result:
1. After applying the patch the error is correctly displayed "The specified file Test Document.docx could not be uploaded. Only JPEG, PNG and GIF images are allowed.".
Can be move to RTBC
Screenshots are attached for reference:
Comment #12
mcdruidI think this makes sense, and it's great to add the test... plus excellent if it makes it easier to support other valid image formats.
Worth adding a comment when we set the list of extensions to a blank array to explain why though, I think.
I'll do that on commit.
Comment #14
mcdruidThank you everyone!