Pull Request for Issue #29763 (at least partly).
This Pull Request (PR) adds a check of the file name extension (or suffix) to the Upload & Update function of the Joomla Update component.
Currently only zip files work with Upload & Update, and so this PR will only allow files with the extension (or suffix) ".zip" (case insensitive). If more formats (".tar.gz", ".tar.bz2", ...) are supported later, the regular expression used for this new check can easily be extended with the new suffixes (this has to be done in 2 places), or a server-side check could check for the availability of the particular PHP modules and pass the regular expression to the JS, e.g. with a data- attribute or a hidden input field.
Important: This is NOT a security fix; it shall only prevent accidentally selecting the wrong file for upload and then having to wait until the upload completes just to get an error message (which is not really user friendly) when unpacking the file fails. Further server-side checks (e.g. by MIME type or checks of the content) have to be implemented separately from this PR with some future PR(s).
Will be added soon. Until this has been done I will leave this PR in draft status. As soon as the draft status is removed, the PR can be tested.
Status: New ⇒ Pending
Category: Administration, com_joomlaupdate, Language & Strings, JavaScript, Repository, NPM Change
@mbabker Read the description of this PR and you will see that your valid issues are not the subject of this PR. This PR shall only be a first pre-upload check against accidentally selecting the wrong file. Further validations will be done with later PRs. Regarding the native HTML feature for the file input type, I will check.
Thanks to @mbabker for pointing me to the right way for the client-side pre-update check. I really appreciate this. It should be done with a new PR. Closing this one since it does it in a wrong, silly way. Additional server-side validations I'll do with future PRs if nobody else is faster.
Status: Pending ⇒ Closed
Closed_Date: 0000-00-00 00:00:00 ⇒ 2020-07-01 12:14:50
Closed_By: richard67
Labels added: NPM Resource Changed
File input types allow you to specify the allowed MIME and/or extension. Use the native HTML features instead of creating your own logic.
Also, filename validation is a VERY VERY VERY WEAK VALIDATION. You need to do server side content validation, not relying on a JavaScript “does the upload end in .zip” check. You get people who upload PHP files with a .jpg suffix all the time, what stops them from doing the same for .zip?
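The two points raised in this thread, a suffix-only pre-upload check as a convenience and content validation as the actual control, as an added example that is not Joomla's code or part of this PR. The suffix list, the function names, the `update_package` input name and the sample byte strings are all constructed for the example; the only facts it relies on are the case-insensitive `.zip` rule from the PR description and the ZIP local-file-header signature.

```javascript
// Added example (not Joomla's code): a client-side suffix check that is
// built from a single list, next to the content (magic-byte) check a server
// would still have to run, because the suffix proves nothing about the file.

// Suffixes the client will accept. Adding ".tar.gz" etc. later means adding
// an entry here; the regular expression is derived from the list, so the
// check lives in one place rather than two.
const ALLOWED_UPDATE_SUFFIXES = ['.zip'];

// Build one case-insensitive pattern such as /(\.zip)$/i from the list,
// escaping regex metacharacters so "." matches a literal dot.
function buildSuffixPattern(suffixes) {
  const escaped = suffixes.map(s => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'));
  return new RegExp('(' + escaped.join('|') + ')$', 'i');
}

const SUFFIX_PATTERN = buildSuffixPattern(ALLOWED_UPDATE_SUFFIXES);

// The pre-upload check: does the chosen file name end in an allowed suffix?
// This only stops a user from picking the wrong file by accident; it is a
// usability hint, not a security boundary.
function hasAllowedSuffix(fileName) {
  return SUFFIX_PATTERN.test(fileName);
}

// The native browser equivalent of that hint (input name is hypothetical):
//   <input type="file" name="update_package" accept=".zip,application/zip">

// Content check for the server side: a ZIP local file header starts with
// 'P' 'K' 0x03 0x04; an empty archive starts with 'P' 'K' 0x05 0x06.
function looksLikeZip(bytes) {
  if (bytes.length < 4 || bytes[0] !== 0x50 || bytes[1] !== 0x4b) return false;
  const third = bytes[2];
  const fourth = bytes[3];
  return (third === 0x03 && fourth === 0x04) || (third === 0x05 && fourth === 0x06);
}

// Constructed samples: a minimal ZIP-looking header, and plain text that
// could have been renamed to "something.zip".
const SAMPLE_ZIP_HEADER = new Uint8Array([0x50, 0x4b, 0x03, 0x04, 0x14, 0x00]);
const SAMPLE_TEXT_BYTES = new TextEncoder().encode('this is not an archive');

// Combined decision: the suffix filter first (cheap, client side), then the
// content check (the one that actually matters, server side).
function classifyUpload(fileName, bytes) {
  if (!hasAllowedSuffix(fileName)) return 'rejected: suffix';
  if (!looksLikeZip(bytes)) return 'rejected: content';
  return 'accepted';
}
```

`classifyUpload('update.zip', SAMPLE_TEXT_BYTES)` returns `'rejected: content'`, which is the case the suffix check alone would have let through; a real server-side implementation would additionally try to open the archive rather than stop at the signature.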