[#31629] - File check Problem in InputFilter::isSafeFile()
- Closed
- 11 Feb 2022
- Medium
- Build: staging
- # 31629
Steps to reproduce the issue
Create a Zip-File witch contain <? and upload it in custom code like descriped in https://docs.joomla.org/How_to_use_the_filesystem_package.
Inside JFile::upload($src, $dest) InputFilter::isSafeFile() is called witch find <? in the zip-file and return false
I created a Zip-File on Macos with two jpg's and the resulting file contains <?
No hack or attack. Just normal use of the Archiver.
Expected result
Move uploaded file from PHP temp folder to filepath stored in $dest.
Actual result
File not moved.
System information (as much as possible)
PHP 7.4 and Joomla! 3.9.23
Additional comments
I fond a way to upload my zip file with following code:
$safeFileOptions['php_ext_content_extensions'] = array('rar', 'tar', 'gz', 'tgz', 'bz2', 'tbz', 'jpa');
JFile::upload($src, $dest, false, false, $safeFileOptions)
Perhaps it is better to search <?php instead of <? beause in PHP-Shorttags are deprecated and not useable by default.
joomla-cms-bot
- | Labels |
Added:
?
|
||
I don't use the Mediamanager. It is not a Mediamanager only bug/problem.
The InputFilter::isSafeFile() file checking results in false positiv file checks.
beause in PHP-Shorttags are deprecated and not useable by default.
Not every Joomla Site is running the latest bleeding edge PHP - therefore Joomla MUST ASSUME that short tags are still available and still enabled.
| Status | New | ⇒ | Closed |
| Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2022-02-11 15:44:50 |
| Closed_By | ⇒ | Quy | |
| Labels |
Added:
No Code Attached Yet
Removed: ? |
||
Duplicate #26408