Added a check in the rename action of com_media to make sure that the new extension does not violate the list of allowed extensions.
No check of extension
Check of extension
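The check described above, as an added illustration that is not Joomla's MediaHelper or InputFilter code: a rename target is accepted only if its extension is on the allowed list and not on a merged, case-normalised blocklist of executable extensions (the media-specific list extending the base list, as proposed later in the thread). The list contents, function names and the allowed list are constructed for the example, and every dot-separated segment of the name is checked, which is stricter than a last-extension-only check.

```php
<?php
// Added example, not code from the Joomla project.
// Base list stands in for the InputFilter-style executable extensions.
$baseExecutables = ['php', 'php3', 'php4', 'php5', 'php6', 'php7', 'php8'];
// Media-specific additions discussed in the thread (OS-level executables).
$mediaExecutables = ['msi', 'jar'];
// Constructed allowed list for a media folder.
$allowedExtensions = ['jpg', 'png', 'gif', 'pdf'];

/**
 * Merge the base and media lists into one lower-cased, de-duplicated blocklist,
 * so there is a single list to maintain instead of two diverging copies.
 */
function blockedExtensions(array $base, array $mediaOnly): array
{
    $merged = array_map('strtolower', array_merge($base, $mediaOnly));
    return array_values(array_unique($merged));
}

/**
 * Decide whether renaming a file to $newName is permitted.
 * - the last extension must be on the allowed list (case-insensitive)
 * - no dot-separated segment of the name may be a blocked extension
 */
function isRenameAllowed(string $newName, array $allowed, array $blocked): bool
{
    $segments = array_map('strtolower', explode('.', basename($newName)));
    if (count($segments) < 2) {
        return false; // no extension at all: reject rather than guess
    }
    $last = end($segments);
    if (!in_array($last, array_map('strtolower', $allowed), true)) {
        return false;
    }
    foreach (array_slice($segments, 1) as $segment) {
        if (in_array($segment, $blocked, true)) {
            return false;
        }
    }
    return true;
}

$blocked = blockedExtensions($baseExecutables, $mediaExecutables);
foreach (['photo.jpg', 'photo.PHP', 'notes.php5', 'setup.msi', 'archive'] as $name) {
    printf("%-12s %s\n", $name, isRenameAllowed($name, $allowedExtensions, $blocked) ? 'rename ok' : 'rejected');
}
```

In the rename action the rejected case would be turned into an error response, matching the 500 reported in the test comment below.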
Status | New | ⇒ | Pending |
Category | ⇒ | Unit Tests Repository Administration |
Labels | Added: J4 Media Manager |
Category | Unit Tests Repository Administration | ⇒ | Libraries Front End Plugins |
I have added the extensions for php3-8, good catch! @brianteeman @richard67
I have tested this item
Tested as described in testing instructions.
not sure where your list comes from but I would add
.MSI – A Microsoft installer file.
.JAR – .JAR files contain executable Java code. If you have the Java runtime installed, .JAR files will be run as programs.
but there are a lot more https://www.lifewire.com/list-of-executable-file-extensions-2626061
Don't know either, but msi (not sure about jar) will not be executed by a webserver.
Neither would many of the others (unless it is a windows webserver)
@brianteeman @HLeithner added MSI and JAR
I still don't understand why this list is different to the list in the other PR or why this list is even used when the other list could be.
One list, less mistakes.
@SniperSister maybe we should create the static list of executables in the framework input filter package and then they can be maintained as a single list that way as @brianteeman says rather than having our duplicate here in the MediaHelper class?
@wilsonge it's not a duplicate, it's only partially identical with the list in the InputFilter focussing on file types that might be executable directly within the web server, resulting in code executions. The list in the mediahelper also includes file types that are able to execute code not only in the webserver but also in a general OS scenario or even in the browser
still better to have just one to avoid mistakes or just have the list in mediahelper extend the inputfilter
/me doesn't see/agree with your supposed differences - especially for windows servers
or just have the list in mediahelper extend the inputfilter
This makes sense to me too. Let's go with it!
Whilst you're at it can you just expand the comment on the class property to mention your explanation so it's super clear for people in the future. Thank you :)
@SniperSister please can you look at this. It needs to be ready by Tuesday for the final RC or it's not going in :)
I have tested this item
Checked with values from both arrays (input filter and media helper) that the manipulated request results in a 500 response and the file is not renamed.
Status | Pending | ⇒ | Fixed in Code Base |
Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2021-08-08 17:36:08 |
Closed_By | ⇒ | wilsonge |
Why is it not using the list of filters here #35001
Why are the two lists different eg php5, php6 etc
Surely there should be just one list