GeraintEdwards
26 Feb 2015

When installing an uploaded package file, the $_FILES data is passed through a safety filter via JFilterInput::isSafeFile, but for short PHP files the check

if ($options['php_tag_in_content'] && strstr($buffer, '<?php'))

BUT if one of the files in the zip file is short e.g.

<?php 
defined('_JEXEC') or die('Restricted access');

then the zip algorithm doesn't compress the content when creating the zip package and leaves the raw file content in the zip file. This means that the uploaded file will incorrectly fail this safety check when there is no reason for it to do so.

GeraintEdwards - open - 26 Feb 2015
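The behaviour reported above, reproduced as an added example that is not part of the original report or of Joomla's code: `raw_buffer_flags` is a hypothetical stand-in for the quoted `strstr` check, and `entries_with_php_tag` is one entry-aware alternative. Python's `zipfile` never falls back to storing on its own, so the stored case is requested explicitly to mimic the archiver behaviour the report describes.

```python
import io
import zipfile

# Constructed sample: the short PHP stub quoted in the report.
STUB = b"<?php \ndefined('_JEXEC') or die('Restricted access');\n"
PHP_TAG = b"<?php"


def build_zip(method):
    """Return the bytes of a one-file archive written with the given method.

    Assumption: ZIP_STORED is set by hand here to mimic an archiver that
    stores short files uncompressed, as described in the report.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=method) as zf:
        zf.writestr("index.php", STUB)
    return buf.getvalue()


def raw_buffer_flags(data):
    """Hypothetical model of the quoted check: substring search over raw bytes."""
    return PHP_TAG in data


def entries_with_php_tag(data):
    """Entry-aware scan: decompress each member, then look for the tag."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [i.filename for i in zf.infolist() if PHP_TAG in zf.read(i)]


def compression_methods(data):
    """Map member name to its method id (0 = stored, 8 = deflate)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {i.filename: i.compress_type for i in zf.infolist()}


if __name__ == "__main__":
    for label, method in (("stored", zipfile.ZIP_STORED),
                          ("deflated", zipfile.ZIP_DEFLATED)):
        data = build_zip(method)
        print(label, compression_methods(data),
              "raw scan:", raw_buffer_flags(data),
              "entry scan:", entries_with_php_tag(data))
```

The raw-buffer result changes with how the archiver stored the member, while the entry-aware scan reports the same file either way, so any policy decision can be made on content rather than on an accident of compression.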
Bakual - comment - 26 Feb 2015

Should be already fixed with #6180

Closing.

Bakual - change - 26 Feb 2015
Status: New → Closed
Closed_Date: 0000-00-00 00:00:00 → 2015-02-26 09:37:04
Bakual - close - 26 Feb 2015
