XSS check for uploaded files

| Field | Value | Field | Value |
|---|---|---|---|
| Date: | 03/09/2010 | Show-stopper?: | |
| Status: | Unidentified | Reporter: | silenz |
| Reported in Version: | EE 1.6.8 | Assigned To: | Not Assigned |
| Keywords: | Control Panel, Publish | Support Thread: | |
Details
I’m not sure whether this is a bug or some semantics issue due to legacy code.
For all uploaded files, regardless of their type, the is_image parameter is set to TRUE in core.upload.php line 741:

```php
// Every upload is passed to the XSS filter as if it were an image.
return $REGX->xss_clean($data, TRUE);
```

That way PDFs seem to have the tendency to fail in the last check of xss_clean():

```php
// Image mode: instead of returning the cleaned string, report whether
// the filter changed anything. Any change is treated as a failed check.
if ($is_image === TRUE)
{
    if ($str == $converted_string)
    {
        return TRUE;   // content untouched by the filter
    }
    else
    {
        return FALSE;  // filter altered the content: reject the file
    }
}
```
Is this intended behaviour?
Comment on Bug Report
Posted by: Robin Sowell on 18 March 2010 9:30am

I double-checked with Jones after sxsw, because I suspected it was intentional but couldn’t be sure. It is intentional, as we can’t be sure how the data will be displayed. Since it’s possible it will be displayed in-browser, we’re treating it as a security risk. Thus it’s all being sent through xss_clean as an image type rather than just stripping and returning the string. But since it confused me too, I’m going to drop a code comment in there just so it’s clear in the future. Thanks for the ‘heads up’, silenz.
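The verdict-versus-string distinction discussed in the report and in the reply above, as an added illustration that is not ExpressionEngine's code: `toy_xss_clean()` is a hypothetical, deliberately tiny stand-in for the real `xss_clean()` filter, `xss_clean_upload()` mirrors only the `$is_image` decision logic from `core.upload.php`, and the PDF-like blobs are constructed samples, not real files.

```php
<?php
// Hypothetical stand-in for xss_clean(): neutralise a few of the patterns the
// real filter also rewrites. Enough to show why a PDF can "fail" the check.
function toy_xss_clean(string $str): string
{
    // Remove <script ...>...</script> blocks entirely.
    $str = preg_replace('#<script\b[^>]*>.*?</script>#is', '', $str);
    // Neutralise javascript: URIs and inline event handlers.
    $str = preg_replace('#javascript\s*:#i', '[removed]', $str);
    $str = preg_replace('#\bon\w+\s*=#i', '[removed]', $str);
    return $str;
}

// Mirrors the $is_image branch: core.upload.php calls xss_clean($data, TRUE)
// because for a file it wants a verdict, not a modified copy of the bytes.
function xss_clean_upload(string $data, bool $is_image = true)
{
    $converted = toy_xss_clean($data);
    if ($is_image === true) {
        // Verdict mode: any change means the file carried something the
        // filter would have rewritten, so reject it instead of silently
        // storing a corrupted binary.
        return $data === $converted;
    }
    // String mode: return the cleaned text. Fine for form fields, wrong for
    // files, where a rewritten byte stream is a damaged upload.
    return $converted;
}

// Constructed samples (not real files): a PDF-like blob whose URI action
// carries a javascript: scheme, and a plain one with nothing to rewrite.
$pdfWithJs = "%PDF-1.4\n1 0 obj << /Type /Action /S /URI /URI (javascript:alert(1)) >> endobj\n";
$pdfPlain  = "%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n";

// Image mode: a boolean verdict per file, which is what the uploader acts on.
var_dump(xss_clean_upload($pdfWithJs));
var_dump(xss_clean_upload($pdfPlain));

// String mode on the same blob: the bytes come back altered, so the upload
// would be saved in modified form rather than refused.
var_dump(xss_clean_upload($pdfWithJs, false) !== $pdfWithJs);
```

Run it with `php example.php`; the first verdict is the rejection a PDF with rewritable content gets under the TRUE flag, the second is the acceptance of an untouched file.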
