
(dev/core#1044) Extension/MIME-type matching should be case insensitive #14554

Merged: 1 commit from the 5.14-JPG branch into civicrm:5.14, Jun 16, 2019

Conversation

@totten (Member) commented Jun 15, 2019

Overview

For CIVI-SA-2019-15, the delivery of file attachments was tightened to ensure that the file-extension and mime-type were in agreement. However, the check yields a false-negative in the common case where the filename has been capitalized. It should treat `foo.jpg`, `foo.JPG`, and `FOO.JPG` as equally valid.

This is a backport of #14544.

Before

  • When viewing a contact profile image ending with `.JPG`, there is an error message, `Supplied mime-type does not match file extension`.

After

  • When viewing a contact profile image ending with `.JPG`, the image is delivered.

Comments

See also:

* https://civicrm.org/advisory/civi-sa-2019-15-xss-via-forged-mime-type
* https://lab.civicrm.org/dev/core/issues/1044
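The check the PR describes, as an added illustration that is not CiviCRM's own code: a case-sensitive extension/MIME comparison (the false negative on `foo.JPG`) beside the case-insensitive form, with the forged-type case from the advisory still rejected. The mapping table and function names are assumptions made for this example.

```php
<?php
// Added example, not CiviCRM's own code. The extension-to-MIME table and the
// function names below are assumptions for illustration only.

const EXT_TO_MIME = [
  'jpg'  => 'image/jpeg',
  'jpeg' => 'image/jpeg',
  'png'  => 'image/png',
  'gif'  => 'image/gif',
];

/** Buggy variant: compares the extension exactly as supplied, so "foo.JPG" is a false negative. */
function mimeMatchesExtensionCaseSensitive(string $filename, string $mimeType): bool {
  $ext = pathinfo($filename, PATHINFO_EXTENSION);
  return array_key_exists($ext, EXT_TO_MIME) && EXT_TO_MIME[$ext] === $mimeType;
}

/** Fixed variant: normalises both sides to lower case before comparing. */
function mimeMatchesExtension(string $filename, string $mimeType): bool {
  $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
  if (!array_key_exists($ext, EXT_TO_MIME)) {
    return FALSE;  // unknown extension: refuse rather than guess a type
  }
  // MIME type names are case-insensitive as well (RFC 2045), so normalise that side too.
  return EXT_TO_MIME[$ext] === strtolower(trim($mimeType));
}

// Constructed cases: the three filenames from the PR description, plus two
// mismatches that must still fail after the fix (the advisory's forged-type case).
$cases = [
  ['foo.jpg',  'image/jpeg', TRUE],
  ['foo.JPG',  'image/jpeg', TRUE],
  ['FOO.JPG',  'image/jpeg', TRUE],
  ['foo.JPG',  'text/html',  FALSE],
  ['foo.html', 'image/jpeg', FALSE],
];

foreach ($cases as [$name, $mime, $expected]) {
  $before = mimeMatchesExtensionCaseSensitive($name, $mime);
  $after  = mimeMatchesExtension($name, $mime);
  printf("%-9s %-11s before=%-5s after=%-5s\n", $name, $mime,
    var_export($before, TRUE), var_export($after, TRUE));
  if ($after !== $expected) {
    throw new RuntimeException("Unexpected result for $name / $mime");
  }
}
```

Only the first function (the pre-fix behaviour) reports `false` for `foo.JPG` and `FOO.JPG`; both functions reject the two mismatched pairs.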
@civibot (bot) commented Jun 15, 2019

(Standard links)

@eileenmcnaughton (Contributor) commented

This is one of a small handful we should put in the 5.14.1 release. I haven't totally formed a list yet.

@eileenmcnaughton eileenmcnaughton merged commit 868c55c into civicrm:5.14 Jun 16, 2019
@totten totten deleted the 5.14-JPG branch June 17, 2019 00:13
@totten totten changed the title (dev/core#1044) Extension/MIME matching should be case insensitive (dev/core#1044) Extension/MIME-type matching should be case insensitive Jun 18, 2019