Yii 1.1.8 - download files with arbitrary extension using CMultiFileUpload
Good all the time of day!
Recently, when making a website on Yii, we found such a hole in uploading files to the server using CMultiFileUpload (for which special thanks to Mx21 ): you can take a file with an arbitrary extension, add something like .jpg to the end of the name, and then fill the server with CMultiFileUpload widget . Even despite the fact that the property 'accept' has, for example, the values of 'jpeg | jpg | gif | png', i.e. There should not be anything other than this kind of pictures, the following happened: the file was uploaded to the server without any problems, and .jpg was cut off in the final file and the source file appeared on the server with the extension it was before we renamed it.
The version of the framework used by us is 1.1.8.
It is treated as follows:
In the /framework/web/js/jquery.multifile.js file, you need to fix lines 222-223:
rather, replace them with the following code:
')
Those. added a check for the number of points in the name of the uploaded file, if more than one point receives the error message “Invalid file type”.
Recently, when making a website on Yii, we found such a hole in uploading files to the server using CMultiFileUpload (for which special thanks to Mx21 ): you can take a file with an arbitrary extension, add something like .jpg to the end of the name, and then fill the server with CMultiFileUpload widget . Even despite the fact that the property 'accept' has, for example, the values of 'jpeg | jpg | gif | png', i.e. There should not be anything other than this kind of pictures, the following happened: the file was uploaded to the server without any problems, and .jpg was cut off in the final file and the source file appeared on the server with the extension it was before we renamed it.
The version of the framework used by us is 1.1.8.
It is treated as follows:
In the /framework/web/js/jquery.multifile.js file, you need to fix lines 222-223:
if(MultiFile.accept && v && !v.match(MultiFile.rxAccept))//{ ERROR = MultiFile.STRING.denied.replace('$ext', String(v.match(/\.\w{1,4}$/gi))); rather, replace them with the following code:
var str=this.value; var pattern='\.'; var pos = str.indexOf(pattern); for (var count = 0; pos != -1; count++) pos = str.indexOf(pattern, pos + pattern.length); if((MultiFile.accept && v && !v.match(MultiFile.rxAccept)) || count>1)//{ ERROR = MultiFile.STRING.denied.replace('$ext', String(v.match(/\.\w{1,4}$/gi))); ')
Those. added a check for the number of points in the name of the uploaded file, if more than one point receives the error message “Invalid file type”.
Source: https://habr.com/ru/post/132533/
All Articles