related to
child of
duplicate of
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0035199 | mantisbt | performance | public | 2024-12-23 22:53 | 2025-03-01 18:40 |
| Reporter | raspopov | Assigned To | community | ||
| Priority | normal | Severity | minor | Reproducibility | always |
| Status | closed | Resolution | fixed | ||
| Product Version | 2.27.0 | ||||
| Target Version | 2.27.1 | Fixed in Version | 2.27.1 | ||
| Summary | 0035199: Improvement of the file_get_mime_type() function | ||||
| Description | Profiler can be used not only for acceleration but also to find unusual behaviour of the program. For example, it showed strange behaviour of MantisBT when rendering files, when getting MIME type of files before rendering for css and js. It would seem that the type of such files is predefined and MantisBT should just return it as a constant. But a check showed that this process takes an unexpectedly large amount of CPU time. The And that's odd, especially since MantisBT already has a caching facility for such primitive file types. But this code is called after, not before loading of the MIME database. | ||||
| Tags | No tags attached. | ||||
 |
file_get_mime_type 3 after.png (7,840 bytes) |
 |
Reading 0013193, this has security implications. The override is fine for plugins (which are trusted), but file_get_mime_type() is also used for attachments (= user input), and we need to make sure these can't be served in a way that can cause them to be rendered in the user's browser. |
|
|
Thanks for the helpful comment. I'm not quite sure how exactly PHP determines the MIME of files with different settings to decide if there was protection or not. I want to test it by myself. But you mean to say, for example, a browser will receive an I temporary removed the PR because I messed up the base branch of PR anyway. :-( |
|
|
New PR: 2064. I made that the changes only affect plugin files for now. I also thought that the best optimization of reading files is not to read them at all, so I added a correct ‘Last-Modified’ header and an ‘If-Modified-Since’ handler. I've also updated the array of MIME types. Do I need to add some more popular formats, like "svg"? |
|
|
Re: 0035199:0069605 - To be honest, I have not done a full analysis of this myself, I based my comment on what @dhx wrote in 0013193. I'm not sure we would have an actual vulnerability here, just saying to be careful.
Yes we assume that plugins are trusted code. It's the responsibility of the admin installing them that they are not enabling rogue code in their Mantis.
I think that would make sense, yes. |
