View Issue Details

ID: 0026668
Project: mantisbt
Category: bugtracker
View Status: public
Last Update: 2020-02-03 20:41
Reporter: obmsch
Assigned To:
Status: new
Resolution: open
Product Version: 2.23.0
Summary: 0026668: file attachment oddity

The simple truth is that the config options "$g_allowed_files" and "$g_disallowed_files" operate
on extensions, whereas file uploads (drop, REST) use the content MIME type.
So, for example, with '$g_disallowed_files = "pdf";' any upload of ".pdf" errors out, but ".pdf.fake" succeeds
and happily displays the fake PDF(!) on demand later on.
-> Check paths for arbitrary code executions/injections.

Tags: No tags attached.


There are no notes attached to this issue.
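The mismatch the report describes, as an added example that is not MantisBT code and not the reporter's: an extension-only policy that looks at the final extension, beside a serve path that trusts the client-declared MIME type, and then one hardened check that applies the same list to every dotted component of the name and to the content type sniffed from the bytes, on every upload path. The configuration constants, the magic-byte table, the helper names and the sample uploads are all assumptions constructed for this illustration.

```python
"""Added example (not MantisBT code): the extension-vs-content mismatch the
report describes, beside a check that applies one policy on every path.

Assumptions: DISALLOWED_EXTENSIONS mirrors '$g_disallowed_files = "pdf"',
the magic-byte table is a small illustrative subset, and every upload
below is constructed inline for the demonstration."""
import os

# Policy, mirroring the report's configuration: deny "pdf", allow everything else.
DISALLOWED_EXTENSIONS = {"pdf"}
ALLOWED_EXTENSIONS: set = set()   # empty means "anything not disallowed"

# Content sniffing by magic bytes (assumption: tiny subset; use libmagic in practice).
MAGIC = {
    b"%PDF-": "application/pdf",
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"GIF89a": "image/gif",
}
TYPE_TO_EXT = {"application/pdf": "pdf", "image/png": "png", "image/gif": "gif"}

# Constructed sample uploads: (filename, bytes, client-declared MIME type).
PDF_BYTES = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"
UPLOADS = [
    ("report.pdf",      PDF_BYTES, "application/pdf"),
    ("report.pdf.fake", PDF_BYTES, "application/pdf"),  # the bypass from the report
    ("report.fake",     PDF_BYTES, "application/pdf"),  # no "pdf" anywhere in the name
    ("notes.txt",       b"hello\n", "text/plain"),
]


def sniff_type(data: bytes) -> str:
    """Derive the content type from the bytes, never from the client's claim."""
    for magic, mime in MAGIC.items():
        if data.startswith(magic):
            return mime
    return "application/octet-stream"


def naive_is_allowed(filename: str) -> bool:
    """Extension-only policy check on the final extension, as the report describes."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ALLOWED_EXTENSIONS:
        return ext in ALLOWED_EXTENSIONS
    return ext not in DISALLOWED_EXTENSIONS


def naive_serve_headers(filename: str, client_mime: str) -> dict:
    """Serve path that trusts the MIME type recorded from the client at upload."""
    return {"Content-Type": client_mime,
            "Content-Disposition": f'inline; filename="{filename}"'}


def hardened_is_allowed(filename: str, data: bytes) -> bool:
    """One policy for every upload path (form, drag-and-drop, REST):
    every dotted component and the sniffed content type must pass the list."""
    parts = os.path.basename(filename).lower().split(".")
    exts = [p for p in parts[1:] if p]
    if not exts:
        return False                                   # no extension at all: reject
    if any(e in DISALLOWED_EXTENSIONS for e in exts):
        return False                                   # catches "x.pdf.fake"
    if ALLOWED_EXTENSIONS and exts[-1] not in ALLOWED_EXTENSIONS:
        return False
    content_ext = TYPE_TO_EXT.get(sniff_type(data))
    if content_ext and content_ext in DISALLOWED_EXTENSIONS:
        return False                                   # catches "x.fake" holding a PDF
    if ALLOWED_EXTENSIONS and content_ext and content_ext not in ALLOWED_EXTENSIONS:
        return False
    return True


def hardened_serve_headers(filename: str, data: bytes) -> dict:
    """Type comes from the stored bytes; the browser is told not to guess or render."""
    return {"Content-Type": sniff_type(data),
            "Content-Disposition": f'attachment; filename="{os.path.basename(filename)}"',
            "X-Content-Type-Options": "nosniff"}


def evaluate(uploads=UPLOADS) -> dict:
    """Map filename -> (naive verdict, hardened verdict) for each constructed upload."""
    return {name: (naive_is_allowed(name), hardened_is_allowed(name, data))
            for name, data, _mime in uploads}


if __name__ == "__main__":
    for name, (naive, hard) in evaluate().items():
        print(f"{name:18} naive={'allow' if naive else 'deny':5} "
              f"hardened={'allow' if hard else 'deny'}")
    print(naive_serve_headers("report.pdf.fake", "application/pdf"))
    print(hardened_serve_headers("report.pdf.fake", PDF_BYTES))
```

Running it shows the naive check denying "report.pdf" but allowing "report.pdf.fake" and "report.fake", while the naive serve path hands the browser "Content-Type: application/pdf" taken from the client; the hardened check denies all three PDF uploads and, for anything it does store, serves a content type derived from the bytes as an attachment with nosniff so the browser cannot be talked into rendering it inline.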