View Issue Details

ID: 14708
Project: Bug reports
Category: Security
View Status: public
Last Update: 2020-05-15 17:15
Reporter: ritapas
Assigned To: DenisChenu
Status: closed
Resolution: fixed
Product Version: 3.15.x
Fixed in Version: 3.17.x
Summary: 14708: Upload files question type does not actually check file type

The "upload file" question type only checks the file extension, not the actual file type. This allows, for instance, uploading PHP code as a ".gif" file.

Steps To Reproduce

Rename a PHP script to .gif, then upload it in an "upload file" question.

Tags: No tags attached.
Complete LimeSurvey version number (& build): Version 3.15.5+181115
I will donate to the project if issue is resolved: No
Sync to Zoho Project:
Database & DB-Version: MariaDB 5.5.60
Server OS (if known):
Webserver software & version (if known):
PHP Version: rh-php71-1-1


parent of 14989 (closed, DenisChenu): Problem can't upload file
parent of 15624 (closed): File Upload not working for iOS 13.2




2019-04-02 15:02

reporter   ~51276

After further observation, we didn't find a way to execute code on the server via a forged uploaded file, so I believe this issue's severity might be lower than expected.



2019-05-28 16:26

reporter   ~52132

Hello there, our company is trying to adopt LimeSurvey, so we ran a security audit before adoption, and it discovered three security issues blocking adoption.

Two of them are related to the Upload Question Plugin. One of these two concerns missing content type validation. They mean that if we expect a JPEG file, the content type must be validated too, not only the file extension.

The security issue here isn't related to executable PHP code but to malicious binary files disguised

I'd like to inspect the code but I'm not really familiar with it; does it reside inside UploaderController.php?



2019-05-29 11:17

developer   ~52145

Last edited: 2019-05-29 11:22


Right: we check the extension, not the mimetype.

Still an issue.

PS: maybe we can (in PHP)

  1. use mime_content_type to get all allowed mimeTypes
  2. use CFileHelper::getMimeType to compare the mimeType
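To make the difference between the two checks concrete, here is an added example (not LimeSurvey's own code, and not the patch that was committed): the extension-only check the report describes, beside a check that also requires the content type detected from the file's bytes to match what that extension may carry. It uses PHP's built-in finfo instead of the Yii CFileHelper helpers mentioned above; the allowed-type list and the sample files are assumptions constructed for the demonstration.

```php
<?php
// Added example, not LimeSurvey code. Assumed allowed list: extension => MIME
// types that may legitimately carry that extension.
const ALLOWED_TYPES = [
    'gif'  => ['image/gif'],
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'png'  => ['image/png'],
    'pdf'  => ['application/pdf'],
];

// The weak check: trusts only the client-supplied file name.
function extensionIsAllowed(string $filename): bool
{
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return isset(ALLOWED_TYPES[$ext]);
}

// The stronger check: the type detected from the file contents (libmagic via
// finfo) must be one of the types allowed for the claimed extension, so a PHP
// script renamed to .gif is rejected even though its extension is allowed.
function contentMatchesExtension(string $filename, string $path): bool
{
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    if (!isset(ALLOWED_TYPES[$ext])) {
        return false;
    }
    $finfo    = new finfo(FILEINFO_MIME_TYPE);
    $detected = $finfo->file($path);
    return $detected !== false && in_array($detected, ALLOWED_TYPES[$ext], true);
}

// Constructed sample 1: a PHP script whose name claims it is a GIF.
$tmp = tempnam(sys_get_temp_dir(), 'upl');
file_put_contents($tmp, "<?php echo 'hello'; ?>\n");
var_dump(extensionIsAllowed('script.gif'));            // extension check alone
var_dump(contentMatchesExtension('script.gif', $tmp)); // extension + content check

// Constructed sample 2: a minimal GIF89a header, so the content matches the name.
file_put_contents($tmp, "GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff\x00");
var_dump(contentMatchesExtension('image.gif', $tmp));

unlink($tmp);
```

Content sniffing only inspects the leading bytes, so this is a complement to, not a replacement for, storing uploads outside the web root and serving them without script execution.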


2019-05-29 14:11

developer   ~52157

Move category: Security to Survey taking. All client actions are not a security fix for the server.



2019-05-29 14:13

developer   ~52158

Oops … sorry … the original issue is about real security …



2019-05-31 17:57

developer   ~52259



2019-06-03 17:03

developer   ~52279

Fix committed to master branch:



2019-06-04 13:52

reporter   ~52290

Thank you for your effort! : )



2019-06-04 14:07

developer   ~52291

If you want to update «manually», there are some other fixes after this one …

You can get the new controller here:

I think it can work for all 3.X versions (not tested) (3.17.X sure at 100%)



2019-06-04 14:22

reporter   ~52293

Thank you

Related Changesets

LimeSurvey: master d3eb007e

2019-05-31 17:39:42

Fixed issue 14708: Upload files question type does not actually check file type
Dev: use CFileHelper::getExtensionByMimeType and compare with allowed type
Dev: Move all error system before checking preview or not
Dev: since all must end with Yii::app()->end, last one is an unknown error

Affected Issues: 14708
mod - application/controllers/UploaderController.php

Issue History

Date Modified Username Field Change
2019-04-01 12:06 ritapas New Issue
2019-04-02 15:02 ritapas Note Added: 51276
2019-05-28 16:26 tassoman Note Added: 52132
2019-05-29 11:17 DenisChenu Note Added: 52145
2019-05-29 11:22 DenisChenu Note Edited: 52145 View Revisions
2019-05-29 14:11 DenisChenu Category Security => Survey taking
2019-05-29 14:11 DenisChenu Note Added: 52157
2019-05-29 14:13 DenisChenu Category Survey taking => Security
2019-05-29 14:13 DenisChenu Note Added: 52158
2019-05-29 14:14 DenisChenu Assigned To => DenisChenu
2019-05-29 14:14 DenisChenu Status new => assigned
2019-05-31 17:57 DenisChenu Status assigned => resolved
2019-05-31 17:57 DenisChenu Resolution open => fixed
2019-05-31 17:57 DenisChenu Fixed in Version => 3.17.x
2019-05-31 17:57 DenisChenu Note Added: 52259
2019-06-03 17:03 DenisChenu Changeset attached => LimeSurvey master d3eb007e
2019-06-03 17:03 DenisChenu Note Added: 52279
2019-06-04 13:52 tassoman Note Added: 52290
2019-06-04 14:07 DenisChenu Note Added: 52291
2019-06-04 14:22 ritapas Note Added: 52293
2019-06-26 19:08 DenisChenu Relationship added parent of 14989
2020-03-09 15:36 c_schmitz Status resolved => closed
2020-05-15 17:15 DenisChenu Relationship added parent of 15624