View Issue Details

This bug affects 1 person(s).

ID: 16817
Project: Bug reports
Category: Security
View Status: public
Last Update: 2020-11-16 09:28
Reporter: Abdulrahman Ahmad Al Bataineh
Assigned To: ollehar
Priority: none
Severity: minor
Status: closed
Resolution: fixed
Summary: 16817: bypassing file upload restrictions
Description

Bypassing file upload restrictions.
Must check the MIME type before uploading the file.

Tags: No tags attached.
Attached Files: tempsnip.png (263,162 bytes)
Bug heat: 258
Complete LimeSurvey version number (& build): 3.22.21+200622
I will donate to the project if issue is resolved: No
Browser:
Database type & version: any
Server OS (if known):
Webserver software & version (if known):
PHP Version: 7.1

Users monitoring this issue

There are no users monitoring this issue.

Activities

ollehar (administrator), 2020-11-05 13:02, note ~60559

Please update to the latest version and try again. Thank you.

DenisChenu (developer), 2020-11-05 15:28, note ~60566

@ollehar: I think we can merge it, I really think we must merge it.
https://github.com/LimeSurvey/LimeSurvey/pull/1638/files

ollehar (administrator), 2020-11-05 15:29, note ~60567

PR looks good, but not needed, since it's not possible to rename file extensions.

guest (viewer), 2020-11-10 10:46, note ~60600

Fix committed to master branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=30712

lime_release_bot (administrator), 2020-11-16 09:28, note ~60644

Fixed in Release 4.3.27+201116

Related Changesets

LimeSurvey: master c8becd05
2020-11-10 10:42:05
Author: Abdulrahman Ahmad Al Bataineh
Committer: GitHub
Fixed issue 16817: Missing MIME type check on survey import (#1638)

* fix bypassing-file-upload-restrictions in import survey

* using LSFileHelper to check mimetype & remove 'application/octet-stream'

* add 'application/xml','application/zip','text/xml' to allow list mime types

Co-authored-by: a.albatayinah@psau.edu.sa <a.albatayinah@psau.edu.sa>
Affected Issues
16817
mod - application/controllers/admin/surveyadmin.php
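The commit message above describes the shape of the fix: detect the MIME type from the file's content on the server, compare it against an explicit allow list (application/xml, text/xml, application/zip), and drop application/octet-stream from that list. The example below is added here to illustrate that pattern; it is not LimeSurvey's code and is not the LSFileHelper the fix uses. The function names (detectMimeType, isAllowedImportFile), the constant name and the sample files are all invented for the demonstration; the only project-specific values are the three MIME types named in the commit. It uses PHP's standard finfo extension and targets PHP 7.1, the version recorded on this report.

```php
<?php
// Added example (not LimeSurvey code, not the LSFileHelper used in the fix):
// accept an uploaded survey file only if its content-sniffed MIME type is on
// an explicit allow list. The client-supplied $_FILES[...]['type'] value and
// the file extension are both attacker-controlled, so neither is consulted.

declare(strict_types=1);

// Allow list modelled on the types named in the commit message.
// 'application/octet-stream' is deliberately absent: libmagic reports that
// type for any binary it cannot classify, so allowing it would let almost
// any content through and defeat the check.
const ALLOWED_IMPORT_MIME_TYPES = [
    'application/xml', // .lss survey structure (some libmagic builds say text/xml)
    'text/xml',
    'application/zip', // .lsa survey archive
];

/**
 * Return the MIME type detected from the file's bytes, or null if finfo
 * could not open or classify the file.
 */
function detectMimeType(string $path): ?string
{
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime = $finfo->file($path);
    return $mime === false ? null : $mime;
}

/**
 * Decide whether a file on disk may be processed as a survey import.
 * $allowed defaults to the list above; pass a different list for other uploads.
 */
function isAllowedImportFile(string $path, array $allowed = ALLOWED_IMPORT_MIME_TYPES): bool
{
    if (!is_file($path)) {
        return false;
    }
    $mime = detectMimeType($path);
    // A null result (unclassifiable file) is a reject, never "unknown, so allow".
    return $mime !== null && in_array($mime, $allowed, true);
}

// Demonstration on constructed sample files written to a temporary directory.
$dir = sys_get_temp_dir() . '/mime-check-' . bin2hex(random_bytes(4));
mkdir($dir);

// 1. A real XML document with a .lss extension: passes on content.
file_put_contents(
    "$dir/survey.lss",
    "<?xml version=\"1.0\"?>\n<document><LimeSurveyDocType>Survey</LimeSurveyDocType></document>\n"
);

// 2. PHP source renamed to .lss: the extension lies, the bytes do not.
file_put_contents("$dir/evil.lss", "<?php echo 'not a survey'; ?>\n");

// 3. A PNG header renamed to .lsa: neither XML nor zip, so rejected.
file_put_contents("$dir/image.lsa", "\x89PNG\r\n\x1a\n" . str_repeat("\0", 32));

foreach (['survey.lss', 'evil.lss', 'image.lsa'] as $name) {
    $path = "$dir/$name";
    printf(
        "%-12s detected=%-24s allowed=%s\n",
        $name,
        detectMimeType($path) ?? 'null',
        isAllowedImportFile($path) ? 'yes' : 'no'
    );
}

// Remove the constructed files.
array_map('unlink', glob("$dir/*"));
rmdir($dir);
```

In an upload handler the path passed to isAllowedImportFile would be the saved temporary file (for example $_FILES['the_file']['tmp_name']), checked before the archive is opened or the XML is parsed. An extension check can stay in place as a first filter, but it must not be the only one, since the extension is chosen by the uploader; the content check is what actually enforces the restriction.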

Issue History

Date Modified Username Field Change
2020-11-04 14:52 Abdulrahman Ahmad Al Bataineh New Issue
2020-11-04 14:52 Abdulrahman Ahmad Al Bataineh File Added: tempsnip.png
2020-11-05 13:02 ollehar Note Added: 60559
2020-11-05 13:03 ollehar Assigned To => ollehar
2020-11-05 13:03 ollehar Status new => feedback
2020-11-05 15:28 DenisChenu Note Added: 60566
2020-11-05 15:29 ollehar Note Added: 60567
2020-11-10 10:46 Abdulrahman Ahmad Al Bataineh Changeset attached => LimeSurvey master c8becd05
2020-11-10 10:46 guest Note Added: 60600
2020-11-16 09:28 lime_release_bot Note Added: 60644
2020-11-16 09:28 lime_release_bot Status feedback => closed
2020-11-16 09:28 lime_release_bot Resolution open => fixed