[CRM-20468] Attachment.create API HTML escapes the uploaded content - CiviCRM Issue Tracker

Details

Type: Bug
Status: Done/Fixed
Priority: Trivial
Resolution: Fixed/Completed
Affects Version/s: 4.7.18
Fix Version/s: 4.7.28
Component/s: None
Labels:
- PatchSubmitted

Versioning Impact:
Patch (backwards-compatible bug fixes)
Documentation Required?:
None
Funding Source:
Needs Funding
Verified?:
No

Description

When using the REST API to upload attachments using the Attachment.create API, the "content" field gets escaped by 'CRM_Utils_API_HTMLInputCoder'. This can result in corrupt file attachments if they happen to have a '<' character in them (ex: with a JPG, malicious cat photo attached).

How to reproduce: c.f. attached python2 script.

Attachments

Options
- Sort By Name
- Sort By Date
- Ascending
- Descending
- Download All

Attachments

cat-photo.jpg
2017-04-24 19:50
205 kB
Mathieu Lutfy
test-civirest-api.py
2017-04-24 19:51
0.9 kB
Mathieu Lutfy

Issue Links

links to

PR: civicrm-core#10876: CRM-20468: HTMLInputCoder: do not escape the content field, breaks attachments

Activity

People

Assignee:

Unassigned

Reporter:

Mathieu Lutfy

Votes:

0 Vote for this issue

Watchers:

2 Start watching this issue

Dates

Created:

2017-04-24 19:38

Updated:

2017-11-24 14:55

Resolved:

2017-11-24 14:55