Uploaded image for project: 'CiviCRM'
  1. CiviCRM
  2. CRM-3252

rename html file uploads filenames to prevent xss scripting

          Details

          • Type: Bug
          • Status: Done/Fixed
          • Priority: Major
          • Resolution: Fixed/Completed
          • Affects Version/s: 2.0
          • Fix Version/s: 2.1
          • Component/s: None
          • Labels:
            None

            Description

            html / htm file extensions should not be considered safe. We also also ensure that the filename does not have a dot "fileExtension" in the middle of the string since apache will use that file extension handler

            We do not rename if user has administer CiviCRM / access CiviMail since those users might want to preserve the filename when they use it as an attachment etc

              Attachments

                Activity

                  People

                  • Assignee:
                    kurund Kurund Jalmi
                    Reporter:
                    lobo Donald A. Lobo
                  • Votes:
                    0 Vote for this issue
                    Watchers:
                    0 Start watching this issue

                    Dates

                    • Created:
                      Updated:
                      Resolved: