Config (Full) Import form does not validate file extensions [#2659910]

Problem/Motivation

It is possible to upload files with arbitrary extensions into the config full import form. The files then fail extraction, but the file extension is not validated in the first place.

The security team is happy with this being a public hardening issue because only those with a restricted permission can access this form

Proposed resolution

Validate the file extensions. We cannot rely on the regular #upload_validators for this because those only work for managed files.

Steps to reproduce

Remaining tasks

Update the patch
Add tests
Review
Commit

User interface changes

Instead of cryptic error messages from the tar extractor, a proper error message is displayed when uploading incorrect files in the config import form.

API changes

None.

Data model changes

None.

Comment	File	Size	Author
#19	reroll_diff_19.txt	3.16 KB	Tanuj.
#19	2659910-19.patch	1.77 KB	Tanuj.
#19	10.1.x: PHP 8.1 & MySQL 5.7 29,007 pass, 6 fail 9.5.x: PHP 8.1 & MySQL 5.7 30,277 pass, 6 fail
	config-import-file-validate.patch	1.68 KB	tstoeckler
	8.0.x: PHP 5.5 & MySQL 5.5 14,472 pass, 3 fail

Support from Acquia helps fund testing for Drupal Acquia logo

Comments

Comment #1

31 January 2016 at 17:09

tstoeckler created an issue. See original summary.

Comment #2

tstoeckler

he/him

German

Essen, Germany

CreditAttribution: tstoeckler as a volunteer commented 31 January 2016 at 17:32

Component:

configuration system

» config.module

Comment #3

31 January 2016 at 17:43

Status:

Needs review

» Needs work

The last submitted patch, config-import-file-validate.patch, failed testing.

Comment #4

Daniel_Rempe CreditAttribution: Daniel_Rempe commented 31 January 2016 at 19:40

The test in ConfigImportUploadTest creates a .txt file instead of a .tar ball for upload testing and therefore the test fails.

Comment #5

larowlan

🇦🇺🏝.au GMT+10

CreditAttribution: larowlan at PreviousNext commented 31 January 2016 at 21:29

Issue summary:

View changes

Added note to summary that security team is OK with this being public as its a restricted permission

Comment #6

31 January 2016 at 21:29

Version:

8.0.x-dev

» 8.1.x-dev

Drupal 8.0.6 was released on April 6 and is the final bugfix release for the Drupal 8.0.x series. Drupal 8.0.x will not receive any further development aside from security fixes. Drupal 8.1.0-rc1 is now available and sites should prepare to update to 8.1.0.

Bug reports should be targeted against the 8.1.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.2.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Comment #7

31 January 2016 at 21:29

Version:

8.1.x-dev

» 8.2.x-dev

Drupal 8.1.9 was released on September 7 and is the final bugfix release for the Drupal 8.1.x series. Drupal 8.1.x will not receive any further development aside from security fixes. Drupal 8.2.0-rc1 is now available and sites should prepare to upgrade to 8.2.0.

Bug reports should be targeted against the 8.2.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.3.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Comment #8

31 January 2016 at 21:29

Version:

8.2.x-dev

» 8.3.x-dev

Drupal 8.2.6 was released on February 1, 2017 and is the final full bugfix release for the Drupal 8.2.x series. Drupal 8.2.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.3.0 on April 5, 2017. (Drupal 8.3.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.3.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.4.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Comment #9

31 January 2016 at 21:29

Version:

8.3.x-dev

» 8.4.x-dev

Drupal 8.3.6 was released on August 2, 2017 and is the final full bugfix release for the Drupal 8.3.x series. Drupal 8.3.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.4.0 on October 4, 2017. (Drupal 8.4.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.4.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.5.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Comment #10

31 January 2016 at 21:29

Version:

8.4.x-dev

» 8.5.x-dev

Drupal 8.4.4 was released on January 3, 2018 and is the final full bugfix release for the Drupal 8.4.x series. Drupal 8.4.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.5.0 on March 7, 2018. (Drupal 8.5.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.5.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.6.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Comment #11

31 January 2016 at 21:29

Version:

8.5.x-dev

» 8.6.x-dev

Drupal 8.5.6 was released on August 1, 2018 and is the final bugfix release for the Drupal 8.5.x series. Drupal 8.5.x will not receive any further development aside from security fixes. Sites should prepare to update to 8.6.0 on September 5, 2018. (Drupal 8.6.0-rc1 is available for testing.)

Bug reports should be targeted against the 8.6.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.7.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Comment #12

31 January 2016 at 21:29

Version:

8.6.x-dev

» 8.8.x-dev

Drupal 8.6.x will not receive any further development aside from security fixes. Bug reports should be targeted against the 8.8.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.9.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

Comment #13

31 January 2016 at 21:29

Version:

8.8.x-dev

» 8.9.x-dev

Drupal 8.8.7 was released on June 3, 2020 and is the final full bugfix release for the Drupal 8.8.x series. Drupal 8.8.x will not receive any further development aside from security fixes. Sites should prepare to update to Drupal 8.9.0 or Drupal 9.0.0 for ongoing support.

Bug reports should be targeted against the 8.9.x-dev branch from now on, and new development or disruptive changes should be targeted against the 9.1.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

Comment #14

31 January 2016 at 21:29

Version:

8.9.x-dev

» 9.2.x-dev

Drupal 8 is end-of-life as of November 17, 2021. There will not be further changes made to Drupal 8. Bugfixes are now made to the 9.3.x and higher branches only. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Comment #15

31 January 2016 at 21:29

Version:

9.2.x-dev

» 9.3.x-dev

Comment #16

31 January 2016 at 21:29

Version:

9.3.x-dev

» 9.4.x-dev

Drupal 9.3.15 was released on June 1st, 2022 and is the final full bugfix release for the Drupal 9.3.x series. Drupal 9.3.x will not receive any further development aside from security fixes. Drupal 9 bug reports should be targeted for the 9.4.x-dev branch from now on, and new development or disruptive changes should be targeted for the 9.5.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Comment #17

31 January 2016 at 21:29

Version:

9.4.x-dev

» 9.5.x-dev

Drupal 9.4.9 was released on December 7, 2022 and is the final full bugfix release for the Drupal 9.4.x series. Drupal 9.4.x will not receive any further development aside from security fixes. Drupal 9 bug reports should be targeted for the 9.5.x-dev branch from now on, and new development or disruptive changes should be targeted for the 10.1.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Comment #18

quietone CreditAttribution: quietone at PreviousNext commented 12 March 2023 at 22:43

Category:	Bug report	» Task
Issue summary:	View changes
Issue tags:		+Bug Smash Initiative, +Usability

This is still true for Drupal 10.1.x. However, this is not a bug (I asked in #bugsmash) so changing to a task. Also adding Usability tag because of the change in behavior in the UI.

I have updated the Issue Summary.

Comment #19

Tanuj. CreditAttribution: Tanuj. as a volunteer and at Srijan | A Material+ Company for Drupal India Association commented 14 March 2023 at 07:20

File	Size
2659910-19.patch	1.77 KB
10.1.x: PHP 8.1 & MySQL 5.7 29,007 pass, 6 fail 9.5.x: PHP 8.1 & MySQL 5.7 30,277 pass, 6 fail
reroll_diff_19.txt	3.16 KB

File

Size

2659910-19.patch

1.77 KB

10.1.x:
PHP 8.1 & MySQL 5.7 29,007 pass, 6 fail

9.5.x:
PHP 8.1 & MySQL 5.7 30,277 pass, 6 fail

reroll_diff_19.txt

3.16 KB

Updated the patch for Drupal: 10.1.x.

Comment #20

14 March 2023 at 07:20

Version:

9.5.x-dev

» 11.x-dev

Drupal core is moving towards using a “main” branch. As an interim step, a new 11.x branch has been opened, as Drupal.org infrastructure cannot currently fully support a branch named main. New developments and disruptive changes should now be targeted for the 11.x branch. For more information, see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.