Problem/Motivation
It is possible to upload files with arbitrary extensions into the config full import form. The files then fail extraction, but the file extension is not validated in the first place.
The security team is happy with this being a public hardening issue because only those with a restricted permission can access this form.
Proposed resolution
Validate the file extensions. We cannot rely on the regular #upload_validators for this because those only work for managed files.
Steps to reproduce
Remaining tasks
Update the patch
Add tests
Review
Commit
User interface changes
Instead of cryptic error messages from the tar extractor, a proper error message is displayed when uploading incorrect files in the config import form.
API changes
None.
Data model changes
None.
Comment | File | Size | Author |
---|---|---|---|
#19 | reroll_diff_19.txt | 3.16 KB | Tanuj. |
#19 | 2659910-19.patch | 1.77 KB | Tanuj. |
 | config-import-file-validate.patch | 1.68 KB | tstoeckler |
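
One way to do the extension check described under "Proposed resolution" on an unmanaged upload, as an added example (not the patch attached to this issue and not Drupal core code): a plain PHP helper that validates the client-supplied file name against an allow-list. The function name, the allow-list `tar.gz tgz tar.bz2`, the error text and the sample file names are assumptions made for illustration.

```php
<?php
// Added illustration, not Drupal core code. The allow-list is an assumption.
const ALLOWED_ARCHIVE_EXTENSIONS = ['tar.gz', 'tgz', 'tar.bz2'];

/**
 * Checks the client-supplied name of an unmanaged upload.
 *
 * Returns NULL when the name ends in an allowed extension, or an error
 * message suitable for display on the form otherwise. In a form validate
 * handler the name would come from the upload object, for example Symfony's
 * UploadedFile::getClientOriginalName() (assumed wiring, not shown here).
 */
function validate_import_upload_name(string $client_name, array $allowed = ALLOWED_ARCHIVE_EXTENSIONS): ?string {
  // Drop any path component the client may have sent and normalise case.
  $name = strtolower(basename(str_replace('\\', '/', $client_name)));
  foreach ($allowed as $extension) {
    $suffix = '.' . strtolower($extension);
    // The allowed extension must be the final suffix, so "x.tar.gz.php"
    // fails, and a base name must precede it, so ".tar.gz" fails too.
    if (strlen($name) > strlen($suffix) && substr($name, -strlen($suffix)) === $suffix) {
      return NULL;
    }
  }
  return sprintf('Only files with the following extensions are allowed: %s.', implode(' ', $allowed));
}

// Constructed sample uploads.
$samples = [
  'config-export.tar.gz',
  'CONFIG.TGZ',
  'notes.txt',
  'shell.php',
  'config.tar.gz.php',
  '.tar.gz',
];
foreach ($samples as $sample) {
  $error = validate_import_upload_name($sample);
  printf("%-22s %s\n", $sample, $error ?? 'accepted');
}
```

The check only covers the file name; the archive contents are still validated by the extraction step that follows.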
Comments
Comment #2
tstoeckler
Comment #4
Daniel_Rempe commented
The test in ConfigImportUploadTest creates a .txt file instead of a tarball for upload testing and therefore the test fails.
Comment #5
larowlan
Added note to summary that security team is OK with this being public as it's a restricted permission
Comment #18
quietone at PreviousNext commented
This is still true for Drupal 10.1.x. However, this is not a bug (I asked in #bugsmash) so changing to a task. Also adding Usability tag because of the change in behavior in the UI.
I have updated the Issue Summary.
Comment #19
Tanuj. as a volunteer and at Srijan | A Material+ Company for Drupal India Association commented
Updated the patch for Drupal: 10.1.x.