The validateForm() method is not implemented, which allows any kind of file to be loaded for parsing. Here is an example, the most simplistic implementation, which allows you to improve the security of this module:

public function validateForm(array &$form, FormStateInterface $form_state) {
  // Run the upload through the validators declared on the form element.
  $this->file = file_save_upload('csv_file', $form['csv']['csv_file']['#upload_validators'], FALSE, 0);

  // No file entity means the upload failed validation or was missing.
  if (!$this->file) {
    $form_state->setErrorByName('csv_file', $this->t('Provided file is not a CSV file or is corrupted.'));
  }
}

IMHO the module should be avoided until it is fixed, as it introduces a high security risk.
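The snippet above reads its validators from the form element, so the element has to declare them. The following is an added example, not the module's or the patch's code: it shows a form that declares the validators and also checks the file content. The module name, class name, form id, the 2 MB limit and the column-count check are assumptions.

```php
<?php
// Added example; module, class and form id are hypothetical.
namespace Drupal\csv_example\Form;

use Drupal\Core\Form\FormBase;
use Drupal\Core\Form\FormStateInterface;

class CsvUploadForm extends FormBase {
  protected $file;

  public function getFormId() {
    return 'csv_example_upload_form';
  }

  public function buildForm(array $form, FormStateInterface $form_state) {
    $form['csv']['csv_file'] = [
      '#type' => 'file',
      '#title' => $this->t('CSV file'),
      // validateForm() hands these to file_save_upload(); the 2 MB cap is an assumed value.
      '#upload_validators' => [
        'file_validate_extensions' => ['csv'],
        'file_validate_size' => [2 * 1024 * 1024],
      ],
    ];
    $form['submit'] = ['#type' => 'submit', '#value' => $this->t('Import')];
    return $form;
  }

  public function validateForm(array &$form, FormStateInterface $form_state) {
    $validators = $form['csv']['csv_file']['#upload_validators'];
    $this->file = file_save_upload('csv_file', $validators, FALSE, 0);
    $valid = (bool) $this->file;
    if ($valid) {
      // Assumed extra check: every non-blank row parses to the same column count.
      $handle = fopen($this->file->getFileUri(), 'r');
      $columns = NULL;
      while ($handle && ($row = fgetcsv($handle)) !== FALSE) {
        if ($row === [NULL]) { continue; }
        $columns = $columns ?? count($row);
        $valid = $valid && count($row) === $columns;
      }
      $valid = $valid && $handle && $columns !== NULL;
      if ($handle) { fclose($handle); }
    }
    if (!$valid) {
      $form_state->setErrorByName('csv_file', $this->t('Provided file is not a CSV file or is corrupted.'));
    }
  }

  public function submitForm(array &$form, FormStateInterface $form_state) {
    $this->messenger()->addStatus($this->t('CSV file accepted.'));
  }
}
```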

Comments

spectatorx created an issue.

steffenr’s picture

Attached file: status new, size 1.39 KB

Hi @spectatorx - I added a patch containing the validateForm you mentioned.
I also changed the use of the $_FILES array while uploading. All data is available via $this->file and can be used in createNode function.

steffenr’s picture

Status: Active » Needs review

davy duthoit’s picture

Attached file: status new, size 36.97 KB

Tested, everything seems fine.
The wrong file extensions throw an error:

[Image: error message]

  • Drupal Version 8.7.7
  • Web Server nginx/1.17.3
  • PHP Version 7.3.9 Memory limit 512M
  • Database Version 11.5 System PostgreSQL

davy duthoit’s picture

Assigned: spectatorx » davy duthoit
Status: Needs review » Reviewed & tested by the community

avpaderno’s picture

Issue tags: -Security

dhayanandan_k’s picture

Status: Reviewed & tested by the community » Fixed

Patch applied and verified. Please check and close this issue.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.