Problem/Motivation

The module does not restrict what is inside the zip file so it could be used to upload HTML files containing dangerous JS or PHP files.

Steps to reproduce

  1. Create a zip file containing an HTML file with some script in it.
  2. Create a bundle with a zip file field (configured to use the public files).
  3. As a user who can create nodes in the bundle, create a new node with the zip file in the field.
  4. Browse to the extracted HTML file in /sites/default/files/: the JS is executed

Proposed resolution

The module should either restrict which extensions are allowed inside the zip file or require a restricted permission to upload a zip file.

Remaining tasks

User interface changes

API changes

Data model changes
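As an added example (not code from the module or from this issue), here is the kind of allowlist check the proposed resolution asks for, in PHP: inspect every entry of the uploaded archive and refuse the whole upload if any entry has an extension outside the allowlist, before anything is extracted under /sites/default/files/. The allowlist, the function name `zip_disallowed_entries()` and the constructed sample archive are assumptions for the demonstration. Every dot-separated segment after the first is checked, so `index.html`, `notes.php.txt` and `.htaccess` all fail while `images/logo.png` passes.

```php
<?php
// Added example, not code from the module under discussion. Validates the
// entries of an uploaded zip against an extension allowlist before extraction.
// The allowlist and the constructed archive below are assumptions.

declare(strict_types=1);

/**
 * Returns the entry names that are NOT allowed, or an empty array if the
 * archive may be extracted.
 *
 * Each dot-separated segment of the base name after the first is checked,
 * so "evil.php.txt", "page.html" and ".htaccess" are rejected while
 * "image.png" passes. An allowlist is used rather than a blocklist so that
 * executable types the author did not think of are refused by default.
 */
function zip_disallowed_entries(string $zipPath, array $allowedExtensions): array {
  $allowed = array_map('strtolower', $allowedExtensions);
  $zip = new ZipArchive();
  $result = $zip->open($zipPath);
  if ($result !== TRUE) {
    throw new RuntimeException("Cannot open archive (ZipArchive error $result)");
  }

  $rejected = [];
  for ($i = 0; $i < $zip->numFiles; $i++) {
    $name = $zip->getNameIndex($i);
    // Directory entries carry no payload; only the files inside them matter.
    if (substr($name, -1) === '/') {
      continue;
    }
    $segments = explode('.', basename($name));
    array_shift($segments);
    if ($segments === []) {
      // No extension at all: keep the policy strict and refuse it.
      $rejected[] = $name;
      continue;
    }
    foreach ($segments as $ext) {
      if (!in_array(strtolower($ext), $allowed, TRUE)) {
        $rejected[] = $name;
        break;
      }
    }
  }
  $zip->close();
  return $rejected;
}

// Constructed sample archive: one benign image name, the HTML-with-script
// payload from the reproduction steps, and a double-extension PHP file.
$tmp = tempnam(sys_get_temp_dir(), 'zipcheck');
$zip = new ZipArchive();
$zip->open($tmp, ZipArchive::CREATE | ZipArchive::OVERWRITE);
$zip->addFromString('images/logo.png', 'not really a PNG');
$zip->addFromString('index.html', '<script>alert(document.domain)</script>');
$zip->addFromString('notes.php.txt', '<?php echo 1; ?>');
$zip->close();

// Assumed allowlist for a field meant to hold images and documents.
$bad = zip_disallowed_entries($tmp, ['png', 'jpg', 'jpeg', 'gif', 'txt', 'pdf']);
unlink($tmp);

if ($bad !== []) {
  echo "Refusing upload, disallowed entries: " . implode(', ', $bad) . "\n";
}
else {
  echo "Archive accepted, safe to extract.\n";
}
```

The check must run on the archive itself, not on files after extraction, otherwise the HTML or PHP file already sits in the public directory while validation happens. Whether a file in the public files directory is executed or rendered depends on the web server configuration, which is why HTML is kept off the allowlist along with PHP: the reproduction steps show the script running from /sites/default/files/ without any server-side execution.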


Comments

prudloff created an issue. See original summary.


The "Tracking script" field could also be used to insert dangerous JS and should probably require a restricted permission.

vhin0210 made their first commit to this issue’s fork.

vhin0210 changed the visibility of the branch 3556308-module-allows-uploading to hidden.


Status: Active » Fixed


Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.