There is no primitive type check on the default image of the user profile, so any file can be uploaded with no test stronger than the extension (e.g. a MIME type check).
How to reproduce the issue:
- Take an executable file a.exe and rename it to a.jpg
- As administrator, open "Picture settings for User" on /admin/config/people/accounts/fields/user.user.user_picture
- Load a.jpg as default file for Picture
The file will be uploaded to a public path like /sites/default/files/default_images/a.jpg and will be downloadable by users.
Anyway, scaling of the image with image styles will be attempted at something like /sites/default/files/styles/thumbnail/public/default_images/a.jpg?itok=5fVRfdpX, and that request returns Internal Server Error when visiting a user profile if "View user information" is granted to anonymous users, so the original exe file is not downloaded.
Comment | File | Size | Author |
---|---|---|---|
#10 | Screenshot 2020-07-09 09.00.27.png | 34.84 KB | pameeela |
Comments
Comment #1
chirale commented:
The issue persists on beta-14, but an error "This value should be of the correct primitive type" is now correctly provided. The file path is reachable just above the message, and the file is not deleted at once. The file must be deleted immediately (or not copied from temp) to avoid it being reached by anyone knowing the full path.
Comment #2
cilefen commented:
Based on #1, this issue needs a new title and summary update.
Comment #10
pameeela commented:
Thanks for reporting this issue. We rely on issue reports like this one to resolve bugs and improve Drupal core.
As part of the Bug Smash Initiative, we are triaging Drupal core issues with the priority 'Major'.
I'm unable to reproduce this currently on 9.0.x:
- Install Drupal
- Create a file test.exe
- Change to test.jpg
- Edit user/1 profile
- Try to upload test.jpg as the user picture
I get the following error and the file is not uploaded, the filename is not a link, and I confirmed it is not reachable at the path with test.jpg:
I suspect it was fixed as part of #2377747: Incorrect node create validation error when an invalid image is attached to a field so I'm going to close this as a duplicate.
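The content check requested in the issue summary and the cleanup requested in comment #1, as an added example that is not part of the original thread and is not Drupal's code: the upload is validated with PHP's getimagesize() before it leaves the temp directory, and a rejected file is deleted rather than left reachable. The function name, the allow-list and the sample files are assumptions made for illustration.

```php
<?php
// Added illustration, not Drupal core code; all names here are hypothetical.
const ALLOWED_IMAGES = [
    IMAGETYPE_JPEG => ['jpg', 'jpeg'],
    IMAGETYPE_PNG  => ['png'],
    IMAGETYPE_GIF  => ['gif'],
];

/**
 * Moves an upload out of temp only if its content is an allowed image type
 * that matches its extension. Returns the stored path, or null after
 * deleting the temp file.
 */
function accept_image_upload(string $tmpPath, string $clientName, string $publicDir): ?string
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    // getimagesize() inspects the file header, not the name; false means "not an image".
    $info = @getimagesize($tmpPath);
    $type = $info === false ? null : $info[2];
    $ok = $type !== null
        && array_key_exists($type, ALLOWED_IMAGES)
        && in_array($ext, ALLOWED_IMAGES[$type], true);
    if (!$ok) {
        @unlink($tmpPath); // rejected content never reaches the public path
        return null;
    }
    // Server-generated name: the client-supplied name is never used on disk.
    $target = $publicDir . '/' . bin2hex(random_bytes(8)) . '.' . $ext;
    if (!rename($tmpPath, $target)) {
        @unlink($tmpPath);
        return null;
    }
    return $target;
}

// Constructed sample inputs, written to a scratch directory.
$dir = sys_get_temp_dir() . '/upload_demo_' . bin2hex(random_bytes(4));
mkdir($dir . '/public', 0700, true);

// Stand-in for "a.exe renamed to a.jpg": begins with the DOS/PE "MZ" signature.
file_put_contents($dir . '/tmp1', 'MZ' . str_repeat("\x00", 62));
// Minimal GIF header: signature plus a 1x1 logical screen descriptor.
file_put_contents($dir . '/tmp2', 'GIF89a' . pack('v2', 1, 1) . "\x00\x00\x00;");

echo 'a.jpg stored as: ';
var_dump(accept_image_upload($dir . '/tmp1', 'a.jpg', $dir . '/public'));
echo 'rejected temp file still on disk: ';
var_dump(file_exists($dir . '/tmp1'));
echo 'logo.gif stored as: ';
var_dump(accept_image_upload($dir . '/tmp2', 'logo.gif', $dir . '/public'));
```

A header check only establishes the declared image type; re-encoding the file through an image toolkit before publishing it is a stronger guarantee.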