There is no primitive type check on the default image of the user profile, so any file can be uploaded: nothing stronger than the file extension is tested (e.g. no MIME type check).

How to reproduce the issue:

  • Take an executable file a.exe and rename it as a.jpg
  • As administrator, open "Picture settings for User" on /admin/config/people/accounts/fields/user.user.user_picture
  • Load a.jpg as default file for Picture

The file will be uploaded on public path like /sites/default/files/default_images/a.jpg and will be downloadable by users.

Anyway, image styles will try to scale the image at something like /sites/default/files/styles/thumbnail/public/default_images/a.jpg?itok=5fVRfdpX, and that request returns an Internal Server Error when visiting a user profile if "View user information" is granted to anonymous users, so the original exe file is not downloaded from that path.

Attachments: #10 Screenshot 2020-07-09 09.00.27.png (34.84 KB, pameeela)

Comments

Comment by chirale

Version: 8.0.0-beta12 » 8.0.0-beta14

The issue persists on beta14, but an error "This value should be of the correct primitive type" is now correctly provided. The file path is reachable just above the message, and the file is not deleted at once. The file must be deleted immediately (or not copied from temp) to avoid being reachable by anyone who knows the full path.
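The two points raised so far, that an extension-only test lets a renamed executable through and that a rejected upload must not linger at a guessable path, can be shown together in a small validator. This is an added illustration in Python, not Drupal code and not from anyone in this thread; the signature table, the `validate_and_store` function and the constructed sample files are assumptions made for the example. It contrasts the weak name-based check with a content check on the file's leading bytes and unlinks the temporary upload as soon as it fails.

```python
import os
import tempfile

# Constructed table of leading-byte signatures for the image types a profile
# picture may be. Real validators usually lean on libmagic or getimagesize();
# the principle is the same: decide on content, not on the name.
IMAGE_SIGNATURES = {
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "gif": [b"GIF87a", b"GIF89a"],
}

ALLOWED_EXTENSIONS = set(IMAGE_SIGNATURES)


def extension_check(filename):
    """The weak test described in the report: trusts the file name only."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext in ALLOWED_EXTENSIONS


def content_matches_extension(path):
    """Stronger test: the first bytes must match the image type the name claims."""
    ext = os.path.basename(path).rsplit(".", 1)[-1].lower()
    with open(path, "rb") as fh:
        head = fh.read(16)
    return any(head.startswith(sig) for sig in IMAGE_SIGNATURES.get(ext, []))


def validate_and_store(tmp_path, dest_dir):
    """Move the temp upload into the public directory only if both checks pass.

    On failure the temp file is removed at once, so there is no window in which
    a rejected file sits at a path someone could reach by knowing it.
    Returns the final path on success, None on rejection.
    """
    name = os.path.basename(tmp_path)
    if not (extension_check(name) and content_matches_extension(tmp_path)):
        os.unlink(tmp_path)  # reject and delete immediately
        return None
    dest = os.path.join(dest_dir, name)
    os.replace(tmp_path, dest)
    return dest


def demo():
    """Run both checks over constructed inputs: a real-looking JPEG and an
    executable (MZ header) renamed to a.jpg, as in the reproduction steps."""
    work = tempfile.mkdtemp()
    tmp_dir = os.path.join(work, "tmp")
    public_dir = os.path.join(work, "default_images")  # stands in for the public path
    os.makedirs(tmp_dir)
    os.makedirs(public_dir)

    good = os.path.join(tmp_dir, "real.jpg")
    with open(good, "wb") as fh:
        fh.write(b"\xff\xd8\xff\xe0" + b"\x00" * 32)  # constructed JPEG-like header

    bad = os.path.join(tmp_dir, "a.jpg")
    with open(bad, "wb") as fh:
        fh.write(b"MZ\x90\x00" + b"\x00" * 64)  # constructed PE-like header

    return {
        "real.jpg_accepted": validate_and_store(good, public_dir) is not None,
        "a.jpg_passes_extension_check": extension_check("a.jpg"),
        "a.jpg_accepted": validate_and_store(bad, public_dir) is not None,
        "a.jpg_left_on_disk": os.path.exists(bad),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The renamed executable passes `extension_check` (which is all the report says was being tested) but fails `content_matches_extension`, and after rejection it no longer exists in the temp directory.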

Comment by cilefen

Version: 8.0.0-beta14 » 8.1.x-dev
Issue tags: +Security, +Needs issue summary update

Based on #1, this issue needs a new title and summary update.

Version: 8.1.x-dev » 8.2.x-dev

Drupal 8.1.9 was released on September 7 and is the final bugfix release for the Drupal 8.1.x series. Drupal 8.1.x will not receive any further development aside from security fixes. Drupal 8.2.0-rc1 is now available and sites should prepare to upgrade to 8.2.0.

Bug reports should be targeted against the 8.2.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.3.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.2.x-dev » 8.3.x-dev

Drupal 8.2.6 was released on February 1, 2017 and is the final full bugfix release for the Drupal 8.2.x series. Drupal 8.2.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.3.0 on April 5, 2017. (Drupal 8.3.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.3.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.4.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.3.x-dev » 8.4.x-dev

Drupal 8.3.6 was released on August 2, 2017 and is the final full bugfix release for the Drupal 8.3.x series. Drupal 8.3.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.4.0 on October 4, 2017. (Drupal 8.4.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.4.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.5.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.4.x-dev » 8.5.x-dev

Drupal 8.4.4 was released on January 3, 2018 and is the final full bugfix release for the Drupal 8.4.x series. Drupal 8.4.x will not receive any further development aside from critical and security fixes. Sites should prepare to update to 8.5.0 on March 7, 2018. (Drupal 8.5.0-alpha1 is available for testing.)

Bug reports should be targeted against the 8.5.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.6.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.5.x-dev » 8.6.x-dev

Drupal 8.5.6 was released on August 1, 2018 and is the final bugfix release for the Drupal 8.5.x series. Drupal 8.5.x will not receive any further development aside from security fixes. Sites should prepare to update to 8.6.0 on September 5, 2018. (Drupal 8.6.0-rc1 is available for testing.)

Bug reports should be targeted against the 8.6.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.7.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.6.x-dev » 8.8.x-dev

Drupal 8.6.x will not receive any further development aside from security fixes. Bug reports should be targeted against the 8.8.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.9.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

Version: 8.8.x-dev » 8.9.x-dev

Drupal 8.8.7 was released on June 3, 2020 and is the final full bugfix release for the Drupal 8.8.x series. Drupal 8.8.x will not receive any further development aside from security fixes. Sites should prepare to update to Drupal 8.9.0 or Drupal 9.0.0 for ongoing support.

Bug reports should be targeted against the 8.9.x-dev branch from now on, and new development or disruptive changes should be targeted against the 9.1.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

Comment by pameeela

Thanks for reporting this issue. We rely on issue reports like this one to resolve bugs and improve Drupal core.

As part of the Bug Smash Initiative, we are triaging Drupal core issues with the priority 'Major'.

I'm unable to reproduce this currently on 9.0.x:

  • Install Drupal
  • Create a file test.exe
  • Rename it to test.jpg
  • Edit the user/1 profile
  • Try to upload test.jpg as the user picture

I get the following error and the file is not uploaded; the filename is not a link, and I confirmed it is not reachable at the path with test.jpg:

I suspect it was fixed as part of #2377747: Incorrect node create validation error when an invalid image is attached to a field, so I'm going to close this as a duplicate.