I'm wondering what can happen if a translation server tricks the client into downloading a .php file instead of a .po one. So we may need to hardcode the file extension.

Is there any case for downloading files with other extensions?

Also, the display of all the information provided by the server should be reviewed.
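As an added illustration of the fix proposed above (example code written for this page, not part of the issue, of Drupal core or of the localization update module): the local filename is built only from identifiers the site already trusts, with the `.po` extension as a literal, so whatever name the server suggests in its URL or `Content-Disposition` header never reaches the filesystem. The function names, the regular expressions and the sample catalog are assumptions made for the example. It also adds the check a practitioner would want before writing the bytes: the body must look like a gettext catalog and must not carry a PHP open tag.

```php
<?php
/**
 * Added example, not Drupal's own code. Assumes $project, $version and
 * $langcode come from the site's own project list (not from the server
 * response) and that $download_dir is not directly web-served.
 */

/**
 * Returns the path a downloaded translation is stored under, or FALSE when
 * one of the identifiers is malformed. The server-supplied filename is
 * deliberately not a parameter; the ".po" extension is hard-coded.
 */
function safe_translation_path($download_dir, $project, $version, $langcode) {
  // Machine names, release strings and language codes have a narrow shape
  // (assumed patterns). Anything else is refused before it can become part
  // of a path: no "..", no "/", no NUL bytes, no extension of the
  // server's choosing.
  if (!preg_match('/^[a-z0-9_]{1,64}$/', $project)) {
    return FALSE;
  }
  if (!preg_match('/^[0-9]+\.x-[0-9]+\.(x|[0-9]+)(-[a-z0-9]+)?$/', $version)) {
    return FALSE;
  }
  if (!preg_match('/^[a-z]{2,3}(-[a-z0-9]{2,8})?$/', $langcode)) {
    return FALSE;
  }
  return rtrim($download_dir, '/') . "/$project-$version.$langcode.po";
}

/**
 * Sanity check on the downloaded body before it is written or imported.
 * A gettext catalog is plain text whose first non-comment entry is the
 * empty-msgid header; a PHP script is neither. This is defence in depth
 * only and does not replace the XSS filtering applied to every string
 * during import.
 */
function looks_like_po_file($content) {
  // Refuse a PHP open tag anywhere in the body (conservative; a genuine
  // translation has no reason to contain one).
  if (stripos($content, '<?php') !== FALSE) {
    return FALSE;
  }
  // Skip comment and blank lines; the first real line must be the header.
  foreach (preg_split('/\r?\n/', $content) as $line) {
    $line = ltrim($line);
    if ($line === '' || $line[0] === '#') {
      continue;
    }
    return $line === 'msgid ""';
  }
  return FALSE;
}

/**
 * Stores a downloaded translation. Returns the path written, or FALSE if the
 * identifiers or the content were rejected.
 */
function save_translation($download_dir, $project, $version, $langcode, $content) {
  $path = safe_translation_path($download_dir, $project, $version, $langcode);
  if ($path === FALSE || !looks_like_po_file($content)) {
    return FALSE;
  }
  if (file_put_contents($path, $content, LOCK_EX) === FALSE) {
    return FALSE;
  }
  return $path;
}

// Constructed sample input for the example (not a real download).
$dir = sys_get_temp_dir() . '/l10n_example';
@mkdir($dir);
$good = "# Hungarian translation\n"
  . "msgid \"\"\nmsgstr \"\"\n\"Content-Type: text/plain; charset=UTF-8\\n\"\n\n"
  . "msgid \"Home\"\nmsgstr \"Kezdőlap\"\n";
$evil = "<?php system(\$_GET['c']); ?>";

// A well-formed catalog is stored as drupal-7.x-2.1.hu.po regardless of what
// the server called it; a PHP payload and a path-traversal project name are
// both refused.
var_dump(save_translation($dir, 'drupal', '7.x-2.1', 'hu', $good));
var_dump(save_translation($dir, 'drupal', '7.x-2.1', 'hu', $evil));
var_dump(save_translation($dir, '../../etc', '7.x-2.1', 'hu', $good));
```

Run with `php example.php`: the first call returns the `.po` path, the second and third return `FALSE`. Hard-coding the extension is the part that removes the risk described in the issue; the content check only adds a second line of defence in case the download directory is ever served by a PHP-enabled web server, which the file permissions mentioned later in the thread should already prevent.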

Comments

-redShadow-

IMHO,

1. An untrusted translation server would always be quite a risk, even if it doesn't try to inject PHP files: by returning a malicious HTML string containing JavaScript, it could run any sort of XSS attack against the users of the site (including user #1).
(So we hope that our trusted translation server isn't sending us XSS'd strings or PHP files.)

2. Plus, if permissions are correct on files in the download directory, there should be no chance for an attacker to run them once uploaded.

Gábor Hojtsy

@-redShadow-: Drupal (and as a consequence the import code) already has provisions to protect you from XSS being imported in translations.

Sutharsan

Issue summary: View changes
Status: Active » Closed (outdated)