I'm wondering what can happen if a translation server tricks the client into downloading a .php file instead of a .po one. So we may need to hardcode the file extension.
Is there any case for downloading files with other extensions?
We should also review the display of all the information provided by the server.
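One way to address the concern above, as an added example that is not Drupal's own code: derive the local filename purely from values the client already trusts (project, version, language code) with the `.po` extension hardcoded, so that neither a `Content-Disposition` header nor a redirect to a `.php` URL can influence where or under what name the payload is written. The function names, the `project-version.langcode.po` naming scheme and the sample body are assumptions for illustration.

```php
<?php
// Added example (not Drupal core code): a malicious translation server must
// never get to choose the local filename or extension of a downloaded file.

/**
 * Build the destination path for a translation download.
 *
 * Only local, trusted values participate in the name; the server-supplied
 * filename and the final URL after redirects are deliberately ignored.
 *
 * @param string $directory Local translations directory (assumed to exist).
 * @param string $project   Project machine name, e.g. 'drupal' (hypothetical value).
 * @param string $version   Version string, e.g. '7.22' (hypothetical value).
 * @param string $langcode  Language code, e.g. 'de'.
 *
 * @return string Path that always ends in '.po'.
 *
 * @throws InvalidArgumentException When a component contains characters
 *   outside the whitelist (no slashes, no backslashes, no '..').
 */
function safe_po_destination($directory, $project, $version, $langcode) {
  $parts = array('project' => $project, 'version' => $version, 'langcode' => $langcode);
  foreach ($parts as $name => $value) {
    // Whitelist the characters that legitimately occur in these values.
    if (!preg_match('/^[a-zA-Z0-9_.-]+$/', $value) || strpos($value, '..') !== FALSE) {
      throw new InvalidArgumentException("Unsafe $name value: $value");
    }
  }
  // The extension is hardcoded here; nothing the remote side sends can change it.
  $filename = $project . '-' . $version . '.' . $langcode . '.po';
  return rtrim($directory, '/') . '/' . $filename;
}

/**
 * Decide whether a response body may be saved as a .po file.
 *
 * Even with a fixed extension, refuse content that is clearly not a PO file:
 * a PHP open tag (in case the directory is ever executable) or a body without
 * a single msgid (an HTML error page, for instance).
 */
function is_acceptable_po_body($status_code, $body) {
  if ((int) $status_code !== 200) {
    return FALSE;
  }
  if (stripos($body, '<?php') !== FALSE || strpos($body, '<?=') !== FALSE) {
    return FALSE;
  }
  return preg_match('/^msgid\s+"/m', $body) === 1;
}

// Usage with constructed values (no real download is performed).
$directory = sys_get_temp_dir();
$path = safe_po_destination($directory, 'drupal', '7.22', 'de');
$body = "msgid \"Home\"\nmsgstr \"Startseite\"\n";
if (is_acceptable_po_body(200, $body)) {
  // Always written as <directory>/drupal-7.22.de.po, whatever the server said.
  file_put_contents($path, $body);
}
```

The check on the body is secondary; the primary defence is that the destination is computed before the request is made and never revisited after it, so the server's headers and redirect target can only affect the bytes inside the file, not its name.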
Comments
Comment #1
-redShadow- commented:
IMHO,
1. An untrusted translation server would always be quite a risk, even if it doesn't try to inject PHP files: by returning a malicious HTML string containing JavaScript, it could run any sort of XSS attack against the users of the site (including user #1).
(So we hope that our trusted translation server isn't sending us XSS-ed strings or PHP files.)
2. Plus, if permissions are correct on files in the download directory, there should be no chance for an attacker to run them once uploaded.
Comment #2
Gábor Hojtsy commented:
@-redShadow-: Drupal (and as a consequence the import code) already has provisions to protect you from XSS being imported in translations.
Comment #3
Sutharsan commented: