Defect #34367

Allowed filename extensions of attachments can be circumvented

Added by Holger Just almost 4 years ago. Updated over 2 years ago.

Status: Closed
Priority: Normal
Assignee:
Category: Attachments
Target version:
Start date:
Due date:
% Done: 0%
Estimated time:
Resolution: Fixed
Affected version:

Description

In #20008, Redmine introduced the ability to restrict the allowed extensions of attachment filenames.

This check is not exhaustive though, meaning it is easily possible to subvert the restriction. There are two ways in which a user can still use any arbitrary filename despite restrictions in place:

  • As reported by Bartu Ogur via email to , it is also possible to update the filename of an uploaded attachment when it is attached to an object. The filename of the original file is checked only during attachments#upload, when the attachment is initially created. However, we do allow overwriting the filename (and content type) of an attachment when it is attached to an object in redmine:source:trunk/lib/plugins/acts_as_attachable/lib/acts_as_attachable.rb#L105.
  • Furthermore, after an attachment was initially added with an allowed extension and was successfully attached to an object, the filename can be edited freely to set any filename, including with a forbidden extension.

For administrators trying to restrict the types of files which can be uploaded, these limitations are not obvious, making the usage of this feature potentially dangerous (also with Redmine relying on the extension to determine the content type in a lot of areas).

To fix the reported issue and to enforce the filename check everywhere on change, we could use the attached patch against current trunk. With this patch, each change of the filename will be validated against the list of allowed extensions. This will remove the ability to set a currently forbidden extension on any file, regardless of when it was created.
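The following is an added illustration, not Redmine's code or the attached patch: a small stand-in for the attachment lifecycle (upload, then rename on attach or edit) that contrasts the weak policy, which checks the extension only when the record is created, with the hardened policy, which checks it whenever the filename changes. The class name, allow-list and `save` semantics are constructed assumptions.

```ruby
# Constructed stand-in for an attachment record; not Redmine's Attachment model.
class AttachmentRecord
  ALLOWED_EXTENSIONS = %w[png jpg pdf txt].freeze # hypothetical allow-list

  attr_reader :filename, :saved_filename, :errors
  attr_writer :filename

  # Case-insensitive extension check; a name without an extension is rejected.
  def self.valid_extension?(filename)
    ext = File.extname(filename.to_s).delete_prefix('.').downcase
    !ext.empty? && ALLOWED_EXTENSIONS.include?(ext)
  end

  # check_on_change: false reproduces the weak, upload-only check;
  # true reproduces the fix, validating every change of the filename.
  def initialize(filename, check_on_change:)
    @check_on_change = check_on_change
    @saved_filename = nil
    @filename = filename
    @errors = []
  end

  # Mimics an ActiveRecord save: validate first, persist only if valid.
  def save
    @errors = []
    new_record = @saved_filename.nil?
    changed = @filename != @saved_filename
    must_check = @check_on_change ? changed : new_record
    if must_check && !self.class.valid_extension?(@filename)
      @errors << "filename extension not allowed: #{@filename}"
      return false
    end
    @saved_filename = @filename
    true
  end
end

# Replays the lifecycle: upload with one name, then rename on attach or edit.
# Returns the filename that ends up persisted under the chosen policy.
def persisted_name_after_rename(check_on_change:, initial:, renamed:)
  record = AttachmentRecord.new(initial, check_on_change: check_on_change)
  raise "upload should be allowed: #{record.errors.join(', ')}" unless record.save
  record.filename = renamed
  record.save # a rejected rename leaves the previously saved name in place
  record.saved_filename
end
```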


#2

Updated by Holger Just over 3 years ago

bump.

#3

Updated by Go MAEDA over 3 years ago

  • Status changed from New to Confirmed
  • Target version set to 4.1.3

Confirmed the issue. Setting the target version to 4.1.3.

#4

Updated by Go MAEDA over 3 years ago

  • Status changed from Confirmed to Closed
  • Assignee set to Go MAEDA
  • Resolution set to Fixed

Committed the patch. Thank you for handling this issue.

#5

Updated by Holger Just over 3 years ago

Thank you!

#6

Updated by Marius BĂLTEANU over 3 years ago

  • Status changed from Closed to Reopened
  • Target version changed from 4.1.3 to 4.0.9

#7

Updated by Go MAEDA over 3 years ago

  • Status changed from Reopened to Resolved

#8

Updated by Marius BĂLTEANU over 3 years ago

  • Status changed from Resolved to Closed

#9

Updated by Holger Just over 3 years ago

CVE-2021-31865 has been assigned for this.

#10

Updated by Marius BĂLTEANU over 2 years ago

  • Project changed from 2 to Redmine
  • Category set to Attachments