MIME Content Type is not properly handled while attaching the files
Recently upgraded to 4.0.4. While doing information security testing, the team raised a vulnerability:
"The application does not validate the content type of file being uploaded. This would enable an adversary to upload a malicious file onto the server."
If I change the extension of a file from .com to .pdf, Redmine allows the file upload in issues as an attachment and stores the content type as "application/pdf" in the table.
Due to this issue we are unable to roll out new version.
Urgent help required.
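The mismatch described in the report, checked by comparing the type implied by the extension with the type implied by the file's leading bytes. This is an added example written for this thread, not Redmine code; the extension map and signature list are a small illustrative subset, and the sample uploads are constructed in temp files.

```ruby
require "tempfile"

# Extension -> MIME type, standing in for Redmine::MimeType.of (subset, assumption).
EXTENSION_TYPES = {
  ".pdf" => "application/pdf",
  ".png" => "image/png",
  ".zip" => "application/zip",
}.freeze

# Leading-byte signatures ("magic") -> MIME type, a few well-known ones only.
MAGIC_TYPES = [
  ["%PDF-".b, "application/pdf"],
  ["\x89PNG\r\n\x1a\n".b, "image/png"],
  ["PK\x03\x04".b, "application/zip"],
].freeze

def type_from_extension(filename)
  EXTENSION_TYPES[File.extname(filename).downcase]
end

# Reads only the first 16 bytes; returns nil when no signature matches
# (an empty file or a renamed executable both land here).
def type_from_magic(path)
  head = File.open(path, "rb") { |f| f.read(16) } || "".b
  match = MAGIC_TYPES.find { |sig, _| head.start_with?(sig) }
  match && match[1]
end

# True only when the content agrees with the type the extension claims.
def content_matches_extension?(filename, path)
  expected = type_from_extension(filename)
  return false if expected.nil?          # unknown extension: do not trust it
  type_from_magic(path) == expected
end

# Writes constructed bytes to a temp file and yields its path.
def with_upload(bytes)
  Tempfile.create("upload") do |f|
    f.binmode
    f.write(bytes)
    f.flush
    yield f.path
  end
end

if __FILE__ == $PROGRAM_NAME
  with_upload("\x00\x01\x02\x03".b) do |path|           # non-PDF bytes renamed .pdf
    puts content_matches_extension?("renamed.pdf", path) # false
  end
end
```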
What do you think about this workaround? It prevents web browsers from opening crafted PDF files inline.
diff --git a/app/models/attachment.rb b/app/models/attachment.rb index a334024b4..3ec3e0e69 100644 --- a/app/models/attachment.rb +++ b/app/models/attachment.rb @@ -249,7 +249,7 @@ class Attachment < ActiveRecord::Base end def is_pdf? - Redmine::MimeType.of(filename) == "application/pdf" + Redmine::MimeType.of(filename) == "application/pdf" && MimeMagic.by_magic(File.open(diskfile)).type == 'application/pdf' end def is_video?
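Review bot: `MimeMagic.by_magic(...)` returns nil when no signature matches, so the `.type` call on the right-hand side of the `&&` raises NoMethodError for exactly the renamed-binary case this change is meant to catch; compare with `MimeMagic.by_magic(...)&.type == 'application/pdf'` or check the result for nil first. `File.open(diskfile)` without a block also leaves the descriptor open until garbage collection on every `is_pdf?` call; pass a block, e.g. `File.open(diskfile) { |f| MimeMagic.by_magic(f) }`, so the handle is closed immediately.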