Opened 7 years ago

Closed 7 years ago

Last modified 7 years ago

#3531 closed (invalid)

ImageField - possible script injection

Reported by: Piotr Maliński <riklaunim@…>
Owned by: adrian
Component: Database layer (models, ORM)
Version: master
Severity:
Keywords:
Cc: sam@…
Triage Stage: Unreviewed
Has patch: no
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings:
UI/UX:

Description

ImageField validates files using MIME, which isn't 100% ok. It will allow uploading *py, *php, *pl or any other file extension when the file has an image MIME signature at the beginning:

cat image.png code.php > upload_me.php

It's dangerous for shared hosting and other setups where media folders can execute scripts like PHP, where <?PHP starts the code and makes the binary image part meaningless for the interpreter (could look like this).

Example: screenshot - 11.py uploaded as an image. Check the extensions.

Attachments (0)

Change History (4)

comment:1 Changed 7 years ago by mtredinnick

  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset
  • Resolution set to invalid
  • Status changed from new to closed

Thanks for the report (and the thinking behind it), however checking extensions is not a good way of doing security. It is the approach used by Microsoft in Windows and one of the reasons it is so easy to exploit that platform. Forcing people to use particular extensions (or any extension at all) for a file is not good practice. MIME types exist to avoid this very problem.

Uploading images (or other files) into a directory where the contents are automatically executed as CGI scripts is the real problem here. It just shouldn't be done (executing files that start with garbage and looking for meaningful strings in the middle of them is another problem). There is, in general, no 100% reliable way to check that something is just an image (or other type of file -- after all, we don't just allow image uploading if you use the FileField field, for example) and not *also* a file that might be mysteriously executed by an interpreter that processes any junk it is fed. It is quite possible that an image could legitimately contain the "magic string" that triggers execution by some language interpreter.

This is a security problem, but the problem is on the side of the server doing the uploads into an executable directory (or possibly serving files with an incorrect MIME type).

comment:2 Changed 7 years ago by Piotr Maliński <riklaunim@…>

Extension checking could be an extra feature, not a replacement.

comment:3 Changed 7 years ago by SmileyChris

Piotr, if you wanted to do something like that, it'd probably be better to try decoding it with PIL to see if it's a real image.
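
As an added illustration of comment:1 and comment:3 (example code written for this page; it is not Django's code and not part of the ticket), the block below builds a valid 1x1 PNG in memory, appends constructed trailing data to it the way the `cat image.png code.php` trick does, and compares two checks: the 8-byte magic-signature test that a MIME sniffer performs, and a structural walk over every PNG chunk that verifies CRCs and rejects anything after IEND. The chunk walker is a standard-library stand-in for the "decode it with PIL" idea from comment:3; the function and variable names are this example's own. The constructed file passes the magic check and fails the structural one, which is the gap the reporter describes. Note the caveat from comment:1 still applies: a string meaningful to some interpreter can sit inside a perfectly legitimate chunk, so no content check replaces not executing uploaded files.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Constructed sample trailer standing in for the appended script in the report.
TRAILER = b"# constructed trailing data, appended after IEND"


def png_chunk(chunk_type: bytes, payload: bytes) -> bytes:
    """Serialize one PNG chunk: 4-byte length, type, payload, CRC over type+payload."""
    crc = zlib.crc32(chunk_type + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + chunk_type + payload + struct.pack(">I", crc)


def build_minimal_png() -> bytes:
    """Constructed sample: a valid 1x1 RGB PNG (one red pixel), built in memory."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit, RGB
    idat = zlib.compress(b"\x00\xff\x00\x00")  # filter byte 0 + one RGB pixel
    return (PNG_SIGNATURE + png_chunk(b"IHDR", ihdr)
            + png_chunk(b"IDAT", idat) + png_chunk(b"IEND", b""))


def looks_like_png(data: bytes) -> bool:
    """The weak check: only the 8-byte magic signature, as MIME sniffing does."""
    return data[:8] == PNG_SIGNATURE


def validate_png_structure(data: bytes) -> dict:
    """Walk every chunk; report CRC errors, a missing IEND, and bytes after IEND."""
    problems = []
    if not looks_like_png(data):
        return {"valid": False, "problems": ["bad signature"], "trailing_bytes": 0}
    pos = 8
    first = True
    saw_iend = False
    while pos < len(data) and not saw_iend:
        if pos + 8 > len(data):
            problems.append("truncated chunk header")
            break
        length = struct.unpack(">I", data[pos:pos + 4])[0]
        ctype = data[pos + 4:pos + 8]
        end = pos + 8 + length + 4
        if end > len(data):
            problems.append(f"chunk {ctype!r} runs past end of file")
            break
        payload = data[pos + 8:pos + 8 + length]
        stored_crc = struct.unpack(">I", data[pos + 8 + length:end])[0]
        if (zlib.crc32(ctype + payload) & 0xFFFFFFFF) != stored_crc:
            problems.append(f"CRC mismatch in {ctype!r}")
        if first and ctype != b"IHDR":
            problems.append("first chunk is not IHDR")
        first = False
        if ctype == b"IEND":
            saw_iend = True
        pos = end
    if not saw_iend:
        problems.append("no IEND chunk")
    # Anything after IEND is not part of the image; this is where concatenated
    # script text ends up in the report's cat-based construction.
    trailing = len(data) - pos if saw_iend else 0
    if trailing > 0:
        problems.append(f"{trailing} bytes after IEND")
    return {"valid": not problems, "problems": problems, "trailing_bytes": trailing}


def compare_checks(data: bytes) -> dict:
    """Run both checks so the difference between them is visible side by side."""
    return {"magic_ok": looks_like_png(data),
            "structure_ok": validate_png_structure(data)["valid"]}


if __name__ == "__main__":
    clean = build_minimal_png()
    stuffed = clean + TRAILER
    print("clean image :", compare_checks(clean))
    print("with trailer:", compare_checks(stuffed), validate_png_structure(stuffed)["problems"])
```

Even the structural check is only a filter on malformed files; the ticket's actual remedy is the one in comment:1, serving uploads from a location where nothing is executed and with the correct MIME type.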

comment:4 Changed 7 years ago by anonymous

  • Cc sam@… added
