Able to upload a virus file to Files section
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Mahara | Fix Released | High | Robert Lyon | |
17.04 | Fix Released | High | Unassigned | |
17.10 | Fix Released | High | Unassigned | |
18.04 | Fix Released | High | Unassigned | |
18.10 | Fix Released | High | Robert Lyon | |
Bug Description
If I try to upload the benign test virus file called "eicar.com" from https:/
However, if I try to upload the eicar_com.zip file it lets me, which is bad but understandable, as the signature of the virus file can be hidden via compression. And a user could only be infected if they download the zip and extract it locally.
But if I then press the 'Decompress' button, it extracts the zip file and doesn't complain. This is bad, as all one needs to do to upload a virus is to wrap it in a zip file and then extract it, and now they can trick another user into clicking on the file directly.
When importing a zip file via Importer and clamav is on, it checks the files of the zip for viruses, but when extracting a zip file in the Files section it does not.
We need to tidy this up so that uploading a zip file gets checked properly as well.
CVE References
information type: Private Security → Public Security
Note to self:
Files that are in play:
lib/uploadmanager.php - holds function that does scan
import/file/lib.php - looks to do clamav correctly
artefact/file/extract.php - looks to not do clamav check
htdocs/
htdocs/
htdocs/
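
The gap reported above is that the Decompress path stores archive members without the ClamAV check that direct upload and import already apply. The following is an added example, not Mahara's code or the released fix: it stages each member, scans it with clamscan, and rejects the whole archive if any member is flagged or the scanner fails. The function names are hypothetical; it assumes PHP 7 or later with the zip extension and the clamscan binary on PATH.

```php
<?php
// Added example, not Mahara's code. Function names are hypothetical.
// Assumes the zip extension is loaded and the clamscan binary is on PATH.

/** Scan one file with clamscan. Exit codes: 0 = clean, 1 = virus found, 2 = error. */
function clamscan_file(string $path): int {
    exec('clamscan --no-summary ' . escapeshellarg($path), $output, $code);
    return $code;
}

/**
 * Unpack every member of $zipPath into a private staging directory and scan it.
 * Returns a list of ['name' => member name, 'path' => staged file] only if every
 * member scanned clean; otherwise staging is removed and an exception is thrown.
 */
function extract_zip_scanned(string $zipPath): array {
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        throw new RuntimeException('Cannot open archive');
    }
    $staging = sys_get_temp_dir() . '/unzip_' . bin2hex(random_bytes(8));
    if (!mkdir($staging, 0700)) {
        throw new RuntimeException('Cannot create staging directory');
    }
    $staged = [];
    try {
        for ($i = 0; $i < $zip->numFiles; $i++) {
            $name = $zip->getNameIndex($i);
            if (substr($name, -1) === '/') {
                continue; // directory entry, nothing to scan
            }
            // Index-based staging name: member names never reach the filesystem.
            $tmp = "$staging/member_$i";
            $data = $zip->getFromIndex($i);
            if ($data === false || file_put_contents($tmp, $data) === false) {
                throw new RuntimeException("Cannot read member: $name");
            }
            $code = clamscan_file($tmp);
            if ($code !== 0) { // fail closed: infected (1) and scanner error (2) both reject
                throw new RuntimeException("Scan rejected '$name' (clamscan exit $code)");
            }
            $staged[] = ['name' => $name, 'path' => $tmp];
        }
    } catch (Exception $e) {
        array_map('unlink', glob("$staging/*"));
        rmdir($staging);
        throw $e;
    } finally {
        $zip->close();
    }
    return $staged;
}
```

The caller moves the staged files into permanent storage only after the function returns, so nothing from a rejected archive becomes downloadable.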