SECURITY FIX: Only allow image file types by default.

This prevents remote code execution in Apache servers version 2.3.9+ with the default configuration (AllowOverride None). Since Apache version 2.3.9, .htaccess support is disabled by default: https://httpd.apache.org/docs/current/mod/core.html#allowoverride Without the configuration in the .htaccess file, allowing uploads of all file types allows remote code execution. Thanks to @lcashdol for reporting the vulnerability (Closes #3514).
blueimp · Oct 13, 2018 · aeb47e5 · aeb47e5
1 parent 39607fd
commit aeb47e5
Showing 1 changed file with 14 additions and 1 deletion.
diff --git a/server/php/index.php b/server/php/index.php
@@ -12,4 +12,17 @@
 
 error_reporting(E_ALL | E_STRICT);
 require('UploadHandler.php');
-$upload_handler = new UploadHandler();
+$upload_handler = new UploadHandler(array(
+
+  // SECURITY NOTICE:
+  // Only change the accept_file_types setting after making sure that any
+  // allowed file types cannot be executed by the webserver in the files
+  // directory (e.g. PHP scripts), nor executed by the browser when downloaded
+  // (e.g. HTML files with embedded JavaScript code).
+  // e.g. in Apache, make sure the provided .htaccess file is present in the
+  // files directory and .htaccess support has been enabled:
+  // https://httpd.apache.org/docs/current/howto/htaccess.html
+
+  // By default, only allow file uploads with image file extensions:
+  'accept_file_types' => '/\.(gif|jpe?g|png)$/i'
+));