search

FriendsOfFlarum / upload

The file upload extension with insane intelligence for your Flarum forum.
https://discuss.flarum.org/d/4154
MIT License
177 stars 96 forks source link

Don't rename file extensions #221

Closed eddiewebb closed 4 years ago

eddiewebb commented 4 years ago

Extension is rewriting the file extension of files on upload, making them invalid for download.

I want to let users upload .gpx files, they are technically XML, but the extension is important so they can be imported to GPS devices and apps.

The problem, as best I can discover is that every browser/os combo has their own way of interrogating local files to decide the mime-type they send to the server. Most OS have a list or registry they maintain that is inspected by the browser.

The plugin currently "guesses" extension based on mime type, and only if that is missing, falls back to actual client provided extension. Because the extension renames the file to *.xml instead of leaving it as .gpx making it invalid for import elsewhere.

I'm not suggesting a change in the way files are inspected during upload, I agree inspecting filetype is safer than trusting the user provided extension to allow/block the upload.

I am just suggesting we should just not alter the extension when we save it, I do not agree that adds security to the server or folks who later download it.

askvortsov1 commented 4 years ago

What if, on upload, we saved files with an arbitrary, nonthreatening extension, and then returned them with the proper one on download?

eddiewebb commented 4 years ago

that's fine, because it suits my specific need, but also -- extensions are not threatening, files are.

Extension spoofing exploits work in the opposite direction, malicious file types cloaked under safe extensions, usually hidden by modern OS.

If the filetype itself (in this case detected as XML) is safe, the extension wont make it dangerous, replacing the extension wont make it safe.

(simple proof, save a shell script as .doc (or .anything)-- it will still execute as a script if invoked)

$ echo "echo \"im a script\"" > word.doc
$ ./word.doc 
im a script
dartrax commented 4 years ago

(I think) I'm having the same/related issue. I try to upload an .3mf file, but that gets changed to .zip. https://en.wikipedia.org/wiki/3D_Manufacturing_Format The applications that can open such files (3d print slicers) expect a .3mf, not a .zip. It would be nice if file extensions do not get changed.