Open Gicheha opened 5 years ago
Yes, we would not want any kind of file to be uploaded; imagine some freaking .bat file up there and running a cron job. You can validate by size and extensions.
On Sun, Mar 10, 2019, 16:45 Gicheha notifications@github.com wrote:
A) Your outreachy username : gicheha
B) Issue title : Patient ID card can be updated using executable files and scripts
C) Site affected: The patient site, on the documents section
D) Bug report date : March 10, 2019
E) OS/ browser used: Windows/Chrome
F) Which workflow module in LHEHR : “Documents” under “Patient”.
G) Steps to reproduce the bug :
● Select the Patient/Client menu item and select the finder option.
● Select a patient or search for one using the search fields.
● Once a patient is selected, select the summary option on the patient's menu.
● On the summary screen, select the documents tab.
● Select patient information.
● Select Patient ID card.
● Choose the file to upload, then click on the upload button.
H) At point of bug, the expected behavior : Files of undesired format should be rejected and a prompt shown to advise the user on the appropriate file format.
I) Details of what actually happened : There was no prompt or alert box for the invalid information, whereas the PHP errors and warnings were displayed on the screen.
J) Provide relevant screenshots : Patient ID card file upload [image: excecutable_file] https://user-images.githubusercontent.com/9331796/54087407-a45ea480-4363-11e9-9e23-ebd2a684aeaa.PNG
K) Estimated bug Severity : The bug is critical as it is a security flaw
View it on GitHub: https://github.com/LibreHealthIO/lh-ehr/issues/1428
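One way to enforce the size and extension checks suggested above, with a content sniff so a renamed script is still rejected, as an added example that is not LibreHealth EHR code; the 2 MiB cap, the `idcard` form field name and the user-facing messages are assumptions:

```php
<?php
// Added example, not project code: validate a patient ID card upload before it
// is stored. Checks upload status, size, an extension allowlist, and the sniffed
// MIME type of the file body (finfo), never trusting the client-supplied name alone.
declare(strict_types=1);

const ID_CARD_MAX_BYTES = 2 * 1024 * 1024;   // assumed 2 MiB cap
const ID_CARD_ALLOWED = [                     // extension => MIME type the body must sniff as
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
];

/**
 * Return null when the upload is acceptable, otherwise a message to show the user.
 * $file is one entry of $_FILES (keys: name, tmp_name, size, error).
 */
function validateIdCardUpload(array $file): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return 'Upload failed; please try again.';
    }
    if ((int) $file['size'] > ID_CARD_MAX_BYTES) {
        return 'File too large; the maximum size is 2 MB.';
    }
    $ext = strtolower(pathinfo((string) $file['name'], PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ID_CARD_ALLOWED)) {
        return 'Unsupported file type; upload a JPG or PNG image.';
    }
    // Sniff the real content: a .bat or .php renamed to .jpg keeps its real type.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ID_CARD_ALLOWED[$ext]) {
        return 'File contents do not match the extension; upload a real JPG or PNG image.';
    }
    return null;
}

// Upload handler (assumed field name "idcard"): reject with a clear prompt
// instead of letting PHP warnings reach the screen, then store under a random name.
if (isset($_FILES['idcard'])) {
    $problem = validateIdCardUpload($_FILES['idcard']);
    if ($problem !== null) {
        http_response_code(400);
        echo htmlspecialchars($problem, ENT_QUOTES, 'UTF-8');
        exit;
    }
    $ext  = strtolower(pathinfo($_FILES['idcard']['name'], PATHINFO_EXTENSION));
    $dest = __DIR__ . '/idcards/' . bin2hex(random_bytes(16)) . '.' . $ext; // assumed directory
    move_uploaded_file($_FILES['idcard']['tmp_name'], $dest);
}
```

The storage directory should additionally be configured so the web server never executes files from it; that is a server configuration matter and is not shown here.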
Thanks...I am on it
@muarachmann Kindly assist with the location of the affected files. I have only managed to find the PHP script for uploading the profile photo; the file explorer page is JavaScript-generated, making it a bit tricky to trace the files. Thanks in advance.
@Gicheha what files have you found?
@muarachmann I think we are not getting each other. I mean the files containing the code that uploads the patient docs; those are the files I cannot find.
@aethelwulffe could you please help here? Thanks.
I will try to hunt them down. A good little project would be to gather up all the functions and put them in a monolithic feature directory under /modules. I think that this still uses the old document tree asset.
LibreEHR\controllers\C_Document.class.php:
LibreEHR\interface\patient_file\upload_dialog.php
LibreEHR\library\classes\Document.class.php:
@aethelwulffe @muarachmann thanks a lot, checking it out.
I think under interface/patient_file/summary and other places, but these file names will get you everywhere you need to get to.
I want to contribute
Hi @GH-aditya, we are actually porting to Laravel here: https://github.com/LibreHealthIO/lh-ehr-laravel. Please go through this and ping me if you have any issues: https://github.com/LibreHealthIO/lh-ehr-laravel/issues/27