PHSCDC / itocdc-2015-www

An insecure PHP web app for the Iowa State University 2015 IT Olympics Cyber Defense Competition (ITOCDC)
MIT License

Uploaded files are not checked for file type until after they're put into the permanent directory #20

Closed jummy0 closed 9 years ago

jummy0 commented 9 years ago

When files are uploaded, they are moved to the permanent directory, then checked for filetype. Then, if the file has an invalid filetype, an error is thrown, but nothing is actually done with the file.

ngiddings commented 9 years ago

This is the most serious issue we've found so far, in my opinion. It should be a simple fix, but I am working on finishing SQL query security. I'm going to assign this issue to Jimmy.

ngiddings commented 9 years ago

I did it for you, Jimmy. I rearranged all the checks so that uploads cannot be made unless you are logged in and the file has the proper extension. This issue has to be left open since the branch with my patch has not been tested.
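The defect described in the issue (move first, check afterwards, throw but leave the file in place) and the fix described in the comment above (authentication and extension checks before anything is written to the permanent directory) side by side, as an added example that is not code from the itocdc-2015-www project. The session key `user_id`, the `$uploadDir` path, the allowlist and the `finfo` MIME check are assumptions for illustration, not taken from the project.

```php
<?php
// Added example: contrast the ordering the issue describes with a check-before-move handler.

// Assumed allowlist of extensions and the MIME types the file contents must match (not from the project).
const ALLOWED_TYPES = [
    'png' => 'image/png',
    'jpg' => 'image/jpeg',
    'gif' => 'image/gif',
];

/**
 * Ordering as described in the issue: the file is moved into the permanent
 * directory first, then inspected. If the type is wrong an exception is
 * thrown, but the file has already been written and is never removed.
 */
function uploadMoveThenCheck(array $file, string $uploadDir): string
{
    $dest = $uploadDir . '/' . basename($file['name']);
    move_uploaded_file($file['tmp_name'], $dest);          // written to disk first

    $ext = strtolower(pathinfo($dest, PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED_TYPES)) {
        throw new RuntimeException('Invalid file type');   // $dest stays on disk
    }
    return $dest;
}

/**
 * Check-before-move handler: every rejection happens while the file is still
 * in PHP's temporary upload location, so a rejected file never reaches the
 * permanent directory. The stored name is random, so the caller's filename
 * (and any path characters in it) is never used on disk.
 */
function uploadCheckThenMove(array $file, string $uploadDir, int $maxBytes = 2_000_000): string
{
    // 1. Must be logged in (assumed session key).
    if (empty($_SESSION['user_id'])) {
        throw new RuntimeException('Login required');
    }
    // 2. The upload itself must have succeeded and really be an HTTP upload.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Upload failed');
    }
    if ($file['size'] > $maxBytes) {
        throw new RuntimeException('File too large');
    }
    // 3. Extension allowlist on the client-supplied name.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED_TYPES)) {
        throw new RuntimeException('Invalid file extension');
    }
    // 4. The content must agree with the extension; the browser-supplied
    //    $file['type'] is not trusted for this.
    $finfo = finfo_open(FILEINFO_MIME_TYPE);
    $mime = finfo_file($finfo, $file['tmp_name']);
    finfo_close($finfo);
    if ($mime !== ALLOWED_TYPES[$ext]) {
        throw new RuntimeException('File content does not match extension');
    }
    // 5. Only now write to the permanent directory, under a server-chosen name.
    $dest = $uploadDir . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file');
    }
    return $dest;
}

// Usage (assumed form field name "upload"):
// session_start();
// $stored = uploadCheckThenMove($_FILES['upload'], __DIR__ . '/uploads');
```

The point of the second function is that no branch exists in which a rejected file has already been written: every `throw` runs before `move_uploaded_file`, which is exactly the reordering the comment above describes. Serving the upload directory with script execution disabled is a separate, complementary control.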

ngiddings commented 9 years ago

On second thought, we should close this so it's clearer what needs to be done.