RocketChat / Rocket.Chat

The communications platform that puts data protection first.
https://rocket.chat/

Accepted media type image allows files with .jpg extension to be uploaded even if contents are not an image #14904

Open kendrickluong opened 5 years ago

kendrickluong commented 5 years ago

Description:

Accepted Media Types filter on file uploads set to image/* incorrectly accepts files that are not images but have .jpg extension

Steps to reproduce:

  1. Settings > File Upload > Accepted Media Types: images/*
  2. Upload an actual_image.jpg file: goes through
  3. Upload a random.cer file: Media Type Not Accepted Application/pkix-cert
  4. Rename random.cer to random.jpg: file goes through

Expected behavior:

random.jpg should not be uploaded

Server Setup Information:

reetp commented 5 years ago

I think the problem is that automatic detection of file types is something less than reliable and can still be fooled. It isn't Rocketchat's fault - it's an industry-wide issue.

eg https://stackoverflow.com/questions/24662959/use-file-content-to-determine-mime-type-with-node-js

I'd suggest this can be closed and added as an NFR here:

https://github.com/RocketChat/feature-requests

but I think it is unlikely to get fixed in hurry.

Jacko50 commented 5 years ago

I managed to work around this by installing incron and having a trigger whenever a file is put into the Rocket uploads directory to look for "image" in the output of the command file --mime-type and deleting if false.

kendrickluong commented 5 years ago

> I managed to work around this by installing incron and having a trigger whenever a file is put into the Rocket uploads directory to look for "image" in the output of the command file --mime-type and deleting if false.

What's the behaviour of rocketchat if incron deletes the file? Do the sender/receiver both get broken links?

github-actions[bot] commented 3 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

4li-ra commented 3 years ago

any progress?

anoniz commented 2 weeks ago

any progress? did this issue get solved?

reetp commented 2 weeks ago

> any progress? did this issue get solved?

This is a way old issue but I don't think there is an easy solution short of some sort of massive processing either on the client or on the server.

Please note there are a plethora of issues related to file uploads and file types.

This has some interesting comments on mime type detection for instance:

https://github.com/RocketChat/Rocket.Chat/issues/31906