bigbluebutton / greenlight

A really simple end-user interface for your BigBlueButton server.
GNU Lesser General Public License v3.0
789 stars 3.8k forks

fixed avatar eicar check #5779

Closed SilentFlameCR closed 4 months ago

SilentFlameCR commented 4 months ago

setAvatar now sends original_avatar and the edited avatar for the clamav check. Scanning for viruses is fixed for the avatar.

sonarcloud[bot] commented 4 months ago

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
0.0% Duplication on New Code


defnull commented 4 months ago

The avatar that is actually stored and later displayed to visitors is not scanned? I can simply send a normal image as user[original_avatar] and a malicious one as user[avatar] to bypass the clamav check.

farhatahmad commented 4 months ago

It's still scanned in the user.rb file as a backup.

https://github.com/bigbluebutton/greenlight/blob/3f64bef1c4e67a68f19e01cf6dbf90c81d3f9039/app/models/user.rb#L221-L229
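
The bypass defnull describes above (clean `user[original_avatar]`, malicious `user[avatar]`) and the model-level backstop farhatahmad points to, as an added Ruby illustration that is not Greenlight's code: the scanner is a stand-in that only recognises the public EICAR test string instead of calling ClamAV, the `controller_precheck` / `model_validate` / `set_avatar` helpers and the `Upload` / `User` structs are hypothetical, and the request hashes and "image" bytes are constructed sample input.

```ruby
# Added illustration (not Greenlight's code): a virus scan must run on the
# bytes that are actually stored, not on a sibling request parameter.
#
# Assumptions (hypothetical, not from the project):
#   - clean? is a stand-in for a ClamAV call that only recognises the public
#     EICAR test string;
#   - params is a plain Hash shaped like user[original_avatar] / user[avatar];
#   - Upload / User are minimal structs standing in for the real objects.

# The EICAR test string is the standard harmless antivirus test sample.
EICAR = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'.freeze

# Stand-in scanner: true when the bytes do not contain the EICAR string.
def clean?(bytes)
  !bytes.include?(EICAR)
end

# Minimal stand-ins for an uploaded file and the stored user record.
Upload = Struct.new(:filename, :bytes)
User   = Struct.new(:avatar)

# Controller-side check as described in the thread: the request carries two
# files, original_avatar and avatar (the edited result). This check scans
# original_avatar, but the file that is attached and later served is avatar,
# so a client can send a clean original and a malicious edited file.
def controller_precheck(params)
  original = params.fetch(:user).fetch(:original_avatar)
  raise ArgumentError, 'original_avatar failed virus scan' unless clean?(original.bytes)
  true
end

# Model-side validation (the "backup"): scans the blob that is actually
# stored. Returns an array of error messages, empty when the record is valid.
def model_validate(user)
  errors = []
  errors << 'avatar failed virus scan' unless clean?(user.avatar.bytes)
  errors
end

# Full flow: precheck for a friendly error message, attach, then validate.
# Returns where the upload was stopped, or :stored if it went through.
def set_avatar(params)
  begin
    controller_precheck(params)
  rescue ArgumentError
    return :rejected_by_controller
  end
  user = User.new(params[:user][:avatar])
  return :rejected_by_model unless model_validate(user).empty?
  :stored
end

# Constructed sample bytes; not a real image, just a PNG-looking prefix.
CLEAN_PNG = "\x89PNG\r\n\x1a\n...constructed sample...".b

# Constructed request matching the bypass: clean original, EICAR in avatar.
BYPASS_ATTEMPT = {
  user: {
    original_avatar: Upload.new('me.png', CLEAN_PNG),
    avatar:          Upload.new('me.png', CLEAN_PNG + EICAR),
  },
}

# Constructed request from an honest client: both files clean.
HONEST_REQUEST = {
  user: {
    original_avatar: Upload.new('me.png', CLEAN_PNG),
    avatar:          Upload.new('me.png', CLEAN_PNG),
  },
}

if $PROGRAM_NAME == __FILE__
  puts "bypass attempt -> #{set_avatar(BYPASS_ATTEMPT)}"  # rejected_by_model
  puts "honest request -> #{set_avatar(HONEST_REQUEST)}"  # stored
end
```

The controller check alone lets the bypass through (`controller_precheck` returns true for the crafted request); only the model validation, which scans the attached `avatar` bytes, rejects it. The precheck is still useful for producing a clear error message on upload, which is the conclusion the thread reaches.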

defnull commented 4 months ago

Ah, so this is just for generating a proper error message on upload, I see. Thanks for the explanation.