SniperSister
commented
7 years ago @zero24 can you take a look if all the fixes are included?
Open brianteeman opened 7 years ago
SniperSister
commented
7 years ago @zero24 can you take a look if all the fixes are included?
zero-24
commented
7 years ago @brianteeman I'm not sure what you mean.
In the commit linked above it is this file / method that was patched and is already patched in the framework package: https://github.com/joomla-projects/media-manager-improvement/blob/dev/libraries/vendor/joomla/filesystem/src/File.php#L51
And the filetype checks are also still intact: https://github.com/joomla-projects/media-manager-improvement/blob/dev/libraries/src/Helper/MediaHelper.php#L196
Can you please explain what kind of issue / changed code you see? Maybe I'm missing something as i was not involved in the original report back in 2013
brianteeman
commented
7 years ago all i was asking was for someone to make sure that the security issue was not inadvertently re-introduced. Not something I had the skill to do
laoneo
commented
6 years ago Where are we here? Can this issue being closed?
in j3 we had a security issue whereby simply checking for a . in a filename to locate the filetype was not enough as the code is different in j4 please can someone check that we are not reopening the vulnerability.
For reference the CVE is http://www.cvedetails.com/cve/cve-2013-5576
Probably @SniperSister or @mbabker can provide more info