nextcloud / apps

🚚 This is an archive. Let us know if you want to take over maintainership of any of these apps

External sites - use of custom icons causes a security warning #20

Closed j-ed closed 5 years ago

j-ed commented 7 years ago

Affected apps

The external sites app

Expected behaviour

The external sites app shouldn't cause a security warning when custom icons have been copied to the ./apps/external/img directory and have been assigned to external site links. Additional icons in that directory should be excluded from the security check or the app should be extended to load icons from a different location which is not checked by the security function.

[Image: 2016-12-11 11_19_26-administration - nextcloud]

Actual behaviour

The external sites app causes a security warning when custom icons are copied to the ./apps/external/img directory and assigned to an external site link.

Steps to reproduce

  1. Copy a new icon file to the directory ./apps/external/img
  2. Open Administration -> Additional settings -> External sites
  3. Assign a new icon to an external site link.
  4. Install a new app etc. so that a complete security check is forced. (Unfortunately I don't know if it's possible to force a check from the command line.)
  5. A security warning is shown because an unknown file was found in the directory:

[Image: 2016-12-12 20_09_23-mozilla firefox]

Server configuration

Operating system: Linux 3.2.82
Web server: Apache2 2.4.23
Database: MariaDB 5.5.53
PHP version: 5.6.23
Nextcloud version: 10.0.2

Client configuration

Browser: Firefox 50.0.2
Operating system: Windows 7

Logs

No errors have been logged
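
Added example, not part of the original report and not Nextcloud's own code: a simplified Python model of a manifest-based integrity check, showing why an icon copied into a signed app's directory is reported as an extra file. It assumes the app ships a path-to-SHA-512 hash list in appinfo/signature.json and leaves out verification of the manifest's signature; the app tree and file contents are constructed for the demo.

```python
import hashlib
import json
import tempfile
from pathlib import Path

MANIFEST = "appinfo/signature.json"  # hash list shipped with the signed app


def hash_tree(app_dir: Path) -> dict:
    """Map every file under app_dir (except the manifest) to its SHA-512."""
    files = (p for p in app_dir.rglob("*") if p.is_file())
    names = {p.relative_to(app_dir).as_posix(): p for p in files}
    return {n: hashlib.sha512(p.read_bytes()).hexdigest()
            for n, p in names.items() if n != MANIFEST}


def check_app(app_dir: Path) -> dict:
    """Compare the files on disk with the manifest and classify differences."""
    expected = json.loads((app_dir / MANIFEST).read_text())["hashes"]
    on_disk = hash_tree(app_dir)
    result = {"EXTRA_FILE": [], "FILE_MISSING": [], "INVALID_HASH": []}
    for name, digest in sorted(on_disk.items()):
        if name not in expected:
            result["EXTRA_FILE"].append(name)      # on disk, never signed
        elif expected[name] != digest:
            result["INVALID_HASH"].append(name)    # signed, but modified
    result["FILE_MISSING"] = sorted(set(expected) - set(on_disk))
    return result


def demo() -> dict:
    """Build a constructed app tree, record its hashes, then add an icon."""
    with tempfile.TemporaryDirectory() as tmp:
        app = Path(tmp) / "external"
        (app / "img").mkdir(parents=True)
        (app / "appinfo").mkdir()
        (app / "img" / "external.svg").write_text("<svg/>")  # shipped icon
        (app / "appinfo" / "info.xml").write_text("<info/>")
        (app / MANIFEST).write_text(json.dumps({"hashes": hash_tree(app)}))
        # Step 1 of the report: copy an unlisted icon into img/
        (app / "img" / "my-site.png").write_bytes(b"\x89PNG constructed")
        return check_app(app)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

On a real server the same kind of check can be started from the command line with `occ integrity:check-app external`.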

j-ed commented 7 years ago

A possible solution would be to allow choosing an image from a location outside the official directory tree and storing it in the database, similar to how it is done for contact pictures and avatars.

moretocome commented 7 years ago

Same issue.

Server configuration:
Operating system: Raspbian 8/4.4.38-v7+ armv7l (32 bit)
Web server: nginx/1.10.2
Database: MariaDB 10.0.29
PHP version: 7.0.15-1
Nextcloud version: 11.0.1

Client configuration:
Browser: Firefox 51.0.1
Operating system: Linux Mint 18.1

juliusstoerrle commented 6 years ago

This was solved by https://github.com/nextcloud/external/pull/46 as this is the duplicate of https://github.com/nextcloud/external/issues/5

jancborchardt commented 5 years ago

Closing as per @juliusstoerrle’s comment.