tracker issue : CF-4130274

Title:

FileGetMimeType()'s strict does not agree with fileupload()'s strict


Status/Resolution/Reason: Closed/Fixed/

Reporter/Name(from Bugbase): Henry Ho / Henry Ho (Henry Ho)

Created: 03/18/2016

Components: Security

Versions: 10.0

Failure Type:

Found In Build/Fixed In Build: Final /

Priority/Frequency: Normal / All users will encounter

Locale/System: English / Win All

Vote Count: 1

Problem Description:

FileGetMimeType() with the default strict = true cannot tell that a fake jpeg is really an executable.


Steps to Reproduce:

Rename any exe file (e.g. 7z.exe from 7zip or gm.exe from GraphicsMagick) to fake.jpg

Call FileGetMimeType('fake.jpg'). By contrast, fileupload() with strict=true identifies the file correctly as "application/octet-stream".

Actual Result:

"image/jpg"

Expected Result:

"application/ms-download" before it's renamed, or better yet "application/octet-stream"

Any Workarounds:

For images: IsImageFile() seems more reliable
For the rest, you cannot count on this broken function!
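The failure mode in the report above, as an added example that is not part of the bug report and not ColdFusion code: a stand-alone Python script (chosen so it runs without a ColdFusion server) builds a constructed file body named fake.jpg that carries a minimal MZ/PE header, then compares an extension-only lookup (Python's mimetypes module, which reproduces the CF10 behaviour, though it spells the type "image/jpeg" rather than the report's "image/jpg") against a magic-byte sniff that inspects the bytes instead of the name. The helpers build_fake_pe, sniff_mime, extension_mime, classify_bytes and is_allowed_image are this example's own names, not APIs of ColdFusion or of any library.

```python
"""Added example (not from the bug report or from ColdFusion): why an
extension-based MIME lookup accepts a renamed executable while a
content-based check rejects it."""
import mimetypes
import os
import struct
import tempfile

JPEG_SOI = b"\xff\xd8\xff"   # JPEG start-of-image marker


def build_fake_pe() -> bytes:
    """Constructed sample: a minimal DOS/PE image header (MZ stub whose
    e_lfanew points at a 'PE\\0\\0' signature). Enough to be recognised as a
    Windows executable; it is not a runnable program."""
    dos_header = bytearray(64)
    dos_header[0:2] = b"MZ"
    struct.pack_into("<I", dos_header, 0x3C, 64)          # e_lfanew -> offset 64
    pe_header = b"PE\0\0" + struct.pack("<H", 0x014C)     # IMAGE_FILE_MACHINE_I386
    return bytes(dos_header) + pe_header + b"\0" * 16


def extension_mime(name: str) -> str:
    """Extension-only lookup: the behaviour the CF10 report describes.
    The bytes are never examined, so 'fake.jpg' is always an image."""
    guessed, _ = mimetypes.guess_type(name)
    return guessed or "application/octet-stream"


def sniff_mime(data: bytes) -> str:
    """Content-based detection from magic bytes (hypothetical helper that
    knows only JPEG and MZ/PE; a real deployment would use libmagic)."""
    if data.startswith(JPEG_SOI):
        return "image/jpeg"
    if data[:2] == b"MZ" and len(data) >= 0x40:
        pe_off = struct.unpack_from("<I", data, 0x3C)[0]
        # Slicing past the end yields a short string, so an absurd e_lfanew
        # simply fails the PE comparison instead of raising.
        if data[pe_off:pe_off + 4] == b"PE\0\0":
            return "application/x-msdownload"
        return "application/x-dosexec"
    return "application/octet-stream"


def classify_bytes(name: str, data: bytes) -> dict:
    """Both verdicts side by side for one upload (name + first 512 bytes)."""
    return {"by_extension": extension_mime(name),
            "by_content": sniff_mime(data[:512])}


def classify(path: str) -> dict:
    with open(path, "rb") as f:
        return classify_bytes(os.path.basename(path), f.read(512))


def is_allowed_image(name: str, data: bytes) -> bool:
    """Upload gate that trusts only the content sniff, never the extension."""
    return classify_bytes(name, data)["by_content"].startswith("image/")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        fake = os.path.join(d, "fake.jpg")
        with open(fake, "wb") as f:
            f.write(build_fake_pe())
        print(classify(fake))
        print("allowed as image:", is_allowed_image("fake.jpg", build_fake_pe()))
```

The "application/x-msdownload" verdict from the sniffer is the same family of answer the CF11/2016 comment below reports, which is what a content-aware strict mode should produce; the two-signature sniffer is deliberately small, and the point is that the upload gate consults it rather than the filename.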

----------------------------- Additional Watson Details -----------------------------

Watson Bug ID:	4130274

External Customer Info:
External Company:  
External Customer Name: Henry Ho
External Customer Email:  
External Test Config: My Hardware and Environment details:

Attachments:

Comments:

Verified the bug: On CF10, it displays "image/jpg". On CF11/2016 it displays "application/x-msdownload; format=pe32"
Comment by S P.
3264 | March 21, 2016 03:57:34 AM GMT
I'm glad to hear that this isn't an issue in CF11+. However, for those who may be forced to stick with CF10 (due to either financial or administrative limitations), this should be addressed. Even if 100% of CF10 developers/admins were made aware of this bug, there is too much of a chance that someone could count on this being a secure way to validate files, thus allowing easier ways for malicious actors to upload undesired payloads.
Vote by External U.
3265 | June 03, 2016 07:55:50 AM GMT