16817: bypassing file upload restrictions - LimeSurvey bugs and feature requests

This bug affects 1 person(s).

258

ID	Project	Category	View Status	Date Submitted	Last Update

16817	Bug reports	Security	public	2020-11-04 14:52	2020-11-16 09:28

Reporter	Abdulrahman Ahmad Al Bataineh	Assigned To	ollehar
Priority	none	Severity	minor
Status	closed	Resolution	fixed

Summary	16817: bypassing file upload restrictions
Description	bypassing file upload restrictions must check the mimetype before upload file
Tags	No tags attached.
Attached Files	tempsnip.png (263,162 bytes)

Bug heat	258
Complete LimeSurvey version number (& build)	3.22.21+200622
I will donate to the project if issue is resolved	No
Browser
Database type & version	any
Server OS (if known)
Webserver software & version (if known)
PHP Version	7.1

User List	There are no users monitoring this issue.

ollehar 2020-11-05 13:02 administrator ~60559	Please update to the latest version and try again. Thank you.

DenisChenu 2020-11-05 15:28 developer ~60566	@ollehar : i think we can merge it, i really think we must merge it https://github.com/LimeSurvey/LimeSurvey/pull/1638/files

ollehar 2020-11-05 15:29 administrator ~60567	PR looks good, but not needed, since it's not possible to rename file extensions.

guest 2020-11-10 10:46 viewer ~60600	Fix committed to master branch: http://bugs.limesurvey.org/plugin.php?page=Source/view&id=30712

lime_release_bot 2020-11-16 09:28 administrator ~60644	Fixed in Release 4.3.27+201116

LimeSurvey: master c8becd05 2020-11-10 11:42 Abdulrahman Ahmad Al Bataineh Committer: GitHub Details Diff	Fixed issue 16817: Missing MIME type check on survey import (#1638) * fix bypassing-file-upload-restrictions in import survey * using LSFileHelper to check mimetype & remove 'application/octet-stream' * add 'application/xml','application/zip','text/xml' to allow list mime types Co-authored-by: a.albatayinah@psau.edu.sa <a.albatayinah@psau.edu.sa>		Affected Issues 16817
	mod - application/controllers/admin/surveyadmin.php		Diff File

Date Modified	Username	Field	Change
2020-11-04 14:52	Abdulrahman Ahmad Al Bataineh	New Issue
2020-11-04 14:52	Abdulrahman Ahmad Al Bataineh	File Added: tempsnip.png
2020-11-05 13:02	ollehar	Note Added: 60559
2020-11-05 13:03	ollehar	Assigned To	=> ollehar
2020-11-05 13:03	ollehar	Status	new => feedback
2020-11-05 15:28	DenisChenu	Note Added: 60566
2020-11-05 15:29	ollehar	Note Added: 60567
2020-11-10 10:46	Abdulrahman Ahmad Al Bataineh	Changeset attached	=> LimeSurvey master c8becd05
2020-11-10 10:46	guest	Note Added: 60600
2020-11-16 09:28	lime_release_bot	Note Added: 60644
2020-11-16 09:28	lime_release_bot	Status	feedback => closed
2020-11-16 09:28	lime_release_bot	Resolution	open => fixed