https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=27286
--- Comment #4 from Saiful Amin <[email protected]> ---
Created attachment 189978
  --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=189978&action=edit
Bug 27286: Patron picture-upload.pl allows arbitrary file extension during upload

This patch introduces strict validation for filenames in the patron image upload tool. It addresses VAPT security concerns regarding "double extension" attacks (e.g., image.php.jpg or archive.php.zip).

The patch ensures that:
1. Filenames containing more than one period are rejected.
2. Only strictly allowed extensions (zip, png, gif, jpg, jpeg, xpm) are accepted.

Test Plan:
1. Pre-patch check:
   a. Go to Tools -> Upload patron images.
   b. Rename an image file to 'test.php.jpg'.
   c. Upload this file.
   d. Observe that the upload is accepted, but the filename itself is not flagged as invalid.
   e. Create a valid file named 'test.php.zip' (with valid content).
   f. Upload this file.
   g. Result: The upload proceeds.
2. Apply the patch.
3. Verify rejection (images):
   a. Go to Tools -> Upload patron images.
   b. Attempt to upload 'test.php.jpg'.
   c. Result: The tool stops immediately with a "BADFILENAME" error message.
   d. Attempt to upload 'test.v1.jpg' (valid image, extra dot).
   e. Result: The tool stops immediately with a "BADFILENAME" error message.
4. Verify rejection (zip):
   a. Attempt to upload 'archive.php.zip'.
   b. Result: The tool stops immediately with a "BADFILENAME" error message.
5. Verify valid upload:
   a. Attempt to upload 'patron.jpg' (standard valid file).
   b. Result: Upload succeeds.
   c. Attempt to upload 'patrons.zip' (standard valid zip).
   d. Result: Upload succeeds and files are unpacked.
6. Sign-off.

-- 
You are receiving this mail because:
You are watching all bug changes.
_______________________________________________
Koha-bugs mailing list
[email protected]
https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
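The filename rule the comment describes (exactly one period, extension from the fixed allow-list), written out as an added Perl example; this is not the attached patch's code, and the helper name, the directory-component stripping and the case-insensitive extension comparison are assumptions of this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Allowed extensions exactly as listed in the patch description.
my %ALLOWED_EXT = map { $_ => 1 } qw(zip png gif jpg jpeg xpm);

# Returns undef when the filename is acceptable, otherwise the string
# 'BADFILENAME' (the error the test plan expects the tool to raise).
sub validate_upload_filename {
    my ($filename) = @_;
    return 'BADFILENAME' unless defined $filename && length $filename;

    # Assumption: drop any directory part a client may send ("C:\x\y.jpg").
    $filename =~ s{^.*[\\/]}{};

    # Count periods: "name.ext" must contain exactly one, so double
    # extensions such as test.php.jpg and test.v1.jpg are both rejected.
    my $dots = () = $filename =~ /\./g;
    return 'BADFILENAME' if $dots != 1;

    my ($base, $ext) = split /\./, $filename, 2;
    # Reject an empty base (".htaccess") or an empty extension ("patron.").
    return 'BADFILENAME' unless length $base && length $ext;

    # Assumption: compare case-insensitively so PATRON.JPG is accepted.
    return 'BADFILENAME' unless $ALLOWED_EXT{ lc $ext };
    return undef;
}

# Constructed cases: the names from the test plan plus a few edge cases.
my @cases = (
    'test.php.jpg', 'archive.php.zip', 'test.v1.jpg',   # rejected
    'patron.jpg', 'patrons.zip', 'PATRON.JPG',          # accepted
    'patron', '.htaccess', 'patron.', 'report.pdf',      # rejected
    'C:\\Users\\me\\patron.jpg',                        # accepted
);
for my $name (@cases) {
    my $result = validate_upload_filename($name);
    printf "%-26s -> %s\n", $name, defined $result ? $result : 'OK';
}
```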
