https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=27286

David Nind <[email protected]> changed:

           What                    |Removed |Added
-----------------------------------|--------|------
 Attachment #189978 is obsolete    |0       |1

--- Comment #5 from David Nind <[email protected]> ---
Created attachment 190027 -->
https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=190027&action=edit
Bug 27286: Patron picture-upload.pl allows arbitrary file extension during
upload

This patch introduces strict validation for filenames in the patron
image upload tool. It addresses VAPT security concerns regarding
"double extension" attacks (e.g., image.php.jpg or archive.php.zip).

The patch ensures that:
1. Filenames containing more than one period are rejected.
2. Only strictly allowed extensions (zip, png, gif, jpg, jpeg, xpm) are
accepted.

Test Plan:

1. Pre-patch check:
   a. Go to Tools -> Upload patron images.
   b. Rename an image file to 'test.php.jpg'.
   c. Upload this file.
   d. Observe that the upload is accepted, but the filename itself is not
      flagged as invalid.
   e. Create a valid file named 'test.php.zip' (with valid content).
   f. Upload this file.
   g. Result: The upload proceeds.

2. Apply the patch.

3. Verify rejection (images):
   a. Go to Tools -> Upload patron images.
   b. Attempt to upload 'test.php.jpg'.
   c. Result: The tool stops immediately with a "BADFILENAME" error message.
   d. Attempt to upload 'test.v1.jpg' (valid image, extra dot).
   e. Result: The tool stops immediately with a "BADFILENAME" error message.

4. Verify rejection (zip):
   a. Attempt to upload 'archive.php.zip'.
   b. Result: The tool stops immediately with a "BADFILENAME" error message.

5. Verify valid upload:
   a. Attempt to upload 'patron.jpg' (standard valid file).
   b. Result: Upload succeeds.
   c. Attempt to upload 'patrons.zip' (standard valid zip).
   d. Result: Upload succeeds and files are unpacked.

6. Sign-off.

Signed-off-by: David Nind <[email protected]>
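The two rules in the commit message (at most one period in the filename, extension from a fixed allow list), written out as a stand-alone validator in Perl, Koha's own language. This is an added example, not the patch's code: `check_filename`, the lowercasing of the extension, and the extra rejection of path separators and NUL bytes are assumptions here; the commit message does not say how the patch treats upper-case extensions or where it expects the filename to have been sanitised. The inputs are the ones named in the test plan plus a few constructed edge cases.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Allow list taken from the commit message. Everything else is rejected,
# so 'php', 'phtml', 'html', 'svg' and so on never get a chance to land
# on disk under the upload directory.
my %ALLOWED_EXT = map { $_ => 1 } qw(zip png gif jpg jpeg xpm);

# Returns 'OK' or 'BADFILENAME' (the error code used in the test plan).
# Hypothetical helper; not Koha's own sub.
sub check_filename {
    my ($name) = @_;

    # Assumption: only a bare filename is acceptable. Anything carrying a
    # path separator or a NUL byte is rejected outright rather than being
    # cleaned up, so a client cannot steer the file out of the upload
    # directory or truncate the name in a C-level call.
    return 'BADFILENAME' if !defined $name || $name eq '';
    return 'BADFILENAME' if $name =~ m{[/\\\0]};

    # Rule 1: more than one period is a "double extension" (image.php.jpg).
    # Exactly one period is required, so 'noext' and 'a.b.c' both fail.
    my $dots = () = $name =~ /\./g;
    return 'BADFILENAME' if $dots != 1;

    # Rule 2: the part after the single period must be in the allow list.
    # The base name must be non-empty, which also rejects '.jpg'.
    # Case-insensitive matching is an assumption, not stated by the patch.
    my ($ext) = $name =~ /\A[^.]+\.([^.]+)\z/
        or return 'BADFILENAME';
    return 'BADFILENAME' unless $ALLOWED_EXT{ lc $ext };

    return 'OK';
}

# Cases from the test plan, plus constructed edge cases (not from the bug).
my @cases = (
    [ 'patron.jpg',      'OK'          ],
    [ 'patrons.zip',     'OK'          ],
    [ 'Patron.JPG',      'OK'          ],   # accepted only because of lc()
    [ 'test.php.jpg',    'BADFILENAME' ],   # double extension
    [ 'test.v1.jpg',     'BADFILENAME' ],   # harmless extra dot, still rejected
    [ 'archive.php.zip', 'BADFILENAME' ],
    [ 'shell.php',       'BADFILENAME' ],   # extension not in allow list
    [ 'noext',           'BADFILENAME' ],   # no extension at all
    [ '.jpg',            'BADFILENAME' ],   # empty base name
    [ "x.jpg\0.php",     'BADFILENAME' ],   # NUL-byte truncation trick
    [ '../x.jpg',        'BADFILENAME' ],   # path traversal attempt
);

for my $c (@cases) {
    my ($name, $want) = @$c;
    my $got = check_filename($name);
    printf "%-20s %-12s %s\n",
        $name =~ s/\0/\\0/gr, $got, ($got eq $want ? 'ok' : 'MISMATCH');
}
```

The filename rule is a necessary control but says nothing about the bytes in the file: a file named `patron.jpg` can still contain PHP or HTML, so on a deployment where the upload directory is served by a web server a content check (magic bytes or an image decode) and a non-executable storage location remain worth confirming. For the zip path, the member names inside the archive need the same rule applied before extraction; whether the patch does that is not visible from this comment.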

_______________________________________________
Koha-bugs mailing list
[email protected]
https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/