This is not a bug in Symfony. Being smart with files and never, ever
blindly trusting file extensions uploaded by end users (!!!) is up to
the developer.

However, it would indeed be very straightforward to block as you
suggest, so dropping a .htaccess to that effect in the web/uploads
folder of a newly generated project might be a good idea. Just as the
Propel and Doctrine ORMs make it naturally difficult to goof and
execute user input as SQL code, such a .htaccess file would make
things a little safer "out of the box" for file upload management.

As for Diem, you logged in as an admin who should presumably have all
privileges, so I think you should check and make sure this is really
permitted for an "ordinary" Diem user before you rush to the
conclusion that it is a security hole in Diem.

(Our Apostrophe CMS does limit what can be uploaded. But Apostrophe
has seen a lot of deployment in environments with many users where
that sort of caution is warranted.)

On Sat, Jan 30, 2010 at 11:08 AM, Éric Rogé <[email protected]> wrote:
> THE ISSUE
>
> When a user uploads a file in a form, Symfony stores it by default in
> the "web/uploads" directory, and the files in that directory can be
> reached by any user.
>
> Imagine: a hacker succeeds in uploading a file named attack.php that
> contains this line:
>
> <?php echo file_get_contents('../../config/databases.yml'); ?>
>
> See what I mean? Ouch.
>
> What does the hacker need? Just a form that doesn't check the uploaded
> files' extensions well enough.
>
>
> How the hell could it happen? In at least 3 ways:
>
> 1/ The developer doesn't know his job or has been lazy: Checking file
> types? Why? How?
>
> 2/ The developer wanted to build a flexible app
>
> A job application: users have to upload their CV. Which extensions
> should I accept in this form? Hmmm, PDF for sure. And Word files. And
> Pages. And OpenOffice and RTF and... Come on! Let's just say that
> all files are welcome as long as they aren't too big!
>
> 3/ Trickier one: PHP is turned on for unusual file extensions
>
> A MySpace-like service lets users upload their own CSS for their
> private space.
> A few weeks later, PHP is turned on for CSS files to add a brand new cool
> feature. Great, now the hacker just has to upload an attack.css file
> with PHP in it...
>
>
> REAL LIFE SAMPLE
>
> I'm afraid that this kind of form is very easy to find.
> The first I've found: the Diem project
>
> Go to the admin
> http://demo.diem-project.org/admin.php/content/site/sites-using-diem/new
> (use "admin" as login and password)
>
> In the thumbnail field, you can upload any PHP file; it will be
> published online....
>
>
> FIX PROPOSAL
>
> PHP should definitely be disabled by default in the uploads
> directory:
>
> <Directory "/path/to/my/sfProject/web/uploads">
>  php_flag engine off
> </Directory>
>
> The fix could be released as a .htaccess added to the uploads directory. I
> think it should be the easiest way for many symfony users.
>
> --
> You received this message because you are subscribed to the Google Groups 
> "symfony developers" group.
> To post to this group, send email to [email protected].
> To unsubscribe from this group, send email to 
> [email protected].
> For more options, visit this group at 
> http://groups.google.com/group/symfony-devs?hl=en.
>
>



-- 
Tom Boutell
P'unk Avenue
215 755 1330
punkave.com
window.punkave.com
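Putting the two halves of this thread together (validating an upload by its content in the application, and dropping a .htaccess into web/uploads so the web server never executes what lands there), here is an added example. It is not code from this thread, from Symfony, Diem or Apostrophe; the function and constant names, the whitelist and the sample bytes are this example's own.

```php
<?php
// Added example, not code from this thread or from Symfony/Diem/Apostrophe:
// accept an upload on the basis of its bytes and a server-side whitelist,
// store it under a generated name, and pair that with a .htaccess that stops
// the web server from executing anything in web/uploads. All function and
// constant names here are this example's own.

declare(strict_types=1);

// Server-side whitelist: allowed extension => MIME type(s) libmagic must report.
const ALLOWED_TYPES = [
    'pdf'  => ['application/pdf'],
    'png'  => ['image/png'],
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'rtf'  => ['text/rtf', 'application/rtf'],
];

/**
 * Returns the extension the file may be stored under, or null to reject it.
 * $clientName is the browser-supplied name; $tmpPath is the uploaded temp file.
 */
function validateUpload(string $clientName, string $tmpPath, int $maxBytes = 5000000): ?string
{
    if (!is_file($tmpPath) || filesize($tmpPath) > $maxBytes) {
        return null;
    }
    // Only the last extension counts, lower-cased. "cv.php.pdf" yields "pdf";
    // that is harmless because the bytes are checked next and the stored name
    // is generated below, so neither "php" nor the client's name survives.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!isset(ALLOWED_TYPES[$ext])) {
        return null;
    }
    // Sniff the content. $_FILES[...]['type'] is sent by the client and is
    // worth nothing; libmagic looks at the actual bytes.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $detected = $finfo->file($tmpPath);
    if ($detected === false || !in_array($detected, ALLOWED_TYPES[$ext], true)) {
        return null;
    }
    return $ext;
}

/** Moves an accepted upload into $uploadDir under a random name; returns the new path or null. */
function storeUpload(string $clientName, string $tmpPath, string $uploadDir): ?string
{
    $ext = validateUpload($clientName, $tmpPath);
    if ($ext === null) {
        return null;
    }
    $target = rtrim($uploadDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    // In a request handler use move_uploaded_file(), which also verifies the
    // source really came from the current upload; rename() is used here so the
    // function works on files created outside a request, as in the sample below.
    if (!rename($tmpPath, $target)) {
        return null;
    }
    chmod($target, 0644); // readable, never executable
    return $target;
}

/**
 * Defence in depth for web/uploads, to be written as .htaccess. "php_flag engine off"
 * is the thread's own proposal; it needs mod_php and AllowOverride Options. The
 * FilesMatch block (Apache 2.4 syntax, needs AllowOverride AuthConfig) refuses to
 * serve PHP files at all, which also covers setups such as PHP-FPM where php_flag
 * has no effect.
 */
function uploadsHtaccess(): string
{
    return <<<'HTACCESS'
php_flag engine off
Options -ExecCGI -Indexes
<FilesMatch "(?i)\.(php|phtml|phar)$">
    Require all denied
</FilesMatch>
HTACCESS;
}

// Constructed sample, not a real upload: the same client name "cv.pdf" first with
// PHP bytes (must be refused, whatever the extension says), then with PDF bytes.
$tmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp, "<?php echo 'not a pdf'; ?>");
$phpAccepted = validateUpload('cv.pdf', $tmp) !== null;
file_put_contents($tmp, "%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n");
$pdfAccepted = validateUpload('cv.pdf', $tmp) !== null;
unlink($tmp);
printf("php bytes accepted: %s, pdf bytes accepted: %s\n",
    var_export($phpAccepted, true), var_export($pdfAccepted, true));
```

The .htaccess text comes from uploadsHtaccess(); write it once into web/uploads/.htaccess (for instance with file_put_contents) and check that the vhost's AllowOverride permits both Options and AuthConfig, otherwise Apache silently ignores it. The point of scenario 3 in the thread (PHP later enabled for .css) is exactly why the application-side check and the server-side deny are kept independent: either one failing should still leave the other standing.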

