file extension checks needed for polyglot files #9

Closed
thejh opened this Issue Dec 18, 2014 · 6 comments

thejh commented Dec 18, 2014

Circlean bypass for zipfiles:

dd if=img.png bs=8 count=1 of=stealth.zip
cat a.zip>>stealth.zip

Works for PDF, too:

dd if=img.png bs=8 count=1 of=stealth.pdf
echo>>stealth.pdf
cat<out.pdf>>stealth.pdf

You might want to start whitelisting file extensions and checking that file extension and detected MIME type match.

Member

Rafiot commented Dec 18, 2014

Good point, thanks for the hint.

I will look for a somehow generic way to match the mimetypes with the extensions. We will have a problem with some specific types that have many different extensions for the same mime type.

Member

Rafiot commented Dec 19, 2014

I will implement the fix with the information provided here:
https://svn.apache.org/repos/asf/httpd/httpd/trunk/docs/conf/mime.types
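
The check discussed above (whitelist the extension, then require that the extension's MIME type equals the type detected from the content) as an added example; it is not part of the original thread and is not PyCIRCLean's code. Assumptions: `MIME_TYPES_SAMPLE` is a constructed table in the mime.types layout, `SIGNATURES` is a simplified stand-in for a libmagic-style detector that looks only at leading bytes, and all function names are hypothetical.

```python
import io
import os
import zipfile

# Constructed sample in the mime.types layout: MIME type, then its extensions.
MIME_TYPES_SAMPLE = """\
application/pdf    pdf
application/zip    zip
image/jpeg         jpeg jpg jpe
image/png          png
"""

# Assumption: simplified stand-in for a real detector (leading signature only).
SIGNATURES = [
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"%PDF-", "application/pdf"),
    (b"PK\x03\x04", "application/zip"),
    (b"\xff\xd8\xff", "image/jpeg"),
]

def load_extension_map(text):
    """Map every listed extension to its MIME type (several may share one)."""
    ext_to_mime = {}
    for line in text.splitlines():
        if line.strip():
            mime, *extensions = line.split()
            for ext in extensions:
                ext_to_mime[ext.lower()] = mime
    return ext_to_mime

def detect_mime(data):
    return next((m for sig, m in SIGNATURES if data.startswith(sig)), None)

def check_file(name, data, ext_to_mime):
    """Return (accepted, reason): extension must be listed and match the content."""
    ext = os.path.splitext(name)[1].lstrip(".").lower()
    expected = ext_to_mime.get(ext)
    if expected is None:
        return False, f"extension {ext!r} not whitelisted"
    detected = detect_mime(data)
    if detected != expected:
        return False, f"extension says {expected}, content says {detected}"
    return True, expected

def build_samples():
    """Constructed inputs: a plain zip, and the same zip behind 8 PNG header bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("a.txt", "hello")
    return buf.getvalue(), SIGNATURES[0][0] + buf.getvalue()
```

Keying the table by extension rather than by MIME type handles the case raised above where one type has several extensions: `jpeg`, `jpg` and `jpe` all resolve to `image/jpeg`.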


Member

adulau commented May 18, 2015

The new version of the code PyCIRCLean (standalone Python code) fixed this security bug:

CIRCL/PyCIRCLean@ac372dc

So this code will limit the issue of the polyglot files. Tests and feedback more than welcome.

Member

Rafiot commented May 27, 2015

This bug is now completely fixed by this commit: CIRCL/PyCIRCLean@420e87c

@Rafiot Rafiot closed this May 27, 2015

Member

Rafiot commented May 27, 2015

and this one that removed the buggy code: def6c26

@Rafiot Rafiot added the TCODE-1 label Jun 17, 2015

Member

Rafiot commented Jun 17, 2015

#24
