file extension checks needed for polyglot files #9

Closed
thejh opened this Issue Dec 18, 2014 · 6 comments

@thejh
thejh commented Dec 18, 2014

Circlean bypass for zipfiles:

dd if=img.png bs=8 count=1 of=stealth.zip
cat a.zip>>stealth.zip

Works for PDF, too:

dd if=img.png bs=8 count=1 of=stealth.pdf
echo>>stealth.pdf
cat<out.pdf>>stealth.pdf

You might want to start whitelisting file extensions and checking that file extension and detected MIME type match.

@Rafiot
Member
Rafiot commented Dec 18, 2014

Good point, thanks for the hint.

I will look for a somehow generic way to match the mimetypes with the extensions. We will have a problem with some specific types that have many different extensions for the same mime type.

@Rafiot
Member
Rafiot commented Dec 19, 2014

I will implement the fix with the information provided here:
https://svn.apache.org/repos/asf/httpd/httpd/trunk/docs/conf/mime.types
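
Added example, not part of the thread and not PyCIRCLean's code: a sketch of the suggested check, parsing the Apache `mime.types` format into a type-to-extensions table (so one type may carry several extensions) and rejecting files whose extension is not listed for the detected type. The `mime.types` excerpt, the signature table standing in for a libmagic-style detector, and all function names are assumptions constructed for illustration.

```python
import os

# Constructed excerpt in the Apache mime.types format: "<type> <ext> <ext> ..."
MIME_TYPES_SAMPLE = """\
# comment lines start with '#'
application/pdf    pdf
application/zip    zip
image/jpeg         jpeg jpg jpe
image/png          png
"""

# Stand-in for a libmagic lookup: leading-byte signatures only.
SIGNATURES = [
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"%PDF-", "application/pdf"),
    (b"PK\x03\x04", "application/zip"),
    (b"\xff\xd8\xff", "image/jpeg"),
]

def parse_mime_types(text):
    """Return {mime_type: set(extensions)} from mime.types-formatted text."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        mime, *exts = line.split()
        table.setdefault(mime, set()).update(e.lower() for e in exts)
    return table

def sniff(data):
    """Detect a MIME type from the first bytes; None if unknown."""
    return next((m for sig, m in SIGNATURES if data.startswith(sig)), None)

def check(filename, data, table):
    """Return (ok, detail); ok only if the extension is listed for the detected type."""
    ext = os.path.splitext(filename)[1].lstrip(".").lower()
    mime = sniff(data)
    if mime is None:
        return False, "unknown content type"
    if ext not in table.get(mime, set()):
        return False, f"extension '{ext}' not allowed for {mime}"
    return True, mime

TABLE = parse_mime_types(MIME_TYPES_SAMPLE)
# Constructed sample mirroring the report: 8 PNG bytes, then ZIP data.
STEALTH_ZIP = b"\x89PNG\r\n\x1a\n" + b"PK\x03\x04" + b"\x00" * 26
```

This only compares the file name against the leading signature; a file whose extension agrees with its first bytes still passes, so it narrows the polyglot problem rather than removing it.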

@adulau
Member
adulau commented May 18, 2015

The new version of the code PyCIRCLean (standalone Python code) fixed this security bug:

CIRCL/PyCIRCLean@ac372dc

So this code will limit the issue of the polyglot files. Tests and feedback more than welcome.

@Rafiot
Member
Rafiot commented May 27, 2015

This bug is now completely fixed by this commit: CIRCL/PyCIRCLean@420e87c

@Rafiot Rafiot closed this May 27, 2015
@Rafiot
Member
Rafiot commented May 27, 2015

and this one that removed the buggy code: def6c26

@Rafiot Rafiot added the TCODE-1 label Jun 17, 2015
@Rafiot
Member
Rafiot commented Jun 17, 2015

#24