When I use Laravel-Stapler without validation, a malicious file can be uploaded to the public directory or storage.
An error (Symfony Component Exception) is displayed on the screen, but when I check my storage, the malicious file exists.
I think the cause of this problem is that the file MIME type is not confirmed.
Because a similar problem happened in an earlier version of "paperclip", I added a postscript with a link which seemed to serve as a reference.
I don't think this is an issue with this plugin; it's really an issue with the end user's application that they use this plugin in. Paperclip also provides MIME type validation, Stapler doesn't. The only thing this plugin verifies is that the uploaded file isn't spoofed, and that validation is done via the Symfony UploadedFile object. Aside from that, it's entirely the responsibility of the end user to verify the MIME types of their files as needed by the constraints of their specific application.
Just FYI:
・Paperclip Security Release
https://robots.thoughtbot.com/paperclip-security-release
・Fix a possible security issue with spoofing
thoughtbot/paperclip@9aee411
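The application-side MIME check the maintainer says is the end user's job, as an added example (not code from this issue or from Laravel-Stapler); the controller, the `avatar` field name and the Stapler attachment on the user model are assumptions:

```php
<?php
// Added example, not part of the Laravel-Stapler issue or the plugin's code.
// The application validates the upload's MIME type itself before the file is
// handed to Stapler, which only checks that the file is not spoofed.
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Validator;

class AvatarController extends Controller
{
    // Hypothetical route handler; the form field name 'avatar' is assumed.
    public function store(Request $request)
    {
        $validator = Validator::make($request->all(), [
            // 'mimetypes' compares against the type sniffed from the file's
            // content (Symfony's MIME guesser on top of fileinfo), not the
            // client-supplied Content-Type header or the filename extension.
            'avatar' => 'required|file|mimetypes:image/jpeg,image/png|max:2048',
        ]);

        if ($validator->fails()) {
            // Reject before anything is written under public/ or storage/.
            return redirect()->back()->withErrors($validator)->withInput();
        }

        // Only the validated UploadedFile reaches the Stapler-backed model
        // (assumes the model declares hasAttachedFile('avatar')).
        $user = $request->user();
        $user->avatar = $request->file('avatar');
        $user->save();

        return redirect()->back();
    }
}
```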