Do not interfere with PDF files #31637
@Hlavtox milestone 8.1 but targeting develop? 🤔
The base branch was changed.
@matthieu-rolland @nicosomb Reapproval pls, I owe you a beer. @MatShir fixed :D
Hi! It can be tested by a dev indeed. Thanks @Hlavtox!
Warning!
This was introduced ON PURPOSE in a security fix GHSA-rc8c-v7rq-q392
So until we're sure this doesn't reopen a fixed security breach I prefer to block this. Besides, I don't see why it's such a big issue not to be able to open the PDF in the browser; I can understand it's "a bit" annoying, but in the face of security it's completely negligible.
@jolelievre OK, then this should only be put into the upload directory .htaccess, so we block user-uploaded PDFs, but not the ones in other folders. 👍
I don't understand how a server config is related to security. What if someone decides to use nginx or caddy to host PrestaShop? Does it mean the "security fix" does not work?
So if I understand well:
About PDFs uploaded in the BO:
If we don't trust a PDF uploaded by a merchant or an employee, why would we trust a PDF directly put onto the server?
About PDFs uploaded by a customer in the FO:
Solution proposal:
User untrusted file uploads
I was wondering the same thing. Does anyone know the answer?
Oh I missed this question: Well, by default PrestaShop provides htaccess configurations, for Apache. If one chooses not to use Apache but instead Nginx or Caddy, then he has to replicate those configurations himself. Our documentation provides a configuration example for Nginx: https://devdocs.prestashop-project.org/8/basics/installation/nginx/ you can see in the example that the
@hibatallahAouadni There is nothing to consult here, you can test it
I add the label Waiting for dev to follow this message #31637 (comment)
Hello, I tested this as of today. It's all good for me. I indeed encountered the same behavior in Chrome as described, but changing the name of the file did the trick. It's a go for me.
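The scoping discussed in this thread (keep the forced-download rule, but only for the directory that receives user uploads, and replicate it by hand on servers that ignore .htaccess) can be expressed as a per-directory Apache fragment. The following is an added example, not the project's own uploads/.htaccess and not the text of the security fix; the directive names are standard Apache mod_headers, while the header values, the `(?i)` case-insensitive match and the assumption that `uploads/` is the untrusted directory are choices made for this illustration:

```apache
# Added example of an uploads/.htaccess fragment (hypothetical, not the project's file).
# Assumes mod_headers is loaded and the vhost allows "AllowOverride FileInfo" here.
# Because this file lives in uploads/, PDFs elsewhere on the site are not affected.
<IfModule mod_headers.c>
    # Match only PDF files in this directory and its subdirectories, any letter case
    <FilesMatch "(?i)\.pdf$">
        # Ask the browser to save the file rather than render an untrusted upload inline
        Header set Content-Disposition "attachment"
        # Forbid MIME sniffing, so a PDF-named upload is not reinterpreted as another type
        Header set X-Content-Type-Options "nosniff"
    </FilesMatch>
</IfModule>
```

Two caveats follow from the thread itself. First, Apache only honours this file when the enclosing directory allows overrides, so a deployment with `AllowOverride None` silently drops the rule; checking the response headers of a test PDF under uploads/ (for example with the browser's network panel) is the quickest way to confirm it is active. Second, nginx and Caddy never read .htaccess at all, so the equivalent must be added to their own configuration; for nginx that would be an `add_header Content-Disposition attachment;` inside a `location` block matching `/uploads/` PDFs, as an assumed equivalent that is not taken from the linked devdocs page.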
Thank you Thomas!!! :-) @kpodemski We can merge |
.htaccess and added it only to uploads/.htaccess, where all these uploads go.
Research - user untrusted file uploads
How to test
Disclaimer
It behaves in a weird way sometimes. I am using XAMPP on Windows and either Apache or Chrome is caching it.
aaa.pdf in my prestashop root. When I access it in the browser, it downloads.
.htaccess
aaa.pdf again, it's still downloading instead of displaying.
aaa.pdf to bbb.pdf and access it, it opens in the browser.
aaa.pdf
I still get it and it gets downloaded, even though it doesn't exist anymore. :-) 🤷‍♂️