Feature Wiki
MIME Type Checks for File Upload
1 Initial Problem
ILIAS does not check the actual file content when files are uploaded. For instance, you can upload SVGs that have a .jpg file extension in "Personal Data and Profile". This even works on docu.ilias.de. Uploading PostScript files does not give you a thumbnail there, probably because GhostScript is missing, but it does in our ILIAS installation, where GhostScript is apparently installed.
Security issues with PostScript/GhostScript (by design: PostScript is a full programming language, so rendering a file means executing it): https://searchsecurity.techtarget.com/tip/More-Ghostscript-vulnerabilities-more-PostScript-problems
Security issues with SVGs (due to the complexity of the SVG file format and of the libraries that render it): https://imagetragick.com/
PostScript and SVG are powerful formats (both can, for instance, load content from remote locations), and their interpreters frequently suffer from security issues. Given that the upload page says "Allowed file types: .jpg, .jpeg, .png, .gif", only files whose content actually is a valid JPEG, PNG or GIF should be accepted and handed to an image interpreter; the file extension and the browser-supplied MIME type are both chosen by the uploader and prove nothing.
2 Conceptual Summary
ILIAS should provide a single, sane way of handling file uploads (a module or service that plugins can use as well) which covers basic functionality such as storage and MIME-type validation based on file content, and this module or service should be used by every file-upload instance ILIAS provides (there are plenty). Test cases should be implemented so regressions can be spotted easily. OWASP:Unrestricted_File_Upload should be considered.
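To make the required check concrete, here is an added example of content-based validation for the four allowed image types. It is not ILIAS code and is written in Python rather than ILIAS's PHP so it runs stand-alone; the format names, the `ALLOWED` table, the `validate_upload` function and the sample uploads are all assumptions made for this illustration. The decision is taken from magic bytes in the file content, never from the filename or the browser-supplied MIME type, and the declared extension must agree with what was detected.

```python
import os

# Allowlist from the upload page: declared extension -> content format it must contain.
ALLOWED = {".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".gif": "gif"}

# Fixed leading byte sequences ("magic bytes") of the formats we care about.
MAGIC = [
    (b"\xff\xd8\xff", "jpeg"),          # JPEG/JFIF start-of-image marker
    (b"\x89PNG\r\n\x1a\n", "png"),      # PNG signature
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"%!PS", "postscript"),            # PostScript / EPS header comment
]


def sniff(data: bytes) -> str:
    """Infer the format from the file content alone.

    Neither the filename nor the browser-supplied MIME type (PHP's
    $_FILES[...]['type']) is consulted: both are attacker-controlled.
    """
    for prefix, fmt in MAGIC:
        if data.startswith(prefix):
            return fmt
    # SVG is XML text and has no fixed magic. Tolerate a BOM, whitespace, an XML
    # prolog, comments or a doctype in front, then require an <svg root element.
    head = data[:4096].lower()
    lead = head.lstrip(b"\xef\xbb\xbf \t\r\n")
    if lead.startswith((b"<?xml", b"<!doctype", b"<!--", b"<svg")) and b"<svg" in head:
        return "svg"
    return "unknown"


def validate_upload(filename: str, data: bytes) -> tuple[bool, str, str]:
    """Return (accepted, detected_format, reason).

    A file is accepted only if its extension is on the allowlist AND its content
    sniffs as exactly the format that extension promises.
    """
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED:
        return False, "n/a", f"extension {ext!r} is not allowed"
    detected = sniff(data)
    expected = ALLOWED[ext]
    if detected != expected:
        return False, detected, f"content is {detected}, but {ext} must contain {expected}"
    return True, detected, "ok"


# Constructed sample uploads (made up for this example, not real files); the first
# two reproduce the problem described above: dangerous content behind a .jpg name.
SAMPLES = {
    "avatar.jpg": (
        b'<?xml version="1.0"?>\n<svg xmlns="http://www.w3.org/2000/svg">'
        b'<image href="http://203.0.113.5/x.png"/></svg>'
    ),
    "photo.jpg": b"%!PS-Adobe-3.0\n/in {72 mul} def\nshowpage\n",
    "real.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01" + bytes(64),
    "logo.png": b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR" + bytes(64),
    "anim.gif": b"GIF89a\x01\x00\x01\x00" + bytes(64),
    "renamed.jpg": b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR" + bytes(64),  # PNG bytes, .jpg name
    "tool.exe": b"MZ" + bytes(64),
}


def check_all(samples: dict = SAMPLES) -> dict:
    """Run every sample through the validator; maps filename -> (accepted, detected)."""
    return {name: validate_upload(name, data)[:2] for name, data in samples.items()}


if __name__ == "__main__":
    for name, (ok, fmt) in check_all().items():
        print(f"{'ACCEPT' if ok else 'REJECT':6} {name:12} detected={fmt}")
```

Two caveats a reviewer would raise. Magic bytes only prove what the file claims to be, not that it is a well-formed image (the sample headers above are followed by zero padding and would not decode), so the stored file should additionally be decoded and re-encoded by an image library running in a hardened configuration, for example ImageMagick with the PS, EPS and SVG coders disabled in its policy.xml, which is also the mitigation for the ImageTragick class of bugs linked above. And the strict extension/content agreement rejects honest mistakes such as a PNG uploaded as .jpg; if that is unwanted, normalise the stored extension to the detected format instead of rejecting, but never keep the uploader's extension unchecked.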
3 Technical Information
{The maintainer has to provide necessary technical information, e.g. dependencies on other ILIAS components, necessary modifications in general services/architecture, potential security or performance issues.}
4 Privacy Information
In implementing this feature, no additional personal data has to be processed.
5 Contact
- Author of the Request: Gerth, Michael [@LLZ_Uni-Halle] and Pahlow, Felix [Felix@ITZ]
- Maintainer:
- Implementation of the feature is done by:
6 Funding
If you are interested in funding this feature, please add your name and institution to this list.
- …
7 Discussion
- This FR has been reported as Mantis:26989, where it was classified as not being a bug.
- This FR has been reported to the security mailing list, where it was classified as "not a critical issue".
8 Implementation
{The maintainer has to give a description of the final implementation and add screenshots if possible.}
Test Cases
Test cases completed at {date} by {user}
- {Test case number linked to Testrail} : {test case title}
Approval
Approved at {date} by {user}.
Last edited: 8. Jan 2020, 14:59, Pahlow, Felix [Felix@ITZ]