Opened 18 years ago

Closed 18 years ago

Last modified 18 years ago

#3531 closed (invalid)

ImageField - possible script injection

Reported by: Piotr Maliński <riklaunim@…> Owned by: Adrian Holovaty
Component: Database layer (models, ORM) Version: dev
Severity: Keywords:
Cc: sam@… Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

ImageField field validates files using MIME which isn't 100% ok. It will allow uploading *py *php *pl or any other file extension when it will have image MIME signature at the beginning:

cat image.png code.php > upload_me.php

It's dangerous for shared hosting and other where media folders can execute scripts like PHP where <?PHP starts the code and makes the binary image part meaningless for the interpreter (could look like this).

Example: screenshot - 11.py uploaded as image. Check the extensions

Change History (4)

comment:1 by Malcolm Tredinnick, 18 years ago

Resolution: invalid
Status: newclosed

Thanks for the report (and the thinking behind it), however checking externsions is a not a good way of doing security. It is approach used by Microsoft in Windows and one of the reasons it is so easy to exploit that platform. Forcing people to use particular extensions (or any extension at all) for a file is not good practice. MIME types exist to avoid this very problem.

Uploading images (or other files) into a directory where the contents are automatically executed as CGI scripts is the real problem here. It just shouldn't be done (executing files that start with garbage and looking for meaningful strings in the middle of them is another problem). There is, in general, no 100% reliable way to check that something is just an image (or other type of file -- after all, we don't just allow image uploading if you use the FileField field, for example) and not *also* a file that might be mysteriously executed by an interpreter that processes any junk it is fed. It is quite possible that an image could legitimately contain the "magic string" that triggers execution by some language interpreter.

This is security problem, but the problem is on the side of the sever doing the uploads into an executable directory (or possibly serving files with an incorrect MIME type).

comment:2 by Piotr Maliński <riklaunim@…>, 18 years ago

Extension checking could be as extra feature - not as a replacement.

comment:3 by Chris Beaven, 18 years ago

Piotr, if you wanted to do something like that, it'd probably be better to try decoding it with PIL to see if it's a real image.

comment:4 by anonymous, 18 years ago

Cc: sam@… added
Note: See TracTickets for help on using tickets.
Back to Top