CVE-2023-4159: Validate asset extensions as well as types · omeka/omeka-s@2a7fb26

Unrestricted Upload of File with Dangerous Type in GitHub repository omeka/omeka-s prior to 4.0.3.

CVE
#vulnerability#web#git#php

Validate asset extensions as well as types

Adds a parallel configurable list of allowed asset extensions alongside the list of allowed types.

(cherry picked from commit 66e1294)

Showing 2 changed files with 8 additions and 1 deletion.

      • module.config.php
      • AssetAdapter.php

7 changes: 7 additions & 0 deletions application/config/module.config.php

@@ -47,6 +47,13 @@

'image/gif’,

'image/webp’,

],

‘allowed_extensions’ => [

'jpeg’,

'jpg’,

'png’,

'gif’,

'webp’,

],

],

‘permissions’ => [

‘acl_resources’ => [
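Review bot: the new `allowed_extensions` list at the top of this hunk mirrors `allowed_media_types` entry for entry, but nothing in the config states that the two lists must be kept in sync, so an operator who later adds a media type may forget the matching extension (or the reverse) and uploads are then silently blocked or allowed; a one-line comment above `'allowed_extensions' => [` saying that both lists gate asset uploads and must be edited together would prevent that drift. The entries are all lowercase, so whether a file named `photo.JPG` passes depends on case handling inside `Validator`, which this hunk does not show.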

2 changes: 1 addition & 1 deletion application/src/Api/Adapter/AssetAdapter.php

@@ -70,7 +70,7 @@ public function hydrate(Request $request, EntityInterface $entity, ErrorStore $e

$tempFile->setSourceName($fileData[‘file’][‘name’]);

$config = $this->getServiceLocator()->get(‘Config’);

$validator = new Validator($config[‘api_assets’][‘allowed_media_types’]);

$validator = new Validator($config[‘api_assets’][‘allowed_media_types’], $config[‘api_assets’][‘allowed_extensions’]);

if (!$validator->validate($tempFile, $errorStore)) {

return;

}
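Review bot: the replacement `new Validator(...)` call reads `$config['api_assets']['allowed_extensions']` unconditionally, so an installation whose local config overrides `api_assets` from before this change would have no such key and would pass an undefined index (null) into the validator, which depending on how `Validator` treats it either raises a notice or skips the extension check altogether; reading the key with a fallback such as `$config['api_assets']['allowed_extensions'] ?? []` and calling out the new key in the upgrade notes would make that failure explicit. Also, this commit touches only two files, so the two-argument `Validator` constructor must already exist on this branch; worth confirming before merge, since the change is a cherry-pick of 66e1294.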
