Avoiding file types in uploading files

Good day everyone,

I have a concern about uploading files to OJS

Recently, by mistake, a partner clicked on a .EXE instead of a .PDF in some upload module… the outcome was a successful upload to OJS. That made us wonder about the security implications and we tried to fix it.

We took a look at “config.inc.php” and we found this:

[finfo]
mime_database_path = /etc/magic.mime

We looked for that file and its content was as follows:

 # Magic local data for file(1) command.
 # Insert here your local magic data. Format is described in magic(5).

I added some rules I found in the OJS forums and the final version of the magic.mime file is:

# Magic local data for file(1) command.
# Insert here your local magic data. Format is described in magic(5).

image/gif: .gif
image/jpeg, image/pjpeg: .jpg
image/png, image/x-png: .png
image/vnd.microsoft.icon, image/x-icon, image/ico: .ico
application/x-shockwave-flash: .swf
video/x-flv, application/x-flash-video, flv-application/octet-stream, applicati$
audio/mpeg: .mp3
audio/x-aiff: .aiff
audio/x-wav: .wav
video/mpeg: .mpg
video/quicktime: .mov
video/mp4: .mp4
text/javascript: .js

After some research we found some related info that says the fix might be related to this file:

lib/pkp/classes/core/String.inc.php

I looked for mime related lines and honestly I did not find any relevant data…

I tried to read the content of /usr/share/file/magic, but it is not a file, but a folder, and magic.mgc is a binary one.

So… Can anybody help me find out how to set up our OJS so that only the file types we really need can be uploaded?

I appreciate your time and your answer.

Thank you in advance.

Hi @William_Ortiz,

OJS doesn’t check what kinds of files you attach to submissions; there are situations where an .EXE file could be a valid attachment. OJS is protected from malicious uploads (e.g. .PHP scripts that could be run server-side) because access to those files is mediated by PHP, so that they can’t be invoked directly on the server. Client-side, users should treat downloaded files with the same care they would from any website.

Regards,
Alec Smecher
Public Knowledge Project Team

Thank you for your quick reply. :smile:

Nonetheless, the final user of this OJS does not want to allow any .EXE to be uploaded. I already told him what you explained above, but he wants to see on his very screen that it is impossible to upload such a type of file. Could you please give me a hint on this? I would appreciate that.

Regards,

William.

Hi @William_Ortiz,

I think the best way to do that would probably be to modify lib/pkp/classes/file/FileManager.inc.php, in the uploadFile method, to add the new restriction.

Regards,
Alec Smecher
Public Knowledge Project Team

Thank you @asmecher!

I’m gonna take a look over there and I will tell you what happened. :grin:

Hello @William_Ortiz,
Did you come to a conclusion on this topic?
Can you share your solution with me, if you have overcome this problem?

Best,
Ali

I found it in pkpSiteSettingsForm.inc.php.
I want to create a function for an author submission file type filter, allowing only docx or doc; maybe anybody can help me.

    /**
     * Uploads custom site stylesheet.
     */
    function uploadSiteStyleSheet() {
        import('classes.file.PublicFileManager');
        $publicFileManager = new PublicFileManager();
        $site =& Request::getSite();
        if ($publicFileManager->uploadedFileExists('siteStyleSheet')) {
            // Reject anything that is not reported as plain text or CSS
            $type = $publicFileManager->getUploadedFileType('siteStyleSheet');
            if ($type != 'text/plain' && $type != 'text/css') {
                return false;
            }

            $uploadName = $site->getSiteStyleFilename();
            if ($publicFileManager->uploadSiteFile('siteStyleSheet', $uploadName)) {
                $siteDao =& DAORegistry::getDAO('SiteDAO');
                $site->setOriginalStyleFilename($publicFileManager->getUploadedFileName('siteStyleSheet'));
                $siteDao->updateObject($site);
            }
        }

        return true;
    }

Hi @Gopur_Sodik,

I may be able to provide guidance – but what is your intention in filtering file types?

Regards,
Alec Smecher
Public Knowledge Project Team

I also have the same situation where we need to restrict authors to uploading only doc/docx files for article submission. Has this issue been solved?
@William_Ortiz, did you come up with a solution? Thank you.

regards,
Daniel Siahaan

I also have the same situation where we need to restrict authors to uploading only doc/docx/pdf files for article submission. Has this issue been solved?

Hello, I solved this problem as follows:

Dir: \lib\pkp\classes\file\FileManager.inc.php
Line: 117

Method: function uploadFile($fileName, $destFileName);

    $allowed  = array('gif', 'png', 'jpg', 'pdf', 'doc', 'docx'); // allowed extensions
    $filename = $_FILES[$fileName]['name'];
    $ext      = strtolower(pathinfo($filename, PATHINFO_EXTENSION));

    // Check the extension before moving the file, so a rejected upload
    // never lands in the files directory
    if (!in_array($ext, $allowed)) {
        return false;
    }

    if (move_uploaded_file($_FILES[$fileName]['tmp_name'], $destFileName)) {
        return $this->setMode($destFileName, FILE_MODE_MASK);
    }
    return false;

:smiley:

If you are concerned about security, I think it is better to check the MIME type.

Could you tell me where I should make this check for the MIME type?

https://stackoverflow.com/a/10456149/6711224
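The extension allowlist posted above and the MIME check suggested in the last replies can be combined in one helper. The following is an added example, not OJS/PKP code: `isAllowedUpload()` is a hypothetical function that reads the same `$_FILES` entry `uploadFile()` receives and uses PHP's `finfo` extension directly (OJS's own FileManager exposes `getUploadedFileType()`, as the stylesheet snippet earlier in this thread shows); the extension-to-MIME map is an assumption you would adjust for your journal.

```php
<?php
// Added example (not OJS/PKP code): accept an upload only when the
// client-supplied extension is allowed AND the bytes on disk look like
// that type according to libmagic. A renamed .exe fails the second test
// even if its name ends in .pdf.

// Assumed allowlist: extension => MIME types finfo may report for it.
$allowedTypes = array(
    'pdf'  => array('application/pdf'),
    'doc'  => array('application/msword'),
    'docx' => array('application/vnd.openxmlformats-officedocument.wordprocessingml.document'),
    'jpg'  => array('image/jpeg'),
    'png'  => array('image/png'),
    'gif'  => array('image/gif'),
);

/**
 * Hypothetical helper. $file is one entry of $_FILES (has 'name' and 'tmp_name').
 * Returns true only if both the extension and the detected MIME type are allowed.
 */
function isAllowedUpload(array $file, array $allowedTypes) {
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset($allowedTypes[$ext])) {
        return false; // extension not in the allowlist
    }

    // Inspect the temporary file's contents, not its name, using the
    // system magic database (the one mime_database_path points at).
    $finfo    = new finfo(FILEINFO_MIME_TYPE);
    $detected = $finfo->file($file['tmp_name']);
    if ($detected === false) {
        return false; // unreadable or undetectable: reject
    }

    // Strict comparison: the detected type must be one listed for this extension
    return in_array($detected, $allowedTypes[$ext], true);
}

// Assumed placement inside FileManager::uploadFile(), before move_uploaded_file():
// if (!isAllowedUpload($_FILES[$fileName], $allowedTypes)) return false;
```

What `finfo` reports depends on the installed magic database: older libmagic versions return `application/zip` for .docx and may return other values for legacy .doc, so check a known-good sample of each type on your server and extend the corresponding list before enforcing it.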