Good day everyone,
I have a concern about uploading files to OJS.
Recently, by mistake, a partner clicked on a .EXE instead of a .PDF in some upload module… the outcome was a successful upload to OJS. That made us wonder about the security implications, and we tried to fix it.
We took a look at “config.inc.php” and found this:
[finfo]
mime_database_path = /etc/magic.mime
We looked for the file and its content was as follows:
# Magic local data for file(1) command.
# Insert here your local magic data. Format is described in magic(5).
I added some rules I found in the OJS forums, and the final version of the magic.mime file is:
# Magic local data for file(1) command.
# Insert here your local magic data. Format is described in magic(5).
image/gif: .gif
image/jpeg, image/pjpeg: .jpg
image/png, image/x-png: .png
image/vnd.microsoft.icon, image/x-icon, image/ico: .ico
application/x-shockwave-flash: .swf
video/x-flv, application/x-flash-video, flv-application/octet-stream, applicati$
audio/mpeg: .mp3
audio/x-aiff: .aiff
audio/x-wav: .wav
video/mpeg: .mpg
video/quicktime: .mov
video/mp4: .mp4
text/javascript: .js
After some research we found some related info that says the fix might be related to this file:
lib/pkp/classes/core/String.inc.php
I looked for mime related lines and honestly I did not find any relevant data…
I tried to read the content of /usr/share/file/magic, but it is not a file but a folder, and magic.mgc is a binary file.
So… Can anybody help me to know how to set up our OJS in order to upload just the types we really need?
I appreciate your time and your answer.
Thank you in advance.
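
Added example, not part of the original post and not OJS code: a content-based allowlist check using PHP's fileinfo extension with its bundled magic database, which classifies an upload by its leading bytes and then requires the file name's extension to agree. The allowlist, the function name `checkUpload` and the sample byte strings are assumptions constructed for illustration.

```php
<?php
// Added example (not OJS code): allowlist uploads by detected content type.
// The allowlist and the sample byte strings below are constructed.
const ALLOWED_TYPES = [
    'application/pdf' => ['pdf'],
    'image/png'       => ['png'],
    'image/jpeg'      => ['jpg', 'jpeg'],
];

/**
 * Returns [bool $accepted, string $reason] for an upload.
 * $bytes is the file content (or its first few KB); $clientName is the
 * name the browser sent, which is user-controlled and only compared
 * against the detected type, never trusted on its own.
 */
function checkUpload(string $bytes, string $clientName): array
{
    $finfo = new finfo(FILEINFO_MIME_TYPE);   // uses the bundled magic database
    $mime  = $finfo->buffer($bytes);
    if ($mime === false || !array_key_exists($mime, ALLOWED_TYPES)) {
        return [false, 'detected type not allowed: ' . var_export($mime, true)];
    }
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_TYPES[$mime], true)) {
        return [false, "extension .$ext does not match $mime"];
    }
    return [true, $mime];
}

// Constructed samples: a minimal PDF header and a DOS/PE "MZ" stub.
$pdf = "%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n";
$exe = "MZ" . str_repeat("\0", 62);

$cases = [
    ['article.pdf', $pdf],   // PDF content, PDF name
    ['article.pdf', $exe],   // executable renamed to .pdf
    ['setup.exe',   $exe],   // executable under its own name
    ['setup.exe',   $pdf],   // PDF content with a mismatched name
];
foreach ($cases as [$name, $bytes]) {
    [$ok, $why] = checkUpload($bytes, $name);
    printf("%-12s %s (%s)\n", $name, $ok ? 'ACCEPT' : 'REJECT', $why);
}
```

Only the first case is accepted; the exact type string reported for the executable stub depends on the libmagic version, which is why the check allowlists known-good types instead of blocklisting known-bad ones.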