Good day everyone,
I have a concern about uploading files to OJS.
Recently, by mistake, a partner clicked on a .EXE instead of a .PDF in some upload module… the outcome was a succeeded upload to OJS. That made us wonder about the security implications, and we tried to fix it.
We took a look at “config.inc.php” and we found this:
[finfo]
mime_database_path = /etc/magic.mime
We looked for the file, and its content was as follows:
# Magic local data for file(1) command.
# Insert here your local magic data. Format is described in magic(5).
I added some rules I found in the OJS forums, and the final version of the magic.mime file is:
After some research we found some related info that says the fix might be related to this file:
I looked for mime related lines and honestly I did not find any relevant data…
I tried to read the content of /usr/share/file/magic, but it is not a file, but a folder, and magic.mgc is a binary one.
So… Can anybody help me to know how to set up our OJS in order to just upload the types we do really need?
I appreciate your time and your answer.
Thank you in advance.