MISP
/
MISP
mirror of https://github.com/MISP/MISP
2
2
Fork 0
Code Issues Releases Wiki Activity

Loosened the filename validation on attachments 

- filenames without extensions were blocked for example
pull/195/head
iglocska 2013-11-05 13:48:39 +01:00
parent c95f8ea283
commit 2a28591bf7
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
app/Controller/AttributesController.php
View File

@ -317,7 +317,7 @@ class AttributesController extends AppController {
if ($this->request->data['Attribute']['malware']) {
$this->request->data['Attribute']['type'] = "malware-sample";
// Validate filename
if (!preg_match('@^[\w-,\s,\.]+\.[A-Za-z0-9_]{2,4}$@', $filename)) throw new Exception ('Filename not allowed');
if (!preg_match('@^[\w\-. ]+$@', $filename)) throw new Exception ('Filename not allowed');
$this->request->data['Attribute']['value'] = $filename . '|' . hash_file('md5', $tmpfile->path); // TODO gives problems with bigger files
$sha256 = (hash_file('sha256', $tmpfile->path));
$sha1 = (hash_file('sha1', $tmpfile->path));
@ -325,7 +325,7 @@ class AttributesController extends AppController {
} else {
$this->request->data['Attribute']['type'] = "attachment";
// Validate filename
if (!preg_match('@^[\w-,\s,\.]+\.[A-Za-z0-9_]{2,4}$@', $filename)) throw new Exception ('Filename not allowed');
if (!preg_match('@^[\w\-. ]+$@', $filename)) throw new Exception ('Filename not allowed');
$this->request->data['Attribute']['value'] = $filename;
$this->request->data['Attribute']['to_ids'] = 0;
}