HackerOne: RTL override symbol not stripped from file names

ID H1:298
Type hackerone
Reporter mathias
Modified 2015-05-28T04:49:32


Any U+202E RIGHT-TO-LEFT OVERRIDE (and similar) symbols in file names of uploaded files are not stripped from the file name, causing potentially malicious executables to look like harmless images, for example. This might trick HackerOne panel members into accidentally opening evil h4x0r filez.

I’ve attached two files:

  • one is named insane_in_the_cort[RLO]3pm.exe, which gets rendered as insane_in_the_cortexe.mp3, making it look like a harmless mp3 file of a well-known Cypress Hill song.
  • another is named po[RLO]gnp.app, which gets rendered as poppa.png, as if it was just a PNG image.

I’ve also attached a screenshot showing what it looks like after uploading the files.
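The two file names above can be checked and sanitized server-side with a few lines of Python. The following is an added example, not code from the original report or from HackerOne: it flags any file name containing Unicode bidirectional control characters, strips them before the name is stored or displayed, and approximates how a name carrying a single U+202E override would be drawn so that the displayed extension can be compared with the real one. The function names, the list of control characters and the sample names (built from the report's names with `[RLO]` replaced by U+202E) are all constructed for this example; `approximate_display` is a simplification of the Unicode bidi algorithm that covers only the single-override case used in the report.

```python
import unicodedata

# Bidi embedding, override, isolate and mark characters (all Unicode category "Cf").
# Constructed set for this example; any of them can reorder the displayed name.
BIDI_CONTROLS = frozenset(
    "\u202a\u202b\u202c\u202d\u202e"  # LRE, RLE, PDF, LRO, RLO
    "\u2066\u2067\u2068\u2069"        # LRI, RLI, FSI, PDI
    "\u200e\u200f\u061c"              # LRM, RLM, ALM
)
RLO = "\u202e"
PDF = "\u202c"


def has_bidi_control(name: str) -> bool:
    """True if the file name contains any bidi control character (should be rejected or cleaned)."""
    return any(ch in BIDI_CONTROLS for ch in name)


def strip_bidi_controls(name: str) -> str:
    """Remove bidi controls and every other invisible 'Cf' format character from a file name."""
    return "".join(
        ch for ch in name
        if ch not in BIDI_CONTROLS and unicodedata.category(ch) != "Cf"
    )


def logical_extension(name: str) -> str:
    """Extension the operating system actually uses: text after the last dot in logical order."""
    clean = strip_bidi_controls(name)
    return clean.rsplit(".", 1)[-1].lower() if "." in clean else ""


def approximate_display(name: str) -> str:
    """Approximate how a name with one RLO is drawn: text after the override
    is shown reversed until a PDF (or the end of the name). Simplified bidi,
    sufficient for the single-override names in this report."""
    if RLO not in name:
        return name
    before, after = name.split(RLO, 1)
    overridden, _, rest = after.partition(PDF)
    return before + overridden[::-1] + rest


def apparent_extension(name: str) -> str:
    """Extension a reader sees on screen, derived from the approximated display form."""
    shown = approximate_display(name)
    return shown.rsplit(".", 1)[-1].lower() if "." in shown else ""


def check_upload_name(name: str) -> dict:
    """Summarize the risk of a file name: whether it carries bidi controls and whether the
    displayed extension differs from the real one. Returns the sanitized name to store."""
    return {
        "has_bidi_control": has_bidi_control(name),
        "logical_extension": logical_extension(name),
        "apparent_extension": apparent_extension(name),
        "extension_mismatch": logical_extension(name) != apparent_extension(name),
        "sanitized_name": strip_bidi_controls(name),
    }


if __name__ == "__main__":
    # Constructed sample names matching the two attachments described in the report.
    for sample in ("insane_in_the_cort\u202e3pm.exe", "po\u202egnp.app", "poppa.png"):
        print(repr(sample), check_upload_name(sample))
```

Rejecting the upload outright when `has_bidi_control` is true is the simplest policy; if the platform prefers to accept the file, storing `sanitized_name` keeps the name that is shown to triagers identical to the one the operating system will act on.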