Drupal Malicious file upload with filenames stating with dot

2024-05-1520:55:22

Google

osv.dev

drupal 8

file upload

vulnerability

patch

7.1 High

AI Score

Confidence

Low

JSON

Drupal 8 core’s file_save_upload() function does not strip the leading and trailing dot (‘.’) from filenames, like Drupal 7 did.

Users with the ability to upload files with any extension in conjunction with contributed modules may be able to use this to upload system files such as .htaccess in order to bypass protections afforded by Drupal’s default .htaccess file.

After this fix, file_save_upload() now trims leading and trailing dots from filenames.

CPENameOperatorVersion
drupal/drupaleq8.5.0
drupal/drupaleq8.4.0-beta1
drupal/drupaleq8.3.0-rc2
drupal/drupaleq8.2.0-rc2
drupal/drupaleq8.6.0
drupal/drupaleq8.6.0-beta2
drupal/drupaleq8.6.5
drupal/drupaleq8.4.6
drupal/drupaleq8.1.3
drupal/drupaleq8.5.5

Name	Operator	Version
drupal/drupal	eq	8.5.0
drupal/drupal	eq	8.4.0-beta1
drupal/drupal	eq	8.3.0-rc2
drupal/drupal	eq	8.2.0-rc2
drupal/drupal	eq	8.6.0
drupal/drupal	eq	8.6.0-beta2
drupal/drupal	eq	8.6.5
drupal/drupal	eq	8.4.6
drupal/drupal	eq	8.1.3
drupal/drupal	eq	8.5.5

Rows per page:

1-10 of 1211

References

github.com/drupal/drupal

github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/2019-12-18-2.yaml

www.drupal.org/sa-core-2019-010

7.1 High

AI Score

Confidence

Low

JSON