Details
Improvement
Resolution: Done
Medium
2.5.31, 4.5.0, 4.6.0-beta1, 3.3.33
None
None
Description
The file upload blocklist includes file types that are not allowed to be uploaded.
https://github.com/ibexa/core/blob/main/src/bundle/Core/Resources/config/default_settings.yml#L111
Some variants of PHP file types are not included by default; we should add them: php4, php5, phps.
v2.5: https://github.com/ezsystems/ezpublish-kernel/pull/3153 (merged)
>= v3.3: https://github.com/ezsystems/ezplatform-kernel/pull/379 (merged)
We should also document this blocklist on our security checklist page.
PR: https://github.com/ezsystems/developer-documentation/pull/2059 (merged)