File Upload Plugin v6.0 Security Released
CakePHP File Upload Plugin
Info:
- Version: 6.1.1
- Requirements: CakePHP 1.x, PHP
- Docs: CakePHP File Upload Plugin API
- Article: CakePHP File Upload Plugin Discussion and Examples
Get it:
- Download Now
- git clone git://github.com/webtechnick/CakePHP-FileUpload-Plugin file_upload
What's new in 6.0
FileUploadPlugin v6.0 is a security release rather than a features release. There are two major changes that you should be aware of.
First, a bug fix: if a fileNameCallback function returns false, the upload is now halted, as documented.
Second, I've changed the way the plugin validates a file being uploaded. Previously the uploader only checked the MIME type of the file. Now the uploader checks the extension as well as the MIME type; both must match, or a validation error occurs and the upload is halted. This closes a potential hole: the MIME type of an upload is supplied by the client, so an attacker could alter it and pass a malicious file through with its real extension intact. That matters because most servers decide how to execute a file by its extension, not its MIME type.
This change required a change in how the allowedTypes array is constructed. Previously, allowedTypes was a flat array of MIME types. Now it's a multi-dimensional array keyed by extension, with the MIME types permitted for that extension as the array value. An extension listed as a bare string, without a key, accepts any MIME type for that extension.
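To make the two-part check concrete, here is the validation logic described above written as a stand-alone PHP function. This is an added example, not code from the plugin itself; the function names are my own, and the sample allowedTypes array and file names are constructed to match the settings shown on this page. Bare entries such as 'gif' accept any MIME type, keyed entries accept only the listed ones, and an extension that is not in the array fails regardless of the MIME type the client claims.

```php
<?php
// Added example (not the plugin's code): the extension + MIME check that
// v6.0 describes, using the plugin's allowedTypes array convention.

// Turn the mixed array format into ext => array(mimes) or ext => null
// (null meaning "any MIME type", for bare entries such as 'gif').
function normalizeAllowedTypes(array $allowedTypes) {
    $normalized = array();
    foreach ($allowedTypes as $key => $value) {
        if (is_int($key)) {
            // Bare string entry: extension only, any MIME type accepted.
            $normalized[strtolower($value)] = null;
        } else {
            $normalized[strtolower($key)] = array_map('strtolower', (array)$value);
        }
    }
    return $normalized;
}

// Returns true only when the extension is whitelisted AND the client-supplied
// MIME type is one of those allowed for that extension. Either check failing
// should halt the upload with a validation error.
function isUploadAllowed($fileName, $mimeType, array $allowedTypes) {
    $allowed = normalizeAllowedTypes($allowedTypes);
    // pathinfo() yields the LAST extension, so "photo.jpg.php" is judged as .php
    $ext = strtolower(pathinfo($fileName, PATHINFO_EXTENSION));
    if ($ext === '' || !array_key_exists($ext, $allowed)) {
        return false; // extension not on the whitelist; MIME type is irrelevant
    }
    if ($allowed[$ext] === null) {
        return true; // bare entry: any MIME type accepted for this extension
    }
    return in_array(strtolower($mimeType), $allowed[$ext], true);
}

// Constructed sample settings, mirroring the examples on this page.
$allowedTypes = array(
    'jpg' => array('image/jpeg', 'image/pjpeg'),
    'png' => array('image/png'),
    'gif',
    'swf',
    'pdf' => array('application/pdf'),
);

// Constructed sample uploads: (file name as submitted, MIME type as claimed by the client).
$samples = array(
    array('photo.jpg',     'image/jpeg'),  // extension and MIME type agree
    array('photo.gif',     'image/png'),   // bare 'gif' entry, MIME type not checked
    array('photo.png',     'image/jpeg'),  // MIME type does not match the .png entry
    array('upload.php',    'image/jpeg'),  // spoofed image MIME type on a non-whitelisted extension
    array('photo.jpg.php', 'image/jpeg'),  // double extension; the last one decides
);

foreach ($samples as $s) {
    list($name, $mime) = $s;
    printf("%-15s %-12s %s\n", $name, $mime,
        isUploadAllowed($name, $mime, $allowedTypes) ? 'accepted' : 'rejected');
}
```

The design point is that the file name comes from the request just as the MIME type does, so neither value is trusted on its own; the extension decides which list of MIME types applies, and the whitelist is the only source of truth for what may be stored.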
Some Examples
Example Setting With a Controller:
```php
$this->FileUpload->allowedTypes(array(
  'jpg' => array('image/jpeg', 'image/pjpeg'), // validate only image/jpeg and image/pjpeg mime types with ext .jpg
  'png' => array('image/png'),                 // validate only image/png mime type file with ext .png
  'gif',                                       // validate all MIME types for ext .gif
  'swf',                                       // validate all MIME types for ext .swf
  'pdf' => array('application/pdf'),           // validate only application/pdf for ext .pdf
));
```
Sample In a Behavior
```php
var $actsAs = array(
  'FileUpload.FileUpload' => array(
    'allowedTypes' => array(
      'jpg' => array('image/jpeg', 'image/pjpeg'), // validate only image/jpeg and image/pjpeg mime types with ext .jpg
      'png' => array('image/png'),                 // validate only image/png mime type file with ext .png
      'gif',                                       // validate all MIME types for ext .gif
      'swf',                                       // validate all MIME types for ext .swf
      'pdf' => array('application/pdf'),           // validate only application/pdf for ext .pdf
    )
  )
);
```
The default types are the same.
Included in the newest release is the Migration Guide from 5.0 to 6.0. I encourage you to read through that document as well.
Enjoy the changes,
Nick