forbidden_extensions in archives check in JInputFilter::isSafeFile doesn't work as expected #8197

Closed
Hoffi1 opened this issue Oct 29, 2015 · 6 comments

Comments

@Hoffi1
Contributor

Hoffi1 commented Oct 29, 2015

I am talking about joomla/filter/input.php (516ff) of Joomla 3.4.5.

In this block an archive file is completely parsed using strstr() against character sequences like ".php" or ".py". This does not meet the intention to find script files within archives because
(a) There is a good chance that the compressor producing the archive file generates output like ".py" or ".php". So we have a false positive just as a result of compression.
(b) Script files within e.g. a tgz file can't be seen this way because files are first streamed into a single tar file which is then compressed.

Because these checks are new in J! 3.4 and most extensions don't switch them off, I suggest deactivating this test by default by setting 'fobidden_ext_in_content' => false (please note the typo 😉) to reduce support calls. Alternatively a really working check would be good, but I've no idea how to write one except extracting all the archives and checking the uncompressed content - which may slow down the server and cause script timeouts.

This corresponds to my post http://forum.joomla.org/viewtopic.php?f=715&t=894174&p=3338980#p3338980 on The Joomla! Forum.
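
Points (a) and (b) above can be reproduced with two constructed archives. This is an added example, not part of the original issue or of Joomla's code: it is written in Python rather than PHP so that it runs stand-alone, the helper names are hypothetical, and the extension list is the one quoted in this thread. It compares the raw substring scan with a check of the archive's member names.

```python
import io
import os
import tarfile
import zipfile

# Extension list as quoted in this thread (assumption: Joomla's real list may differ).
FORBIDDEN = {"php", "phps", "php5", "php3", "php4", "inc", "pl", "cgi",
             "fcgi", "java", "jar", "py"}

def naive_scan(data: bytes) -> bool:
    """Raw substring scan over the archive bytes, as the issue describes."""
    return any(b"." + ext.encode() in data for ext in FORBIDDEN)

def member_names(data: bytes) -> list:
    """Hypothetical helper: member names of an in-memory zip or tar archive."""
    buf = io.BytesIO(data)
    if zipfile.is_zipfile(buf):
        # Names come from the zip central directory; nothing is decompressed.
        with zipfile.ZipFile(buf) as zf:
            return zf.namelist()
    buf.seek(0)
    # "r:*" autodetects gzip/bz2/xz; the stream is decompressed only in memory.
    with tarfile.open(fileobj=buf, mode="r:*") as tf:
        return tf.getnames()

def has_forbidden_member(data: bytes) -> bool:
    """True if a member's final extension is exactly one of FORBIDDEN."""
    exts = (os.path.splitext(n)[1].lstrip(".").lower() for n in member_names(data))
    return any(ext in FORBIDDEN for ext in exts)

def make_zip_with_media() -> bytes:
    """Constructed sample: a harmless .mp4 whose stored bytes contain '.py'."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("video.mp4", b"\x00\x01frame.py\xff\xfe")
    return out.getvalue()

def make_tgz_with_script() -> bytes:
    """Constructed sample: a .tgz whose only member is index.php."""
    out = io.BytesIO()
    with tarfile.open(fileobj=out, mode="w:gz") as tf:
        payload = b"<?php echo 1;"
        info = tarfile.TarInfo("index.php")
        info.size = len(payload)
        tf.addfile(info, io.BytesIO(payload))
    return out.getvalue()

if __name__ == "__main__":
    for blob in (make_zip_with_media(), make_tgz_with_script()):
        print(naive_scan(blob), has_forbidden_member(blob))
```

The member-name check compares only the final extension of each entry, so a production filter would still need limits on member count and archive size before walking a compressed tar stream.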

@tkuschel
Contributor

I've this issue as well with uploading a zip-file; which makes no sense to get scanned with plain data through the zip. I got a false positive with the '.pl' inside the zip-code of a 62MB file. The probability to get a false positive e.g. a substring with "pl." is 256^3 => (1:16777216) 62MB --> this is about 370%; with all the other extensions together (php,..inc,pl,cgi,fcgi,java,jar,py): the probability increases to 2/(256^3)+ 4/(256^4) ca. 1 : 8 300 000; with my 62 MB, the probability is >7 !! I.e. with a file of 100 MB, this is almost every time a false positive.
Because the get of the class JInputFiles calls the JFilterInput::isSafeFile() without the possibility to unset any options, I had to change my uploading extension to the unsecure 'raw' in $this->input->files->get('filename','','raw'); instead of ->get('filename')

  • very annoying

Not only the typo "fobidden", it makes no sense to scan through ".php" than with ".phps", ".php5", ...
the ".php" is part of ".phps" as well as ".php5", ".php3", ".php4" and returns false.
Thomas

@zaewin

zaewin commented Sep 12, 2016

Just wanted to log in and confirm this. I've tried uploading two zip files, one from a client (a SCORM package) and one of my own making containing some .mp4 files. Both are well over 100Mb and both fail when strstr() finds .py and .pl in them even though there are no such files in the archive. This is on Joomla 3.6.2. Any idea when we might get a patch? I've set fobidden_ext_in_content to false in order to have a functioning media manager.

@tkuschel
Copy link
Contributor

Are there any updates? @

@Quy
Contributor

Quy commented May 31, 2017

Duplicate #15563

@joomla-cms-bot

Set to "closed" on behalf of @franz-wohlkoenig by The JTracker Application at issues.joomla.org/joomla-cms/8197

@ghost

ghost commented May 31, 2017

closed as duplicate Report #15563. Thanks @Quy
