Front end form file upload security review…
I have a front end form on my site for which I use acf_form. This form allows registered users to upload images in a gallery field. I am limiting the accepted files to ‘jpeg,jpg,gif,png’ and have placed a 2MB file size limit on it.
I’ve been asked to conduct a security review on the site and I am looking at how secure this process is, the requirements I need to meet are as follows:
1. The uploaded file name must be checked server-side in order to reject file names:
– That contain a “null byte” (%00)
– That begin with a “.” (hidden file on Unix), especially “.ht” (configuration override file)
– That contain “/” “\” “..” or any forbidden filename characters that are equal to filenames used by web server or application server configuration (crossdomain.xml, clientaccesspolicy.xml, web.xml, …)
2. The uploaded file extension must be validated server-side, following a “white list” approach, where only a limited list of file extensions is accepted. File extension must not correspond to an executable file or script. The extension must also be taken into account starting from the end of the file name and not by the first character “.” from the beginning of the name.
3. The MIME type of upload file must be validated server-side with a white list approach. File with multiple MIME parts should not be accepted.
4. The size of uploaded files must be checked during transfer or before saving them to the hard drive, and must not exceed a certain limit set by the available disk space and the number of files that can be downloaded.
Of the above requirements, I am fairly confident that 1, 2 and 4 are met, however I don’t think that ACF checks the MIME type of the uploaded file? Am I correct? I have just tried by renaming a .exe file to a .jpg and I got it to upload fine which is slightly concerning.
Thanks in advance.
Yes, you are correct. ACF only looks at the file extension and not the file’s mime type. This should be submitted as a new support ticket here https://support.advancedcustomfields.com/new-ticket/
Do you mean that I should send a feature request via the support form for this in order to get the requirement assessed? If you’re saying that the Mime type is not currently checked, I’m not sure what raising a support ticket would achieve otherwise?
My personal opinion is that this is a bug because it is a security issue that should be addressed. But I’m not the developer and the only reason I’m suggesting it is to bring it to the attention of the dev.
It should be possible, using filters, to alter the checks and check the mime type yourself. Although I’m not 100% sure of the details for doing so. https://www.advancedcustomfields.com/resources/acf-validate_value/, or maybe https://www.advancedcustomfields.com/resources/acf-upload_prefilter/, or maybe both.
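The following is an added example, not code from ACF or from either poster, showing how the four requirements listed in the opening post can be enforced from the acf/upload_prefilter hook suggested above. The field name site_gallery, the helper function names and the reserved-name list are assumptions; the extension whitelist and the 2MB limit are the ones stated in the thread. The MIME check sniffs the uploaded bytes with finfo rather than trusting the client-supplied type, which is what catches a renamed .exe.

```php
<?php
/**
 * Added example (not ACF's own code): server-side upload checks for a
 * gallery field, hooked into acf/upload_prefilter. The field name
 * "site_gallery" is assumed; change it to the field under review.
 */

// Extension whitelist from the thread, mapped to the MIME type that the
// file's *content* must sniff as for that extension (requirements 2 and 3).
const SITE_GALLERY_ALLOWED = array(
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'gif'  => 'image/gif',
    'png'  => 'image/png',
);

// Names reserved by web/application server configuration (assumed list,
// built from the examples in requirement 1).
const SITE_GALLERY_RESERVED_NAMES = array(
    'crossdomain.xml', 'clientaccesspolicy.xml', 'web.xml',
    'web.config', '.htaccess', '.htpasswd',
);

/**
 * Requirement 1: checks on the raw client-supplied filename.
 * Returns an error message, or null when the name is acceptable.
 */
function site_gallery_check_filename( $name ) {
    if ( strpos( $name, "\0" ) !== false || stripos( $name, '%00' ) !== false ) {
        return 'Filename contains a null byte.';
    }
    if ( $name === '' || $name[0] === '.' ) {
        return 'Hidden filenames (starting with ".") are not allowed.';
    }
    if ( preg_match( '#[/\\\\]|\.\.#', $name ) ) {
        return 'Filename contains a path separator or "..".';
    }
    if ( in_array( strtolower( $name ), SITE_GALLERY_RESERVED_NAMES, true ) ) {
        return 'Filename is reserved by the server configuration.';
    }
    return null;
}

/**
 * Requirement 2: take the extension from the LAST dot, so "photo.jpg.php"
 * yields "php" (rejected), while "photo.php.jpg" yields "jpg" and is then
 * subject to the content check below.
 */
function site_gallery_extension( $name ) {
    $pos = strrpos( $name, '.' );
    return $pos === false ? '' : strtolower( substr( $name, $pos + 1 ) );
}

/**
 * Requirement 3: sniff the MIME type from the bytes in the temp file, never
 * from $file['type'] (which the browser sets), and require it to match the
 * extension. getimagesize() is a second opinion that the data is an image.
 */
function site_gallery_check_mime( $tmp_name, $ext ) {
    $finfo   = finfo_open( FILEINFO_MIME_TYPE );
    $sniffed = finfo_file( $finfo, $tmp_name );
    finfo_close( $finfo );
    if ( $sniffed !== SITE_GALLERY_ALLOWED[ $ext ] ) {
        return sprintf( 'File content (%s) does not match extension .%s.', $sniffed, $ext );
    }
    if ( @getimagesize( $tmp_name ) === false ) {
        return 'File is not a valid image.';
    }
    return null;
}

/**
 * The acf/upload_prefilter callback: $file is the $_FILES entry for the
 * upload; appending to $errors makes ACF reject it with that message.
 */
function site_gallery_upload_prefilter( $errors, $file, $field ) {
    $name = $file['name'];
    if ( $err = site_gallery_check_filename( $name ) ) {
        $errors[] = $err;
        return $errors;
    }
    $ext = site_gallery_extension( $name );
    if ( ! isset( SITE_GALLERY_ALLOWED[ $ext ] ) ) {
        $errors[] = 'Only jpg, jpeg, gif and png files are accepted.';
        return $errors;
    }
    if ( $err = site_gallery_check_mime( $file['tmp_name'], $ext ) ) {
        $errors[] = $err;
        return $errors;
    }
    // Requirement 4: size check alongside the field's own max_size setting.
    if ( $file['size'] > 2 * 1024 * 1024 ) {
        $errors[] = 'File exceeds the 2MB limit.';
    }
    return $errors;
}
add_filter( 'acf/upload_prefilter/name=site_gallery', 'site_gallery_upload_prefilter', 10, 3 );
```

With this in place, the renamed .exe from the opening post sniffs as an executable rather than image/jpeg and is refused before it reaches the media library; a file whose bytes are a real PNG but whose name ends in .jpg is refused for the same reason, which is the intended strictness of a whitelist that ties extension to content.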
Understood John! Appreciate your input, I have raised a support ticket and have had a response from Eliot who has also suggested using the filters to check the uploads so once I have completed my review, this will probably be on my list of actions!