(dev/core#1044) Extension/MIME matching should be case insensitive
author Tim Otten <totten@civicrm.org>
Fri, 14 Jun 2019 20:57:55 +0000 (16:57 -0400)
committer Tim Otten <totten@civicrm.org>
Fri, 14 Jun 2019 20:57:55 +0000 (16:57 -0400)
commit 9a0e703964ca3aa30e0e3fb6674d13a531c88cb0
tree 13599d1a5d3d0d8cc1fcac42b8abeae3a527e2f9
parent 939a3cd18737d29729b89b62326214319318994a
(dev/core#1044) Extension/MIME matching should be case insensitive

Overview
--------

For CIVI-SA-2019-15, the delivery of file attachments was tightened to
ensure that the file-extension and mime-type were in agreement.  However,
the check yields a false-negative in the common case where the filename has
been capitalized.  It should treat `foo.jpg`, `foo.JPG`, and `FOO.JPG` as
equally valid.

Before
------

* When viewing a contact profile image ending with `.JPG`, there is an error
  message, `Supplied mime-type does not match file extension`.

After
-----

* When viewing a contact profile image ending with `.JPG`, the image is
  delivered.

Comments
--------

See also:

* https://civicrm.org/advisory/civi-sa-2019-15-xss-via-forged-mime-type
* https://lab.civicrm.org/dev/core/issues/1044

CRM/Core/Page/File.php
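
The extension/MIME agreement check described in the commit message above, shown as an added PHP example that is not CiviCRM's code from `CRM/Core/Page/File.php`: a case-sensitive lookup beside a case-folding one. The map `EXT_MIME_MAP`, both function names and the sample inputs are hypothetical and constructed for illustration.

```php
<?php
// Added illustration, not CiviCRM's implementation.
// Constructed allow-list: lower-case extension => acceptable MIME types.
const EXT_MIME_MAP = [
  'jpg'  => ['image/jpeg'],
  'jpeg' => ['image/jpeg'],
  'png'  => ['image/png'],
  'pdf'  => ['application/pdf'],
];

/**
 * Case-sensitive check (hypothetical): "foo.JPG" misses the lower-case key,
 * so a legitimate JPEG is refused.
 */
function mimeMatchesExtensionStrict(string $fileName, string $mimeType): bool {
  $ext = pathinfo($fileName, PATHINFO_EXTENSION);
  $allowed = array_key_exists($ext, EXT_MIME_MAP) ? EXT_MIME_MAP[$ext] : [];
  return in_array($mimeType, $allowed, TRUE);
}

/**
 * Case-insensitive check (hypothetical): both the extension and the MIME type
 * are lower-cased before the lookup. Unknown extensions and mismatched types
 * are still rejected, so the protection against forged MIME types is kept.
 */
function mimeMatchesExtension(string $fileName, string $mimeType): bool {
  $ext = strtolower(pathinfo($fileName, PATHINFO_EXTENSION));
  $mime = strtolower(trim($mimeType));
  $allowed = array_key_exists($ext, EXT_MIME_MAP) ? EXT_MIME_MAP[$ext] : [];
  return in_array($mime, $allowed, TRUE);
}

// Constructed sample inputs: file name, supplied MIME type.
$cases = [
  ['foo.jpg', 'image/jpeg'],
  ['foo.JPG', 'image/jpeg'],
  ['FOO.JPG', 'IMAGE/JPEG'],
  ['foo.JPG', 'text/html'],   // mismatched type: must stay rejected
  ['foo',     'image/jpeg'],  // no extension: must stay rejected
];
foreach ($cases as [$name, $mime]) {
  printf("%-8s %-11s strict=%s folded=%s\n", $name, $mime,
    var_export(mimeMatchesExtensionStrict($name, $mime), TRUE),
    var_export(mimeMatchesExtension($name, $mime), TRUE));
}
```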