GHSA-7gwj-7fhm-vw4w: Drupal core unrestricted file upload

May 15, 2024

Drupal 8 core’s file_save_upload() function does not strip the leading and trailing dot (’.’) from filenames, like Drupal 7 did.

Users with the ability to upload files with any extension in conjunction with contributed modules may be able to use this to upload system files such as .htaccess in order to bypass protections afforded by Drupal’s default .htaccess file.

After this fix, file_save_upload() now trims leading and trailing dots from filenames.

References

github.com/FriendsOfPHP/security-advisories/blob/master/drupal/core/2019-12-18-2.yaml
github.com/advisories/GHSA-7gwj-7fhm-vw4w
github.com/drupal/core
www.drupal.org/sa-core-2019-010

Detect and mitigate GHSA-7gwj-7fhm-vw4w with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →