[Mahara-contributors] [Bug 1770535] Re: Able to upload a virus file to Files section
** Information type changed from Private Security to Public Security -- You received this bug notification because you are a member of Mahara Contributors, which is subscribed to Mahara. Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it! https://bugs.launchpad.net/bugs/1770535 Title: Able to upload a virus file to Files section Status in Mahara: Fix Committed Status in Mahara 17.04 series: Fix Released Status in Mahara 17.10 series: Fix Released Status in Mahara 18.04 series: Fix Released Status in Mahara 18.10 series: Fix Committed Bug description: If I try to upload the benign test virus file called "eicar.com" from https://www.ikarussecurity.com/support/virus-info/test-viruses/ Mahara spots it and alerts user it is a virus However, if I try to upload the eicar_com.zip file it lets me (which is bad) but understandable as the signature of the virus file can be hidden via compression. And a user could only be infected if they download the zip and extract it locally. But if I then press the 'Decompress' button it extracts the zip file and doesn't complain. This is bad as all one needs to do to upload a virus is to wrap it in a zip file and then extract it and now they can trick another user to click on the file directly. When importing a zip file via Importer and clamav is on it checks the files of the zip for viruses but when extracting a zip file in Files section it does not. We need to tidy this up so that uploading a zip file gets checked properly as well. To manage notifications about this bug go to: https://bugs.launchpad.net/mahara/+bug/1770535/+subscriptions ___ Mailing list: https://launchpad.net/~mahara-contributors Post to : mahara-contributors@lists.launchpad.net Unsubscribe : https://launchpad.net/~mahara-contributors More help : https://help.launchpad.net/ListHelp
[Mahara-contributors] [Bug 1770535] Re: Able to upload a virus file to Files section
** Changed in: mahara/18.10 Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Mahara Contributors, which is subscribed to Mahara. Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it! https://bugs.launchpad.net/bugs/1770535 Title: Able to upload a virus file to Files section Status in Mahara: Fix Released Status in Mahara 17.04 series: Fix Released Status in Mahara 17.10 series: Fix Released Status in Mahara 18.04 series: Fix Released Status in Mahara 18.10 series: Fix Released Bug description: If I try to upload the benign test virus file called "eicar.com" from https://www.ikarussecurity.com/support/virus-info/test-viruses/ Mahara spots it and alerts user it is a virus However, if I try to upload the eicar_com.zip file it lets me (which is bad) but understandable as the signature of the virus file can be hidden via compression. And a user could only be infected if they download the zip and extract it locally. But if I then press the 'Decompress' button it extracts the zip file and doesn't complain. This is bad as all one needs to do to upload a virus is to wrap it in a zip file and then extract it and now they can trick another user to click on the file directly. When importing a zip file via Importer and clamav is on it checks the files of the zip for viruses but when extracting a zip file in Files section it does not. We need to tidy this up so that uploading a zip file gets checked properly as well. To manage notifications about this bug go to: https://bugs.launchpad.net/mahara/+bug/1770535/+subscriptions ___ Mailing list: https://launchpad.net/~mahara-contributors Post to : mahara-contributors@lists.launchpad.net Unsubscribe : https://launchpad.net/~mahara-contributors More help : https://help.launchpad.net/ListHelp