Hi there,
I recently noticed that the PersistentResource table of one Neos installation contains over 100000 rows. Some of these files contain SQL commands, which look like an attempted SQL injection. Luckily it does not work, because the SQL commands are never executed, but the files are kept anyway.
I think the reason for these files is a public form with a FileUpload field. The field has a FileTypeValidator with some allowedExtensions and the form also has a captcha field.
The problem is: If I select an invalid file (e.g. an evil-sql.txt file, where txt is not in the list of allowed extensions) and submit the form, the file is added to the PersistentResource table and only validated after that. So if any validator adds an error (regardless of whether it is the captcha validator or the file validator) the file evil-sql.txt is still saved as a PersistentResource.
I looked at the FileTypeValidator class and I am wondering how I could avoid creating the PersistentResources if the validation fails. Since the isValid method already expects a PersistentResource, I think that the PersistentResource is already persisted before it has been validated.
Is this a “by design” issue?
Can I work around this problem?
I thought about deleting all PersistentResources which are not referenced by any Asset or Thumbnail, but what if another extension references PersistentResources? I might delete files that are still referenced (depending on the foreign key definition).
Regards
Leif
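The post above considers deleting PersistentResource rows that no Asset or Thumbnail references, but worries about other packages that might reference them. The following is an added example, not code from the post or from Neos/Flow itself: it first asks the database (MySQL/MariaDB information_schema) which tables actually carry a foreign key to the resource table, and then counts the rows that none of the known referrers use, as a dry run before anything is deleted. The table and column names (neos_flow_resourcemanagement_persistentresource, neos_media_domain_model_asset.resource, neos_media_domain_model_thumbnail.resource, persistence_object_identifier) are assumed Flow/Neos defaults and should be checked against the actual schema.

```sql
-- Added example (not from the original post or from Neos/Flow).
-- Step 1: discover every table/column in the current schema whose foreign key
-- points at the PersistentResource table, so that referrers added by other
-- packages are not overlooked. Table name assumed to be the Flow default.
SELECT TABLE_NAME, COLUMN_NAME, CONSTRAINT_NAME
FROM information_schema.KEY_COLUMN_USAGE
WHERE TABLE_SCHEMA = DATABASE()
  AND REFERENCED_TABLE_NAME = 'neos_flow_resourcemanagement_persistentresource';

-- Step 2 (dry run): count resources that none of the referrers found in
-- step 1 point to. Extend the NOT EXISTS list with one clause per row that
-- step 1 returned. Column names below are assumed Neos.Media defaults.
SELECT COUNT(*) AS orphaned_resources
FROM neos_flow_resourcemanagement_persistentresource r
WHERE NOT EXISTS (
        SELECT 1 FROM neos_media_domain_model_asset a
        WHERE a.resource = r.persistence_object_identifier)
  AND NOT EXISTS (
        SELECT 1 FROM neos_media_domain_model_thumbnail t
        WHERE t.resource = r.persistence_object_identifier);

-- Step 3 (inspection): list the candidates with filename and extension so the
-- uploads that failed validation (e.g. txt files) can be recognised first.
SELECT r.persistence_object_identifier, r.filename, r.fileextension, r.filesize
FROM neos_flow_resourcemanagement_persistentresource r
WHERE NOT EXISTS (
        SELECT 1 FROM neos_media_domain_model_asset a
        WHERE a.resource = r.persistence_object_identifier)
  AND NOT EXISTS (
        SELECT 1 FROM neos_media_domain_model_thumbnail t
        WHERE t.resource = r.persistence_object_identifier)
ORDER BY r.filename
LIMIT 100;
```

Two caveats: step 1 only finds referrers that are declared as real foreign keys, so a package that stores a resource identifier in a plain column without a constraint would still be missed; and deleting the rows with plain SQL leaves the underlying files in the resource storage, so the queries are for identification, and the actual removal should go through the Flow ResourceManager so that both the row and the stored file are removed together.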