I recently noticed that the PersistentResource table of one Neos installation contains over 100000 rows. Some of these files contain SQL commands, which look like an attempted SQL injection. Luckily it does not work, because the SQL commands are never executed, but the files are kept anyway.

I think the reason for these files is a public form with a FileUpload field. The field has a FileTypeValidator with some allowedExtensions and the form also has a captcha field. The problem is: if I select an invalid file (i.e. an evil-sql.txt file, where txt is not in the list of allowed extensions) and submit the form, the file is added to the PersistentResource table and only after that validated. So if any validator adds an error (regardless of whether it is the captcha validator or the file validator) the file evil-sql.txt is still saved as a PersistentResource.

I looked at the FileTypeValidator class and I am wondering how I could avoid creating the PersistentResources if the validation fails. Since the isValid method already expects a PersistentResource, I think that the PersistentResource is already persisted before it has been validated.

I thought about deleting all PersistentResources which are not referenced by any Asset or Thumbnail, but what if another extension references PersistentResources? I might delete files that are still referenced (depending on the foreign key definition).

There is an ongoing discussion in Slack containing references to pull requests. I created a Gist with my temporary workaround.
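One way to stop rejected uploads from piling up as orphan rows, as an added illustration that is neither the post author's workaround nor Neos's own code: a validator that checks the extension and then deletes the PersistentResource the property mapper already imported, rather than sweeping unreferenced resources later. It assumes Flow's `AbstractValidator`, `ResourceManager::deleteResource()` and `PersistentResource::getFileExtension()`; the `Acme\Site` namespace and the error codes are placeholders.

```php
<?php
namespace Acme\Site\Validation;

use Neos\Flow\Annotations as Flow;
use Neos\Flow\ResourceManagement\PersistentResource;
use Neos\Flow\ResourceManagement\ResourceManager;
use Neos\Flow\Validation\Validator\AbstractValidator;

/**
 * Extension check that also removes the PersistentResource which was
 * imported before validation ran, so a rejected upload leaves no
 * orphan database row and no file in the storage.
 * (Illustrative class, not part of the Neos.Form package.)
 */
class CleanupFileTypeValidator extends AbstractValidator
{
    /**
     * @var array
     */
    protected $supportedOptions = [
        'allowedExtensions' => [[], 'Allowed file extensions, without the dot', 'array', true],
    ];

    /**
     * @Flow\Inject
     * @var ResourceManager
     */
    protected $resourceManager;

    /**
     * @param mixed $value The value handed over by the form, expected to be a PersistentResource
     * @return void
     */
    protected function isValid($value)
    {
        if (!$value instanceof PersistentResource) {
            // Placeholder error code; Flow convention is a unique timestamp
            $this->addError('The given value is not a PersistentResource.', 1000000001);
            return;
        }

        $extension = strtolower((string)$value->getFileExtension());
        $allowed = array_map('strtolower', (array)$this->options['allowedExtensions']);

        if ($extension === '' || !in_array($extension, $allowed, true)) {
            // Remove the resource that was persisted before this check could run,
            // instead of leaving it for a later (and riskier) orphan cleanup.
            $this->resourceManager->deleteResource($value);
            $this->addError('The file extension "%s" is not allowed.', 1000000002, [$extension]);
        }
    }
}
```

Only the resource created by this very submission is removed, so the concern about deleting resources another package still references does not arise; the captcha case (a valid file rejected by a different validator) is not covered by this check alone.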