[CVE-2020-9309] Require MimeUploadValidator on userformis' File Uploa…

…d field
silverstripe · Jul 12, 2020 · 27228d1 · 27228d1
1 parent 0c09eec
commit 27228d1
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 2 deletions.
diff --git a/_config/mimevalidator.yml b/_config/mimevalidator.yml
@@ -0,0 +1,6 @@
+---
+Name: mimeuploadvalidator-userforms
+---
+SilverStripe\Core\Injector\Injector:
+  SilverStripe\Assets\Upload_Validator.userforms:
+    class: SilverStripe\MimeValidator\MimeUploadValidator
diff --git a/code/Model/EditableFormField/EditableFileField.php b/code/Model/EditableFormField/EditableFileField.php
@@ -4,7 +4,9 @@
 
 use SilverStripe\Assets\File;
 use SilverStripe\Assets\Folder;
+use SilverStripe\Assets\Upload_Validator;
 use SilverStripe\Core\Config\Config;
+use SilverStripe\Core\Injector\Injector;
 use SilverStripe\Forms\FileField;
 use SilverStripe\Forms\LiteralField;
 use SilverStripe\Forms\NumericField;
@@ -96,11 +98,14 @@ public function validate()
         return $result;
     }
 
+
+
     public function getFormField()
     {
         $field = FileField::create($this->Name, $this->Title ?: false)
             ->setFieldHolderTemplate(EditableFormField::class . '_holder')
-            ->setTemplate(__CLASS__);
+            ->setTemplate(__CLASS__)
+            ->setValidator(Injector::inst()->get(Upload_Validator::class . '.userforms'));
 
         $field->setFieldHolderTemplate(EditableFormField::class . '_holder')
             ->setTemplate(__CLASS__);

diff --git a/composer.json b/composer.json
@@ -33,7 +33,8 @@
         "silverstripe/cms": "^4.0",
         "symbiote/silverstripe-gridfieldextensions": "^3.1",
         "silverstripe/segment-field": "^2.0",
-        "silverstripe/versioned": "^1.0"
+        "silverstripe/versioned": "^1.0",
+        "silverstripe/mimevalidator": "^2.0"
     },
     "require-dev": {
         "phpunit/phpunit": "^5.7",