From d459c51adae678de2477c3fd7c6f115ece4962db Mon Sep 17 00:00:00 2001
From: Maxime Rainville
Date: Mon, 11 May 2020 13:55:33 +1200
Subject: [PATCH] [CVE-2020-9309] Require MimeUploadValidator on userformis' File Upload field

---
 _config/mimevalidator.yml                          | 6 ++++++
 code/Model/EditableFormField/EditableFileField.php | 7 ++++++-
 composer.json                                      | 3 ++-
 3 files changed, 14 insertions(+), 2 deletions(-)
 create mode 100644 _config/mimevalidator.yml

diff --git a/_config/mimevalidator.yml b/_config/mimevalidator.yml
new file mode 100644
index 000000000..75e2e22f9
--- /dev/null
+++ b/_config/mimevalidator.yml
@@ -0,0 +1,6 @@
+---
+Name: mimeuploadvalidator-userforms
+---
+SilverStripe\Core\Injector\Injector:
+  SilverStripe\Assets\Upload_Validator.userforms:
+    class: SilverStripe\MimeValidator\MimeUploadValidator
diff --git a/code/Model/EditableFormField/EditableFileField.php b/code/Model/EditableFormField/EditableFileField.php
index d4810f1ea..a2233954e 100755
--- a/code/Model/EditableFormField/EditableFileField.php
+++ b/code/Model/EditableFormField/EditableFileField.php
@@ -4,10 +4,12 @@
 
 use SilverStripe\Assets\File;
 use SilverStripe\Assets\Folder;
+use SilverStripe\Assets\Upload_Validator;
 use SilverStripe\Core\Config\Config;
 use SilverStripe\Core\Convert;
 use SilverStripe\Forms\FieldList;
 use SilverStripe\Forms\FileField;
+use SilverStripe\Core\Injector\Injector;
 use SilverStripe\Forms\LiteralField;
 use SilverStripe\Forms\NumericField;
 use SilverStripe\Forms\TreeDropdownField;
@@ -192,11 +194,14 @@ public function validate()
         return $result;
     }
 
+
+
     public function getFormField()
     {
         $field = FileField::create($this->Name, $this->Title ?: false)
             ->setFieldHolderTemplate(EditableFormField::class . '_holder')
-            ->setTemplate(__CLASS__);
+            ->setTemplate(__CLASS__)
+            ->setValidator(Injector::inst()->get(Upload_Validator::class . '.userforms'));
 
         $field->setFieldHolderTemplate(EditableFormField::class . '_holder')
             ->setTemplate(__CLASS__);
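Review bot: The `SilverStripe\Assets\Upload_Validator.userforms` service is declared without `type: prototype`, so the `Injector::inst()->get(...)` call added in the EditableFileField.php hunk hands every file field the same shared MimeUploadValidator instance. If the rest of getFormField (it continues outside that hunk) tunes the validator per field, for example allowed extensions or the maximum file size, one field's settings would carry over to the next file field on the same form. Either add `type: prototype` under the service entry here, or call `Injector::inst()->create(Upload_Validator::class . '.userforms')` instead of `get`. A one-line comment above the entry would also help a later reader: `# Replace the default Upload_Validator with one that also checks the upload's MIME type (CVE-2020-9309)`.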
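Review bot: Style: the hunk adds two blank `+` lines before `public function getFormField()`, leaving three blank lines between `validate()` and `getFormField()` where PSR-12 calls for one; drop both added blank lines. The `use SilverStripe\Core\Injector\Injector;` added in the preceding hunk sits between the `SilverStripe\Forms` imports although the block is otherwise alphabetised; it belongs directly after `use SilverStripe\Core\Convert;`. The two context lines below the change re-apply `setFieldHolderTemplate`/`setTemplate` that the chain has just set, which is pre-existing redundancy the same cleanup could remove. getFormField's body continues past the end of the hunk.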
diff --git a/composer.json b/composer.json
index 1554126cd..c3db16a59 100644
--- a/composer.json
+++ b/composer.json
@@ -34,7 +34,8 @@
         "silverstripe/cms": "^4.6",
         "symbiote/silverstripe-gridfieldextensions": "^3.1",
         "silverstripe/segment-field": "^2.0",
-        "silverstripe/versioned": "^1.0"
+        "silverstripe/versioned": "^1.0",
+        "silverstripe/mimevalidator": "^2.0"
     },
     "require-dev": {
         "phpunit/phpunit": "^5.7",