Problem/Motivation
Following discussion with the Drupal Security Team, it was agreed that this could be handled in a public "security improvements" issue.
At present Drupal's file API allows filenames to be created which could be dangerous if they're not handled safely. This is not a directly exploitable vulnerability, but improvements could be made that would reduce the likelihood of filenames being used as part of a chained attack.
Command injection is a specific concern here.
https://owasp.org/www-community/attacks/Command_Injection
https://portswigger.net/web-security/os-command-injection
Steps to reproduce
In some cases, browsers will escape/encode certain characters in a normal file upload, but it may be possible to avoid that escaping using a tool like Burp Suite, or perhaps via web services (rest / jsonapi).
An example of a dangerous filename which I believe a normal file field will currently accept is:
foo";echo `whoami`; #.txt
A fairly recent improvement to filename handling (which we could build upon) is described in this Change Record:
https://www.drupal.org/node/2972665
Proposed resolution
One or more of:
- Always remove/replace specific characters that may be used for command injection, e.g. " ; # | ` and, if possible, ' & .
- Disallow spaces by default in filenames (makes it quite a lot harder to achieve meaningful command injection).
- Review defaults for filename transliteration to make command injection as hard as possible.
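As an illustration of the first two points above, here is an added example (not Drupal core code, and not part of the original issue) of a sanitiser that strips the listed characters and replaces whitespace. The function names, the constant name and the choice of underscore as the replacement character are assumptions made for this example; in core the equivalent logic would belong in the file upload/validation path rather than in a standalone script.

```php
<?php
// Added example, not Drupal core code. Implements the proposal above:
// remove characters that carry meaning in a shell and replace whitespace.
// Function names and the replacement character are assumptions.

/**
 * Characters the proposal lists as risky: " ; # | ` plus, where acceptable,
 * ' and &. These are stripped outright rather than escaped.
 */
const SHELL_RISK_CHARACTERS = ['"', ';', '#', '|', '`', "'", '&'];

/**
 * Returns TRUE when $filename still contains a listed character or any
 * whitespace. Usable as an upload validation check or as a test assertion.
 */
function filename_has_shell_risk(string $filename): bool {
  foreach (SHELL_RISK_CHARACTERS as $char) {
    if (strpos($filename, $char) !== FALSE) {
      return TRUE;
    }
  }
  return (bool) preg_match('/\s/', $filename);
}

/**
 * Strips the risky characters and collapses runs of whitespace into
 * $replacement. Only the listed characters are touched, so the extension
 * is preserved as-is.
 */
function sanitize_filename_for_shell(string $filename, string $replacement = '_'): string {
  $safe = str_replace(SHELL_RISK_CHARACTERS, '', $filename);
  // Spaces, tabs and newlines all become the replacement character.
  $safe = preg_replace('/\s+/', $replacement, $safe);
  // Adjacent removals can leave doubled replacement characters; collapse them.
  $safe = preg_replace('/' . preg_quote($replacement, '/') . '{2,}/', $replacement, $safe);
  $safe = trim($safe, $replacement);
  // Never return an empty name; fall back to a neutral placeholder.
  return $safe === '' ? 'file' : $safe;
}

// Sample input constructed from the filename quoted in the issue description.
$input = 'foo";echo `whoami`; #.txt';
$output = sanitize_filename_for_shell($input);
var_dump(filename_has_shell_risk($input));
var_dump($output);
var_dump(filename_has_shell_risk($output));
```

Running the script shows the input flagged as risky, the sanitised name containing only the letters, underscores and the .txt extension, and the sanitised name passing the check. A PHPUnit test for core would call sanitize_filename_for_shell() on the quoted filename and assert that filename_has_shell_risk() returns FALSE on the result.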
Remaining tasks
- Implement improvements.
- Add tests (e.g. in \Drupal\Tests\file\Functional\SaveUploadTest).
- Ensure that improvements also apply to web services and other uses of the API if possible.
User interface changes
Default filename handling may change; most noticeable changes for users may include removal/substitution of commonly used characters such as spaces, apostrophes and ampersands.
Introduced terminology
n/a?
API changes
Changes to filename handling may represent an API change.
Data model changes
n/a?
Release notes snippet
tbc