Drupal Malicious file upload with filenames stating with dot

Drupal 8 core's file_save_upload() function does not strip the leading and trailing dot ('.') from filenames, like Drupal 7 did.

Users with the ability to upload files with any extension in conjunction with contributed modules may be able to use this to upload system files such as .htaccess in order to bypass protections afforded by Drupal's default .htaccess file.

After this fix, file_save_upload() now trims leading and trailing dots from filenames.

Published: May 15, 2024
Updated: Jun 27, 2024
GHSA: GHSA-58xv-7h9r-mx3c
Severity: Medium
Exploit:

No technical information available.

CWEs:

CWE-434

Affected Software
References

Software	From	Fixed in
drupal / drupal	8.0.0	8.7.11
drupal / drupal	8.8.0	8.8.1

https://github.com/FriendsOfPHP/security-advisories/blob/master/drupal/drupal/2019-12-18-2.yaml
https://www.drupal.org/sa-core-2019-010

Vulnerability Database

289,599

Drupal Malicious file upload with filenames stating with dot