card-mod-script 0.13.4 → 0.14.0
- checksums.yaml +4 -4
- data/assets/script/decko/components.js.coffee +3 -0
- data/assets/script/decko/decko.js.coffee +0 -15
- data/assets/script/decko/editor.js.coffee +3 -1
- data/assets/script/decko/filter.js.coffee +13 -6
- data/assets/script/decko/mod.js.coffee +2 -8
- data/assets/script/{script_pointer_config.js.coffee → decko/pointer_config.js.coffee} +1 -2
- data/assets/script/{script_pointer_list_editor.js.coffee → decko/pointer_list_editor.js.coffee} +0 -0
- data/assets/script/decko/slot.js.coffee +2 -2
- data/assets/script/decko/slot_ready.js.coffee +1 -0
- data/assets/script/decko/slotter.js.coffee +23 -31
- data/assets/script/decko/type_editor.js.coffee +21 -0
- data/assets/script/decko/upload.js.coffee +12 -5
- data/assets/script/manifest.yml +15 -2
- data/set/abstract/00_script.rb +30 -31
- data/set/abstract/01_asset_script.rb +0 -16
- data/set/abstract/{script_asset_list.rb → script_group.rb} +12 -13
- data/set/all/head_javascript.rb +4 -5
- data/set/right/script.rb +1 -14
- data/set/type/local_script_folder_group.rb +2 -2
- data/set/type/local_script_manifest_group.rb +1 -1
- data/set/type_plus_right/mod/script.rb +56 -0
- data/set/type_plus_right/set/script.rb +7 -0
- data/vendor/jquery_file_upload/LICENSE.txt +11 -12
- data/vendor/jquery_file_upload/README.md +189 -72
- data/vendor/jquery_file_upload/SECURITY.md +227 -0
- data/vendor/jquery_file_upload/VULNERABILITIES.md +118 -0
- data/vendor/jquery_file_upload/cors/postmessage.html +68 -58
- data/vendor/jquery_file_upload/cors/result.html +12 -10
- data/vendor/jquery_file_upload/css/jquery.fileupload-ui.css +24 -13
- data/vendor/jquery_file_upload/css/jquery.fileupload.css +3 -4
- data/vendor/jquery_file_upload/docker-compose.yml +55 -0
- data/vendor/jquery_file_upload/index.html +332 -230
- data/vendor/jquery_file_upload/js/cors/jquery.postmessage-transport.js +109 -109
- data/vendor/jquery_file_upload/js/cors/jquery.xdr-transport.js +81 -73
- data/vendor/jquery_file_upload/js/demo.js +75 -0
- data/vendor/jquery_file_upload/js/jquery.fileupload-audio.js +82 -94
- data/vendor/jquery_file_upload/js/jquery.fileupload-image.js +321 -300
- data/vendor/jquery_file_upload/js/jquery.fileupload-process.js +138 -146
- data/vendor/jquery_file_upload/js/jquery.fileupload-ui.js +737 -692
- data/vendor/jquery_file_upload/js/jquery.fileupload-validate.js +91 -97
- data/vendor/jquery_file_upload/js/jquery.fileupload-video.js +82 -94
- data/vendor/jquery_file_upload/js/jquery.fileupload.js +1569 -1451
- data/vendor/jquery_file_upload/js/jquery.iframe-transport.js +208 -205
- data/vendor/jquery_file_upload/js/vendor/jquery.ui.widget.js +397 -340
- data/vendor/jquery_file_upload/package-lock.json +6853 -0
- data/vendor/jquery_file_upload/package.json +71 -10
- data/vendor/jquery_file_upload/server/gae-python/app.yaml +11 -10
- data/vendor/jquery_file_upload/server/php/Dockerfile +23 -17
- data/vendor/jquery_file_upload/server/php/UploadHandler.php +206 -137
- data/vendor/jquery_file_upload/server/php/php.ini +5 -0
- data/vendor/jquery_file_upload/test/index.html +36 -159
- data/vendor/jquery_file_upload/test/unit.js +989 -0
- data/vendor/jquery_file_upload/test/vendor/chai.js +10854 -0
- data/vendor/jquery_file_upload/test/vendor/mocha.css +325 -0
- data/vendor/jquery_file_upload/test/vendor/mocha.js +18178 -0
- data/vendor/jquery_file_upload/wdio/LICENSE.txt +20 -0
- data/vendor/jquery_file_upload/wdio/assets/black+white-3x2.jpg +0 -0
- data/vendor/jquery_file_upload/wdio/assets/black+white-60x40.gif +0 -0
- data/vendor/jquery_file_upload/wdio/conf/chrome.js +40 -0
- data/vendor/jquery_file_upload/wdio/conf/firefox.js +25 -0
- data/vendor/jquery_file_upload/wdio/hooks/index.js +36 -0
- data/vendor/jquery_file_upload/wdio/test/pages/file-upload.js +79 -0
- data/vendor/jquery_file_upload/wdio/test/specs/01-file-upload.js +25 -0
- data/vendor/jquery_file_upload/wdio/wdio.conf.js +4 -0
- metadata +34 -52
- data/file/mod_script_script_decko_machine_output/file.js +0 -2685
- data/file/mod_script_script_jquery_machine_output/file.js +0 -12926
- data/lib/javascript/script_html5shiv_printshiv.js +0 -1
- data/set/self/script_html5shiv_printshiv.rb +0 -11
- data/set/self/script_mods.rb +0 -1
- data/set/type/mod_script_assets.rb +0 -21
- data/vendor/jquery_file_upload/CONTRIBUTING.md +0 -15
- data/vendor/jquery_file_upload/angularjs.html +0 -211
- data/vendor/jquery_file_upload/basic-plus.html +0 -226
- data/vendor/jquery_file_upload/basic.html +0 -136
- data/vendor/jquery_file_upload/bower-version-update.js +0 -16
- data/vendor/jquery_file_upload/bower.json +0 -64
- data/vendor/jquery_file_upload/css/jquery-ui-demo-ie8.css +0 -21
- data/vendor/jquery_file_upload/css/jquery-ui-demo.css +0 -67
- data/vendor/jquery_file_upload/css/style.css +0 -15
- data/vendor/jquery_file_upload/jquery-ui.html +0 -252
- data/vendor/jquery_file_upload/js/app.js +0 -101
- data/vendor/jquery_file_upload/js/jquery.fileupload-angular.js +0 -437
- data/vendor/jquery_file_upload/js/jquery.fileupload-jquery-ui.js +0 -161
- data/vendor/jquery_file_upload/js/main.js +0 -75
- data/vendor/jquery_file_upload/server/gae-go/app/main.go +0 -361
- data/vendor/jquery_file_upload/server/gae-go/app.yaml +0 -12
- data/vendor/jquery_file_upload/server/gae-go/static/favicon.ico +0 -0
- data/vendor/jquery_file_upload/server/gae-go/static/robots.txt +0 -2
- data/vendor/jquery_file_upload/server/php/docker-compose.yml +0 -9
- data/vendor/jquery_file_upload/test/test.js +0 -1292
@@ -1,107 +1,224 @@
|
|
1
|
-
# jQuery File Upload
|
2
|
-
|
3
|
-
##
|
4
|
-
|
1
|
+
# jQuery File Upload
|
2
|
+
|
3
|
+
## Contents
|
4
|
+
|
5
|
+
- [Description](#description)
|
6
|
+
- [Demo](#demo)
|
7
|
+
- [Features](#features)
|
8
|
+
- [Security](#security)
|
9
|
+
- [Setup](#setup)
|
10
|
+
- [Requirements](#requirements)
|
11
|
+
- [Mandatory requirements](#mandatory-requirements)
|
12
|
+
- [Optional requirements](#optional-requirements)
|
13
|
+
- [Cross-domain requirements](#cross-domain-requirements)
|
14
|
+
- [Browsers](#browsers)
|
15
|
+
- [Desktop browsers](#desktop-browsers)
|
16
|
+
- [Mobile browsers](#mobile-browsers)
|
17
|
+
- [Extended browser support information](#extended-browser-support-information)
|
18
|
+
- [Testing](#testing)
|
19
|
+
- [Support](#support)
|
20
|
+
- [License](#license)
|
5
21
|
|
6
22
|
## Description
|
7
|
-
File Upload widget with multiple file selection, drag&drop support, progress bars, validation and preview images, audio and video for jQuery.
|
8
|
-
Supports cross-domain, chunked and resumable file uploads and client-side image resizing. Works with any server-side platform (PHP, Python, Ruby on Rails, Java, Node.js, Go etc.) that supports standard HTML form file uploads.
|
9
23
|
|
10
|
-
|
11
|
-
|
12
|
-
|
24
|
+
> File Upload widget with multiple file selection, drag&drop support, progress
|
25
|
+
> bars, validation and preview images, audio and video for jQuery.
|
26
|
+
> Supports cross-domain, chunked and resumable file uploads and client-side
|
27
|
+
> image resizing.
|
28
|
+
> Works with any server-side platform (PHP, Python, Ruby on Rails, Java,
|
29
|
+
> Node.js, Go etc.) that supports standard HTML form file uploads.
|
30
|
+
|
31
|
+
## Demo
|
32
|
+
|
33
|
+
[Demo File Upload](https://blueimp.github.io/jQuery-File-Upload/)
|
13
34
|
|
14
35
|
## Features
|
15
|
-
|
36
|
+
|
37
|
+
- **Multiple file upload:**
|
16
38
|
Allows to select multiple files at once and upload them simultaneously.
|
17
|
-
|
18
|
-
Allows to upload files by dragging them from your desktop or
|
19
|
-
|
20
|
-
|
21
|
-
|
39
|
+
- **Drag & Drop support:**
|
40
|
+
Allows to upload files by dragging them from your desktop or file manager and
|
41
|
+
dropping them on your browser window.
|
42
|
+
- **Upload progress bar:**
|
43
|
+
Shows a progress bar indicating the upload progress for individual files and
|
44
|
+
for all uploads combined.
|
45
|
+
- **Cancelable uploads:**
|
22
46
|
Individual file uploads can be canceled to stop the upload progress.
|
23
|
-
|
47
|
+
- **Resumable uploads:**
|
24
48
|
Aborted uploads can be resumed with browsers supporting the Blob API.
|
25
|
-
|
26
|
-
Large files can be uploaded in smaller chunks with browsers supporting the
|
27
|
-
|
28
|
-
|
29
|
-
|
30
|
-
|
31
|
-
|
32
|
-
|
33
|
-
|
34
|
-
|
35
|
-
|
36
|
-
|
37
|
-
|
38
|
-
|
39
|
-
|
49
|
+
- **Chunked uploads:**
|
50
|
+
Large files can be uploaded in smaller chunks with browsers supporting the
|
51
|
+
Blob API.
|
52
|
+
- **Client-side image resizing:**
|
53
|
+
Images can be automatically resized on client-side with browsers supporting
|
54
|
+
the required JS APIs.
|
55
|
+
- **Preview images, audio and video:**
|
56
|
+
A preview of image, audio and video files can be displayed before uploading
|
57
|
+
with browsers supporting the required APIs.
|
58
|
+
- **No browser plugins (e.g. Adobe Flash) required:**
|
59
|
+
The implementation is based on open standards like HTML5 and JavaScript and
|
60
|
+
requires no additional browser plugins.
|
61
|
+
- **Graceful fallback for legacy browsers:**
|
62
|
+
Uploads files via XMLHttpRequests if supported and uses iframes as fallback
|
63
|
+
for legacy browsers.
|
64
|
+
- **HTML file upload form fallback:**
|
65
|
+
Allows progressive enhancement by using a standard HTML file upload form as
|
66
|
+
widget element.
|
67
|
+
- **Cross-site file uploads:**
|
68
|
+
Supports uploading files to a different domain with cross-site XMLHttpRequests
|
69
|
+
or iframe redirects.
|
70
|
+
- **Multiple plugin instances:**
|
40
71
|
Allows to use multiple plugin instances on the same webpage.
|
41
|
-
|
42
|
-
Provides an API to set individual options and define callback methods for
|
43
|
-
|
44
|
-
|
45
|
-
|
46
|
-
|
72
|
+
- **Customizable and extensible:**
|
73
|
+
Provides an API to set individual options and define callback methods for
|
74
|
+
various upload events.
|
75
|
+
- **Multipart and file contents stream uploads:**
|
76
|
+
Files can be uploaded as standard "multipart/form-data" or file contents
|
77
|
+
stream (HTTP PUT file upload).
|
78
|
+
- **Compatible with any server-side application platform:**
|
79
|
+
Works with any server-side platform (PHP, Python, Ruby on Rails, Java,
|
80
|
+
Node.js, Go etc.) that supports standard HTML form file uploads.
|
81
|
+
|
82
|
+
## Security
|
83
|
+
|
84
|
+
⚠️ Please read the [VULNERABILITIES](VULNERABILITIES.md) document for a list of
|
85
|
+
fixed vulnerabilities
|
86
|
+
|
87
|
+
Please also read the [SECURITY](SECURITY.md) document for instructions on how to
|
88
|
+
securely configure your Web server for file uploads.
|
89
|
+
|
90
|
+
## Setup
|
91
|
+
|
92
|
+
jQuery File Upload can be installed via [NPM](https://www.npmjs.com/):
|
93
|
+
|
94
|
+
```sh
|
95
|
+
npm install blueimp-file-upload
|
96
|
+
```
|
97
|
+
|
98
|
+
This allows you to include [jquery.fileupload.js](js/jquery.fileupload.js) and
|
99
|
+
its extensions via `node_modules`, e.g:
|
100
|
+
|
101
|
+
```html
|
102
|
+
<script src="node_modules/blueimp-file-upload/js/jquery.fileupload.js"></script>
|
103
|
+
```
|
104
|
+
|
105
|
+
The widget can then be initialized on a file upload form the following way:
|
106
|
+
|
107
|
+
```js
|
108
|
+
$('#fileupload').fileupload();
|
109
|
+
```
|
110
|
+
|
111
|
+
For further information, please refer to the following guides:
|
112
|
+
|
113
|
+
- [Main documentation page](https://github.com/blueimp/jQuery-File-Upload/wiki)
|
114
|
+
- [List of all available Options](https://github.com/blueimp/jQuery-File-Upload/wiki/Options)
|
115
|
+
- [The plugin API](https://github.com/blueimp/jQuery-File-Upload/wiki/API)
|
116
|
+
- [How to setup the plugin on your website](https://github.com/blueimp/jQuery-File-Upload/wiki/Setup)
|
117
|
+
- [How to use only the basic plugin.](https://github.com/blueimp/jQuery-File-Upload/wiki/Basic-plugin)
|
47
118
|
|
48
119
|
## Requirements
|
49
120
|
|
50
121
|
### Mandatory requirements
|
51
|
-
|
52
|
-
|
53
|
-
|
122
|
+
|
123
|
+
- [jQuery](https://jquery.com/) v1.7+
|
124
|
+
- [jQuery UI widget factory](https://api.jqueryui.com/jQuery.widget/) v1.9+
|
125
|
+
(included): Required for the basic File Upload plugin, but very lightweight
|
126
|
+
without any other dependencies from the jQuery UI suite.
|
127
|
+
- [jQuery Iframe Transport plugin](https://github.com/blueimp/jQuery-File-Upload/blob/master/js/jquery.iframe-transport.js)
|
128
|
+
(included): Required for
|
129
|
+
[browsers without XHR file upload support](https://github.com/blueimp/jQuery-File-Upload/wiki/Browser-support).
|
54
130
|
|
55
131
|
### Optional requirements
|
56
|
-
* [JavaScript Templates engine](https://github.com/blueimp/JavaScript-Templates) v. 2.5.4+: Used to render the selected and uploaded files for the Basic Plus UI and jQuery UI versions.
|
57
|
-
* [JavaScript Load Image library](https://github.com/blueimp/JavaScript-Load-Image) v. 1.13.0+: Required for the image previews and resizing functionality.
|
58
|
-
* [JavaScript Canvas to Blob polyfill](https://github.com/blueimp/JavaScript-Canvas-to-Blob) v. 2.1.1+:Required for the image previews and resizing functionality.
|
59
|
-
* [blueimp Gallery](https://github.com/blueimp/Gallery) v. 2.15.1+: Used to display the uploaded images in a lightbox.
|
60
|
-
* [Bootstrap](http://getbootstrap.com/) v. 3.2.0+
|
61
|
-
* [Glyphicons](http://glyphicons.com/)
|
62
132
|
|
63
|
-
|
133
|
+
- [JavaScript Templates engine](https://github.com/blueimp/JavaScript-Templates)
|
134
|
+
v3+: Used to render the selected and uploaded files.
|
135
|
+
- [JavaScript Load Image library](https://github.com/blueimp/JavaScript-Load-Image)
|
136
|
+
v2+: Required for the image previews and resizing functionality.
|
137
|
+
- [JavaScript Canvas to Blob polyfill](https://github.com/blueimp/JavaScript-Canvas-to-Blob)
|
138
|
+
v3+:Required for the resizing functionality.
|
139
|
+
- [blueimp Gallery](https://github.com/blueimp/Gallery) v2+: Used to display the
|
140
|
+
uploaded images in a lightbox.
|
141
|
+
- [Bootstrap](https://getbootstrap.com/) v3+: Used for the demo design.
|
142
|
+
- [Glyphicons](https://glyphicons.com/) Icon set used by Bootstrap.
|
64
143
|
|
65
144
|
### Cross-domain requirements
|
66
|
-
[Cross-domain File Uploads](https://github.com/blueimp/jQuery-File-Upload/wiki/Cross-domain-uploads) using the [Iframe Transport plugin](https://github.com/blueimp/jQuery-File-Upload/blob/master/js/jquery.iframe-transport.js) require a redirect back to the origin server to retrieve the upload results. The [example implementation](https://github.com/blueimp/jQuery-File-Upload/blob/master/js/main.js) makes use of [result.html](https://github.com/blueimp/jQuery-File-Upload/blob/master/cors/result.html) as a static redirect page for the origin server.
|
67
|
-
|
68
|
-
The repository also includes the [jQuery XDomainRequest Transport plugin](https://github.com/blueimp/jQuery-File-Upload/blob/master/js/cors/jquery.xdr-transport.js), which enables limited cross-domain AJAX requests in Microsoft Internet Explorer 8 and 9 (IE 10 supports cross-domain XHR requests).
|
69
|
-
The XDomainRequest object allows GET and POST requests only and doesn't support file uploads. It is used on the [Demo](https://blueimp.github.io/jQuery-File-Upload/) to delete uploaded files from the cross-domain demo file upload service.
|
70
145
|
|
71
|
-
|
72
|
-
|
73
|
-
|
146
|
+
[Cross-domain File Uploads](https://github.com/blueimp/jQuery-File-Upload/wiki/Cross-domain-uploads)
|
147
|
+
using the
|
148
|
+
[Iframe Transport plugin](https://github.com/blueimp/jQuery-File-Upload/blob/master/js/jquery.iframe-transport.js)
|
149
|
+
require a redirect back to the origin server to retrieve the upload results. The
|
150
|
+
[example implementation](https://github.com/blueimp/jQuery-File-Upload/blob/master/js/main.js)
|
151
|
+
makes use of
|
152
|
+
[result.html](https://github.com/blueimp/jQuery-File-Upload/blob/master/cors/result.html)
|
153
|
+
as a static redirect page for the origin server.
|
154
|
+
|
155
|
+
The repository also includes the
|
156
|
+
[jQuery XDomainRequest Transport plugin](https://github.com/blueimp/jQuery-File-Upload/blob/master/js/cors/jquery.xdr-transport.js),
|
157
|
+
which enables limited cross-domain AJAX requests in Microsoft Internet Explorer
|
158
|
+
8 and 9 (IE 10 supports cross-domain XHR requests).
|
159
|
+
The XDomainRequest object allows GET and POST requests only and doesn't support
|
160
|
+
file uploads. It is used on the
|
161
|
+
[Demo](https://blueimp.github.io/jQuery-File-Upload/) to delete uploaded files
|
162
|
+
from the cross-domain demo file upload service.
|
74
163
|
|
75
164
|
## Browsers
|
76
165
|
|
77
166
|
### Desktop browsers
|
78
|
-
The File Upload plugin is regularly tested with the latest browser versions and supports the following minimal versions:
|
79
167
|
|
80
|
-
|
81
|
-
|
82
|
-
|
83
|
-
|
84
|
-
|
168
|
+
The File Upload plugin is regularly tested with the latest browser versions and
|
169
|
+
supports the following minimal versions:
|
170
|
+
|
171
|
+
- Google Chrome
|
172
|
+
- Apple Safari 4.0+
|
173
|
+
- Mozilla Firefox 3.0+
|
174
|
+
- Opera 11.0+
|
175
|
+
- Microsoft Internet Explorer 6.0+
|
85
176
|
|
86
177
|
### Mobile browsers
|
87
|
-
The File Upload plugin has been tested with and supports the following mobile browsers:
|
88
178
|
|
89
|
-
|
90
|
-
|
91
|
-
* Google Chrome on Android 4.0+
|
92
|
-
* Default Browser on Android 2.3+
|
93
|
-
* Opera Mobile 12.0+
|
179
|
+
The File Upload plugin has been tested with and supports the following mobile
|
180
|
+
browsers:
|
94
181
|
|
95
|
-
|
96
|
-
|
182
|
+
- Apple Safari on iOS 6.0+
|
183
|
+
- Google Chrome on iOS 6.0+
|
184
|
+
- Google Chrome on Android 4.0+
|
185
|
+
- Default Browser on Android 2.3+
|
186
|
+
- Opera Mobile 12.0+
|
97
187
|
|
98
|
-
|
99
|
-
|
100
|
-
|
188
|
+
### Extended browser support information
|
189
|
+
|
190
|
+
For a detailed overview of the features supported by each browser version and
|
191
|
+
known operating system / browser bugs, please have a look at the
|
192
|
+
[Extended browser support information](https://github.com/blueimp/jQuery-File-Upload/wiki/Browser-support).
|
193
|
+
|
194
|
+
## Testing
|
195
|
+
|
196
|
+
The project comes with three sets of tests:
|
197
|
+
|
198
|
+
1. Code linting using [ESLint](https://eslint.org/).
|
199
|
+
2. Unit tests using [Mocha](https://mochajs.org/).
|
200
|
+
3. End-to-end tests using [blueimp/wdio](https://github.com/blueimp/wdio).
|
201
|
+
|
202
|
+
To run the tests, follow these steps:
|
203
|
+
|
204
|
+
1. Start [Docker](https://docs.docker.com/).
|
205
|
+
2. Install development dependencies:
|
206
|
+
```sh
|
207
|
+
npm install
|
208
|
+
```
|
209
|
+
3. Run the tests:
|
210
|
+
```sh
|
211
|
+
npm test
|
212
|
+
```
|
101
213
|
|
102
214
|
## Support
|
215
|
+
|
103
216
|
This project is actively maintained, but there is no official support channel.
|
104
|
-
If you have a question that another developer might help you with, please post
|
217
|
+
If you have a question that another developer might help you with, please post
|
218
|
+
to
|
219
|
+
[Stack Overflow](https://stackoverflow.com/questions/tagged/blueimp+jquery+file-upload)
|
220
|
+
and tag your question with `blueimp jquery file upload`.
|
105
221
|
|
106
222
|
## License
|
223
|
+
|
107
224
|
Released under the [MIT license](https://opensource.org/licenses/MIT).
|
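Review bot: The new Security section (new lines 82-88) defers to VULNERABILITIES.md and SECURITY.md, but the README hunk never states which upstream jQuery File Upload release this vendored copy was taken from; if `package.json` (also updated in this release, +71 -10) is meant to be the source of truth, a one-line pointer to it from this README or from the gem changelog would let the fixed-in versions listed in VULNERABILITIES.md (`v9.22.1`, `v9.24.1`, `v9.25.1`) be checked against the files actually shipped, which matters because the file list shows `server/php/UploadHandler.php` changing by +206 -137 in the same bump.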
@@ -0,0 +1,227 @@
|
|
1
|
+
# File Upload Security
|
2
|
+
|
3
|
+
## Contents
|
4
|
+
|
5
|
+
- [Introduction](#introduction)
|
6
|
+
- [Purpose of this project](#purpose-of-this-project)
|
7
|
+
- [Mitigations against file upload risks](#mitigations-against-file-upload-risks)
|
8
|
+
- [Prevent code execution on the server](#prevent-code-execution-on-the-server)
|
9
|
+
- [Prevent code execution in the browser](#prevent-code-execution-in-the-browser)
|
10
|
+
- [Prevent distribution of malware](#prevent-distribution-of-malware)
|
11
|
+
- [Secure file upload serving configurations](#secure-file-upload-serving-configurations)
|
12
|
+
- [Apache config](#apache-config)
|
13
|
+
- [NGINX config](#nginx-config)
|
14
|
+
- [Secure image processing configurations](#secure-image-processing-configurations)
|
15
|
+
- [ImageMagick config](#imagemagick-config)
|
16
|
+
|
17
|
+
## Introduction
|
18
|
+
|
19
|
+
For an in-depth understanding of the potential security risks of providing file
|
20
|
+
uploads and possible mitigations, please refer to the
|
21
|
+
[OWASP - Unrestricted File Upload](https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload)
|
22
|
+
documentation.
|
23
|
+
|
24
|
+
To securely setup the project to serve uploaded files, please refer to the
|
25
|
+
sample
|
26
|
+
[Secure file upload serving configurations](#secure-file-upload-serving-configurations).
|
27
|
+
|
28
|
+
To mitigate potential vulnerabilities in image processing libraries, please
|
29
|
+
refer to the
|
30
|
+
[Secure image processing configurations](#secure-image-processing-configurations).
|
31
|
+
|
32
|
+
By default, all sample upload handlers allow only upload of image files, which
|
33
|
+
mitigates some attack vectors, but should not be relied on as the only
|
34
|
+
protection.
|
35
|
+
|
36
|
+
Please also have a look at the
|
37
|
+
[list of fixed vulnerabilities](VULNERABILITIES.md) in jQuery File Upload, which
|
38
|
+
relates mostly to the sample server-side upload handlers and how they have been
|
39
|
+
configured.
|
40
|
+
|
41
|
+
## Purpose of this project
|
42
|
+
|
43
|
+
Please note that this project is not a complete file management product, but
|
44
|
+
foremost a client-side file upload library for [jQuery](https://jquery.com/).
|
45
|
+
The server-side sample upload handlers are just examples to demonstrate the
|
46
|
+
client-side file upload functionality.
|
47
|
+
|
48
|
+
To make this very clear, there is **no user authentication** by default:
|
49
|
+
|
50
|
+
- **everyone can upload files**
|
51
|
+
- **everyone can delete uploaded files**
|
52
|
+
|
53
|
+
In some cases this can be acceptable, but for most projects you will want to
|
54
|
+
extend the sample upload handlers to integrate user authentication, or implement
|
55
|
+
your own.
|
56
|
+
|
57
|
+
It is also up to you to configure your web server to securely serve the uploaded
|
58
|
+
files, e.g. using the
|
59
|
+
[sample server configurations](#secure-file-upload-serving-configurations).
|
60
|
+
|
61
|
+
## Mitigations against file upload risks
|
62
|
+
|
63
|
+
### Prevent code execution on the server
|
64
|
+
|
65
|
+
To prevent execution of scripts or binaries on server-side, the upload directory
|
66
|
+
must be configured to not execute files in the upload directory (e.g.
|
67
|
+
`server/php/files` as the default for the PHP upload handler) and only treat
|
68
|
+
uploaded files as static content.
|
69
|
+
|
70
|
+
The recommended way to do this is to configure the upload directory path to
|
71
|
+
point outside of the web application root.
|
72
|
+
Then the web server can be configured to serve files from the upload directory
|
73
|
+
with their default static files handler only.
|
74
|
+
|
75
|
+
Limiting file uploads to a whitelist of safe file types (e.g. image files) also
|
76
|
+
mitigates this issue, but should not be the only protection.
|
77
|
+
|
78
|
+
### Prevent code execution in the browser
|
79
|
+
|
80
|
+
To prevent execution of scripts on client-side, the following headers must be
|
81
|
+
sent when delivering generic uploaded files to the client:
|
82
|
+
|
83
|
+
```
|
84
|
+
Content-Type: application/octet-stream
|
85
|
+
X-Content-Type-Options: nosniff
|
86
|
+
```
|
87
|
+
|
88
|
+
The `Content-Type: application/octet-stream` header instructs browsers to
|
89
|
+
display a download dialog instead of parsing it and possibly executing script
|
90
|
+
content e.g. in HTML files.
|
91
|
+
|
92
|
+
The `X-Content-Type-Options: nosniff` header prevents browsers to try to detect
|
93
|
+
the file mime type despite the given content-type header.
|
94
|
+
|
95
|
+
For known safe files, the content-type header can be adjusted using a
|
96
|
+
**whitelist**, e.g. sending `Content-Type: image/png` for PNG files.
|
97
|
+
|
98
|
+
### Prevent distribution of malware
|
99
|
+
|
100
|
+
To prevent attackers from uploading and distributing malware (e.g. computer
|
101
|
+
viruses), it is recommended to limit file uploads only to a whitelist of safe
|
102
|
+
file types.
|
103
|
+
|
104
|
+
Please note that the detection of file types in the sample file upload handlers
|
105
|
+
is based on the file extension and not the actual file content. This makes it
|
106
|
+
still possible for attackers to upload malware by giving their files an image
|
107
|
+
file extension, but should prevent automatic execution on client computers when
|
108
|
+
opening those files.
|
109
|
+
|
110
|
+
It does not protect at all from exploiting vulnerabilities in image display
|
111
|
+
programs, nor from users renaming file extensions to inadvertently execute the
|
112
|
+
contained malicious code.
|
113
|
+
|
114
|
+
## Secure file upload serving configurations
|
115
|
+
|
116
|
+
The following configurations serve uploaded files as static files with the
|
117
|
+
proper headers as
|
118
|
+
[mitigation against file upload risks](#mitigations-against-file-upload-risks).
|
119
|
+
Please do not simply copy&paste these configurations, but make sure you
|
120
|
+
understand what they are doing and that you have implemented them correctly.
|
121
|
+
|
122
|
+
> Always test your own setup and make sure that it is secure!
|
123
|
+
|
124
|
+
e.g. try uploading PHP scripts (as "example.php", "example.php.png" and
|
125
|
+
"example.png") to see if they get executed by your web server, e.g. the content
|
126
|
+
of the following sample:
|
127
|
+
|
128
|
+
```php
|
129
|
+
GIF89ad <?php echo mime_content_type(__FILE__); phpinfo();
|
130
|
+
```
|
131
|
+
|
132
|
+
### Apache config
|
133
|
+
|
134
|
+
Add the following directive to the Apache config (e.g.
|
135
|
+
/etc/apache2/apache2.conf), replacing the directory path with the absolute path
|
136
|
+
to the upload directory:
|
137
|
+
|
138
|
+
```ApacheConf
|
139
|
+
<Directory "/path/to/project/server/php/files">
|
140
|
+
# Some of the directives require the Apache Headers module. If it is not
|
141
|
+
# already enabled, please execute the following command and reload Apache:
|
142
|
+
# sudo a2enmod headers
|
143
|
+
#
|
144
|
+
# Please note that the order of directives across configuration files matters,
|
145
|
+
# see also:
|
146
|
+
# https://httpd.apache.org/docs/current/sections.html#merging
|
147
|
+
|
148
|
+
# The following directive matches all files and forces them to be handled as
|
149
|
+
# static content, which prevents the server from parsing and executing files
|
150
|
+
# that are associated with a dynamic runtime, e.g. PHP files.
|
151
|
+
# It also forces their Content-Type header to "application/octet-stream" and
|
152
|
+
# adds a "Content-Disposition: attachment" header to force a download dialog,
|
153
|
+
# which prevents browsers from interpreting files in the context of the
|
154
|
+
# web server, e.g. HTML files containing JavaScript.
|
155
|
+
# Lastly it also prevents browsers from MIME-sniffing the Content-Type,
|
156
|
+
# preventing them from interpreting a file as a different Content-Type than
|
157
|
+
# the one sent by the webserver.
|
158
|
+
<FilesMatch ".*">
|
159
|
+
SetHandler default-handler
|
160
|
+
ForceType application/octet-stream
|
161
|
+
Header set Content-Disposition attachment
|
162
|
+
Header set X-Content-Type-Options nosniff
|
163
|
+
</FilesMatch>
|
164
|
+
|
165
|
+
# The following directive matches known image files and unsets the forced
|
166
|
+
# Content-Type so they can be served with their original mime type.
|
167
|
+
# It also unsets the Content-Disposition header to allow displaying them
|
168
|
+
# inline in the browser.
|
169
|
+
<FilesMatch ".+\.(?i:(gif|jpe?g|png))$">
|
170
|
+
ForceType none
|
171
|
+
Header unset Content-Disposition
|
172
|
+
</FilesMatch>
|
173
|
+
</Directory>
|
174
|
+
```
|
175
|
+
|
176
|
+
### NGINX config
|
177
|
+
|
178
|
+
Add the following directive to the NGINX config, replacing the directory path
|
179
|
+
with the absolute path to the upload directory:
|
180
|
+
|
181
|
+
```Nginx
|
182
|
+
location ^~ /path/to/project/server/php/files {
|
183
|
+
root html;
|
184
|
+
default_type application/octet-stream;
|
185
|
+
types {
|
186
|
+
image/gif gif;
|
187
|
+
image/jpeg jpg;
|
188
|
+
image/png png;
|
189
|
+
}
|
190
|
+
add_header X-Content-Type-Options 'nosniff';
|
191
|
+
if ($request_filename ~ /(((?!\.(jpg)|(png)|(gif)$)[^/])+$)) {
|
192
|
+
add_header Content-Disposition 'attachment; filename="$1"';
|
193
|
+
# Add X-Content-Type-Options again, as using add_header in a new context
|
194
|
+
# dismisses all previous add_header calls:
|
195
|
+
add_header X-Content-Type-Options 'nosniff';
|
196
|
+
}
|
197
|
+
}
|
198
|
+
```
|
199
|
+
|
200
|
+
## Secure image processing configurations
|
201
|
+
|
202
|
+
The following configuration mitigates
|
203
|
+
[potential image processing vulnerabilities with ImageMagick](VULNERABILITIES.md#potential-vulnerabilities-with-php-imagemagick)
|
204
|
+
by limiting the attack vectors to a small subset of image types
|
205
|
+
(`GIF/JPEG/PNG`).
|
206
|
+
|
207
|
+
Please also consider using alternative, safer image processing libraries like
|
208
|
+
[libvips](https://github.com/libvips/libvips) or
|
209
|
+
[imageflow](https://github.com/imazen/imageflow).
|
210
|
+
|
211
|
+
## ImageMagick config
|
212
|
+
|
213
|
+
It is recommended to disable all non-required ImageMagick coders via
|
214
|
+
[policy.xml](https://wiki.debian.org/imagemagick/security).
|
215
|
+
To do so, locate the ImageMagick `policy.xml` configuration file and add the
|
216
|
+
following policies:
|
217
|
+
|
218
|
+
```xml
|
219
|
+
<?xml version="1.0" encoding="UTF-8"?>
|
220
|
+
<!-- ... -->
|
221
|
+
<policymap>
|
222
|
+
<!-- ... -->
|
223
|
+
<policy domain="delegate" rights="none" pattern="*" />
|
224
|
+
<policy domain="coder" rights="none" pattern="*" />
|
225
|
+
<policy domain="coder" rights="read | write" pattern="{GIF,JPEG,JPG,PNG}" />
|
226
|
+
</policymap>
|
227
|
+
```
|
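Review bot: In the NGINX block (new lines 191-196) the extension test `if ($request_filename ~ /(((?!\.(jpg)|(png)|(gif)$)[^/])+$))` does not express what the surrounding comments and the Apache block intend: inside the negative lookahead only the first alternative carries the leading `\.` and only `gif` is anchored to `$`, so a basename that merely contains `png` or `gif` (e.g. `report-png.html`) makes the whole match fail and the `Content-Disposition: attachment` header is never added, while `photo.JPG` or `photo.jpeg` do get `attachment` because the alternatives are case-sensitive and lack `jpe?g`, unlike the Apache `<FilesMatch ".+\.(?i:(gif|jpe?g|png))$">` on new line 169. The fallback still holds (the `types {}` block maps only `gif`/`jpg`/`png`, so everything else is served as `application/octet-stream` with `nosniff`), but the condition would be clearer and consistent with the Apache rule as `if ($request_filename !~* \.(gif|jpe?g|png)$)`, with the basename for the `filename=` parameter captured separately and `image/jpeg jpeg;` added to `types`.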
@@ -0,0 +1,118 @@
|
|
1
|
+
# List of fixed vulnerabilities
|
2
|
+
|
3
|
+
## Contents
|
4
|
+
|
5
|
+
- [Potential vulnerabilities with PHP+ImageMagick](#potential-vulnerabilities-with-phpimagemagick)
|
6
|
+
- [Remote code execution vulnerability in the PHP component](#remote-code-execution-vulnerability-in-the-php-component)
|
7
|
+
- [Open redirect vulnerability in the GAE components](#open-redirect-vulnerability-in-the-gae-components)
|
8
|
+
- [Cross-site scripting vulnerability in the Iframe Transport](#cross-site-scripting-vulnerability-in-the-iframe-transport)
|
9
|
+
|
10
|
+
## Potential vulnerabilities with PHP+ImageMagick
|
11
|
+
|
12
|
+
> Mitigated: 2018-10-25 (GMT)
|
13
|
+
|
14
|
+
The sample [PHP upload handler](server/php/UploadHandler.php) before
|
15
|
+
[v9.25.1](https://github.com/blueimp/jQuery-File-Upload/releases/tag/v9.25.1)
|
16
|
+
did not validate file signatures before invoking
|
17
|
+
[ImageMagick](https://www.imagemagick.org/) (via
|
18
|
+
[Imagick](https://php.net/manual/en/book.imagick.php)).
|
19
|
+
Verifying those
|
20
|
+
[magic bytes](https://en.wikipedia.org/wiki/List_of_file_signatures) mitigates
|
21
|
+
potential vulnerabilities when handling input files other than `GIF/JPEG/PNG`.
|
22
|
+
|
23
|
+
Please also configure ImageMagick to only enable the coders required for
|
24
|
+
`GIF/JPEG/PNG` processing, e.g. with the sample
|
25
|
+
[ImageMagick config](SECURITY.md#imagemagick-config).
|
26
|
+
|
27
|
+
**Further information:**
|
28
|
+
|
29
|
+
- Commit containing the mitigation:
|
30
|
+
[fe44d34](https://github.com/blueimp/jQuery-File-Upload/commit/fe44d34be43be32c6b8d507932f318dababb25dd)
|
31
|
+
- [ImageTragick](https://imagetragick.com/)
|
32
|
+
- [CERT Vulnerability Note VU#332928](https://www.kb.cert.org/vuls/id/332928)
|
33
|
+
- [ImageMagick CVE entries](https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=imagemagick)
|
34
|
+
|
35
|
+
## Remote code execution vulnerability in the PHP component
|
36
|
+
|
37
|
+
> Fixed: 2018-10-23 (GMT)
|
38
|
+
|
39
|
+
The sample [PHP upload handler](server/php/UploadHandler.php) before
|
40
|
+
[v9.24.1](https://github.com/blueimp/jQuery-File-Upload/releases/tag/v9.24.1)
|
41
|
+
allowed to upload all file types by default.
|
42
|
+
This opens up a remote code execution vulnerability, unless the server is
|
43
|
+
configured to not execute (PHP) files in the upload directory
|
44
|
+
(`server/php/files`).
|
45
|
+
|
46
|
+
The provided [.htaccess](server/php/files/.htaccess) file includes instructions
|
47
|
+
for Apache to disable script execution, however
|
48
|
+
[.htaccess support](https://httpd.apache.org/docs/current/howto/htaccess.html)
|
49
|
+
is disabled by default since Apache `v2.3.9` via
|
50
|
+
[AllowOverride Directive](https://httpd.apache.org/docs/current/mod/core.html#allowoverride).
|
51
|
+
|
52
|
+
**You are affected if you:**
|
53
|
+
|
54
|
+
1. A) Uploaded jQuery File Upload < `v9.24.1` on a Webserver that executes files
|
55
|
+
with `.php` as part of the file extension (e.g. "example.php.png"), e.g.
|
56
|
+
Apache with `mod_php` enabled and the following directive (_not a recommended
|
57
|
+
configuration_):
|
58
|
+
```ApacheConf
|
59
|
+
AddHandler php5-script .php
|
60
|
+
```
|
61
|
+
B) Uploaded jQuery File Upload < `v9.22.1` on a Webserver that executes files
|
62
|
+
with the file extension `.php`, e.g. Apache with `mod_php` enabled and the
|
63
|
+
following directive:
|
64
|
+
```ApacheConf
|
65
|
+
<FilesMatch \.php$>
|
66
|
+
SetHandler application/x-httpd-php
|
67
|
+
</FilesMatch>
|
68
|
+
```
|
69
|
+
2. Did not actively configure your Webserver to not execute files in the upload
|
70
|
+
directory (`server/php/files`).
|
71
|
+
3. Are running Apache `v2.3.9+` with the default `AllowOverride` Directive set
|
72
|
+
to `None` or another Webserver with no `.htaccess` support.
|
73
|
+
|
74
|
+
**How to fix it:**
|
75
|
+
|
76
|
+
1. Upgrade to the latest version of jQuery File Upload.
|
77
|
+
2. Configure your Webserver to not execute files in the upload directory, e.g.
|
78
|
+
with the [sample Apache configuration](SECURITY.md#apache-config)
|
79
|
+
|
80
|
+
**Further information:**
|
81
|
+
|
82
|
+
- Commits containing the security fix:
|
83
|
+
[aeb47e5](https://github.com/blueimp/jQuery-File-Upload/commit/aeb47e51c67df8a504b7726595576c1c66b5dc2f),
|
84
|
+
[ad4aefd](https://github.com/blueimp/jQuery-File-Upload/commit/ad4aefd96e4056deab6fea2690f0d8cf56bb2d7d)
|
85
|
+
- [Full disclosure post on Hacker News](https://news.ycombinator.com/item?id=18267309).
|
86
|
+
- [CVE-2018-9206](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9206)
|
87
|
+
- [OWASP - Unrestricted File Upload](https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload)
|
88
|
+
|
89
|
+
## Open redirect vulnerability in the GAE components
|
90
|
+
|
91
|
+
> Fixed: 2015-06-12 (GMT)
|
92
|
+
|
93
|
+
The sample Google App Engine upload handlers before
|
94
|
+
v[9.10.1](https://github.com/blueimp/jQuery-File-Upload/releases/tag/9.10.1)
|
95
|
+
accepted any URL as redirect target, making it possible to use the Webserver's
|
96
|
+
domain for phishing attacks.
|
97
|
+
|
98
|
+
**Further information:**
|
99
|
+
|
100
|
+
- Commit containing the security fix:
|
101
|
+
[f74d2a8](https://github.com/blueimp/jQuery-File-Upload/commit/f74d2a8c3e3b1e8e336678d2899facd5bcdb589f)
|
102
|
+
- [OWASP - Unvalidated Redirects and Forwards Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html)
|
103
|
+
|
104
|
+
## Cross-site scripting vulnerability in the Iframe Transport
|
105
|
+
|
106
|
+
> Fixed: 2012-08-09 (GMT)
|
107
|
+
|
108
|
+
The [redirect page](cors/result.html) for the
|
109
|
+
[Iframe Transport](js/jquery.iframe-transport.js) before commit
|
110
|
+
[4175032](https://github.com/blueimp/jQuery-File-Upload/commit/41750323a464e848856dc4c5c940663498beb74a)
|
111
|
+
(_fixed in all tagged releases_) allowed executing arbitrary JavaScript in the
|
112
|
+
context of the Webserver.
|
113
|
+
|
114
|
+
**Further information:**
|
115
|
+
|
116
|
+
- Commit containing the security fix:
|
117
|
+
[4175032](https://github.com/blueimp/jQuery-File-Upload/commit/41750323a464e848856dc4c5c940663498beb74a)
|
118
|
+
- [OWASP - Cross-site Scripting (XSS)](https://owasp.org/www-community/attacks/xss/)
|
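Review bot: in the "You are affected if you:" list under "Remote code execution vulnerability in the PHP component", conditions 1 to 3 must all hold for a deployment to be affected, but the list does not say so and item 1 alone reads as sufficient; suggest "You are affected if all of the following apply:" so readers do not stop at the version check. Two smaller points in the same file: "allowed to upload all file types by default" should read "allowed uploading all file types by default", and in the ImageMagick section the sentence "Verifying those magic bytes mitigates potential vulnerabilities" would be clearer if it stated that the signature check only inspects the leading bytes of the upload and that restricting the enabled coders (the "Please also configure ImageMagick" paragraph) is the control that actually limits what ImageMagick will parse, so the second paragraph reads as required rather than optional. Version links are also formatted inconsistently (`[v9.24.1](...)` versus `v[9.10.1](...)` in the GAE section).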