mahara-contributors team mailing list archive
Message #11276
[Bug 1055239] Re: ClamAV doesn't support scanning multifile uploads
Attached the uploadmanager.php which we used for debugging.
PHP debugging without fix, 2 files uploaded
In the Loop isset($inputindex) :
$tmpfile: NULL
In the Loop is_array($file) && is_uploaded_file($tmpname)
$fullpath: array(2) { [0]=> string(14) "/tmp/phpDdqaTc" [1]=> string(14) "/tmp/phpM4aRv1" }
$escapeshellarg($fullpath): NULL
$escapeshellcmd($fullpath): NULL
$cmd: string(24) "/usr/bin/clamdscan 2>&1"
$output: array(5) { [0]=> string(28) "/htdocs/artefact/file: OK" [1]=>
string(0) "" [2]=> string(36) "----------- SCAN SUMMARY -----------"
[3]=> string(17) "Infected files: 0" [4]=> string(25) "Time: 0.124 sec
(0 m 0 s)" }
$return): int(0)
In the Loop isset($inputindex) :
$tmpfile: NULL
In the Loop is_array($file) && is_uploaded_file($tmpname)
$fullpath: array(2) { [0]=> string(14) "/tmp/phpDdqaTc" [1]=> string(14) "/tmp/phpM4aRv1" }
$escapeshellarg($fullpath): NULL
$escapeshellcmd($fullpath): NULL
$cmd: string(24) "/usr/bin/clamdscan 2>&1"
$output: array(5) { [0]=> string(28) "/htdocs/artefact/file: OK" [1]=>
string(0) "" [2]=> string(36) "----------- SCAN SUMMARY -----------"
[3]=> string(17) "Infected files: 0" [4]=> string(25) "Time: 0.112 sec
(0 m 0 s)" }
$return): int(0)
PHP debugging without fix, 1 file uploaded
In the Loop isset($inputindex) :
$tmpfile: NULL
In the Loop is_array($file) && is_uploaded_file($tmpname)
$fullpath: array(1) { [0]=> string(14) "/tmp/php3gkh1m" }
$escapeshellarg($fullpath): NULL
$escapeshellcmd($fullpath): NULL
$cmd: string(24) "/usr/bin/clamdscan 2>&1"
$output: array(5) { [0]=> string(28) "/htdocs/artefact/file: OK" [1]=>
string(0) "" [2]=> string(36) "----------- SCAN SUMMARY -----------"
[3]=> string(17) "Infected files: 0" [4]=> string(25) "Time: 0.124 sec
(0 m 0 s)" }
$return: int(0)
PHP debugging with fix, 2 files uploaded
In the Loop isset($inputindex) :
$tmpfile: NULL
In the Loop is_array($file) && is_uploaded_file($tmpname)
$fullpath: string(14) "/tmp/phpvnyvSe"
$escapeshellarg($fullpath): string(16) "'/tmp/phpvnyvSe'"
$escapeshellcmd($fullpath): string(14) "/tmp/phpvnyvSe"
$cmd: string(38) "/usr/bin/clamdscan /tmp/phpvnyvSe 2>&1"
$output: array(5) { [0]=> string(38) "/tmp/phpvnyvSe: ClamAV-Test-File
FOUND" [1]=> string(0) "" [2]=> string(36) "----------- SCAN SUMMARY
-----------" [3]=> string(17) "Infected files: 1" [4]=> string(25)
"Time: 0.258 sec (0 m 0 s)" }
$return): int(1)
In the Loop isset($inputindex) :
$tmpfile: NULL
In the Loop is_array($file) && is_uploaded_file($tmpname)
$fullpath: string(14) "/tmp/php0nP112"
$escapeshellarg($fullpath): string(16) "'/tmp/php0nP112'"
$escapeshellcmd($fullpath): string(14) "/tmp/php0nP112"
$cmd: string(38) "/usr/bin/clamdscan /tmp/php0nP112 2>&1"
$output: array(5) { [0]=> string(38) "/tmp/php0nP112: ClamAV-Test-File
FOUND" [1]=> string(0) "" [2]=> string(36) "----------- SCAN SUMMARY
-----------" [3]=> string(17) "Infected files: 1" [4]=> string(25)
"Time: 0.237 sec (0 m 0 s)" }
$return): int(1)
PHP debugging with fix, 1 file uploaded
In the Loop isset($inputindex) :
$tmpfile: NULL
In the Loop is_array($file) && is_uploaded_file($tmpname)
$fullpath: string(14) "/tmp/php8pJlgm"
$escapeshellarg($fullpath): string(16) "'/tmp/php8pJlgm'"
$escapeshellcmd($fullpath): string(14) "/tmp/php8pJlgm"
$cmd: string(38) "/usr/bin/clamdscan /tmp/php8pJlgm 2>&1"
$output: array(5) { [0]=> string(38) "/tmp/php8pJlgm: ClamAV-Test-File
FOUND" [1]=> string(0) "" [2]=> string(36) "----------- SCAN SUMMARY
-----------" [3]=> string(17) "Infected files: 1" [4]=> string(25)
"Time: 0.257 sec (0 m 0 s)" }
$return): int(1)
Also haven't investigated the scenario when the logic at line 288 is used:
    else if (is_array($file)) {
        $tmpname = $file['tmp_name'];
    }
** Attachment added: "This is what we used to debug this issue"
https://bugs.launchpad.net/mahara/+bug/1055239/+attachment/3459475/+files/uploadmanager.php
--
https://bugs.launchpad.net/bugs/1055239
Title:
ClamAV doesn't support scanning multifile uploads
Status in Mahara ePortfolio:
Fix Released
Bug description:
When a user uploads using the new HTML multifile upload support, the
file is scanned by clamav. The code for this scanning assumes the
single upload still.
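The failure visible in the debug output above (an array of temp paths reaches escapeshellarg(), which yields NULL, so the command becomes a bare "/usr/bin/clamdscan 2>&1" that returns 0), handled per file and failing closed. This is an added example, not code from Mahara or from the attached uploadmanager.php; the function names and the injected runner are hypothetical, and the sample $_FILES entry is constructed.

```php
<?php
// Added example, not Mahara's code. All function names here are hypothetical.

/** Normalise one $_FILES entry (single or multifile) to a list of temp paths. */
function upload_tmp_paths(array $file): array {
    $names = $file['tmp_name'] ?? [];
    $paths = is_array($names) ? array_values($names) : [$names];
    // Drop empty slots (an input for which no file was chosen).
    return array_values(array_filter($paths, fn($p) => is_string($p) && $p !== ''));
}

/** Build the scanner command for exactly one path; refuse anything else. */
function build_scan_cmd(string $clamdscan, $path): string {
    if (!is_string($path) || $path === '') {
        // An array here is the bug on this page: the path vanished from the command.
        throw new InvalidArgumentException('scan target must be a non-empty string');
    }
    return escapeshellcmd($clamdscan) . ' ' . escapeshellarg($path) . ' 2>&1';
}

/**
 * Scan every file of an upload. $run executes a command and returns its exit
 * code (injected so the demo runs without ClamAV installed).
 * Returns path => 'clean' | 'infected' | 'error'.
 * Production code would also check is_uploaded_file() on each path, as the
 * loop on this page does; omitted so the constructed paths below work.
 */
function scan_upload(array $file, callable $run, string $clamdscan = '/usr/bin/clamdscan'): array {
    $paths = upload_tmp_paths($file);
    if ($paths === []) {
        throw new RuntimeException('nothing to scan; refusing to treat upload as clean');
    }
    $verdicts = [];
    foreach ($paths as $path) {
        $code = $run(build_scan_cmd($clamdscan, $path));
        // clamdscan exit codes: 0 = clean, 1 = virus found, anything else = error.
        $verdicts[$path] = $code === 0 ? 'clean' : ($code === 1 ? 'infected' : 'error');
    }
    return $verdicts;
}

// Constructed sample: a two-file multifile upload; the fake runner flags the second file.
$files = ['name' => ['a.txt', 'b.txt'], 'tmp_name' => ['/tmp/phpAAAAAA', '/tmp/phpBBBBBB']];
$fakeRun = fn(string $cmd): int => strpos($cmd, 'phpBBBBBB') !== false ? 1 : 0;
print_r(scan_upload($files, $fakeRun));
```

A caller should accept the upload only when every verdict is 'clean'; 'error' is treated the same as 'infected' so that a scanner that never saw the file cannot pass it.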