mahara-contributors team mailing list archive

[Cecilia Vela Gurovic <1770535@xxxxxxxxxxxxxxxxxx>]

** Changed in: mahara/18.10
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it!
https://bugs.launchpad.net/bugs/1770535

Title:
  Able to upload a virus file to Files section

Status in Mahara:
  Fix Released
Status in Mahara 17.04 series:
  Fix Released
Status in Mahara 17.10 series:
  Fix Released
Status in Mahara 18.04 series:
  Fix Released
Status in Mahara 18.10 series:
  Fix Released

Bug description:
  If I try to upload the benign test virus file called "eicar.com" from
  https://www.ikarussecurity.com/support/virus-info/test-viruses/ Mahara
  spots it and alerts user it is a virus

  However, if I try to upload the eicar_com.zip file it lets me (which
  is bad) but understandable as the signature of the virus file can be
  hidden via compression. And a user could only be infected if they
  download the zip and extract it locally.

  But if I then press the 'Decompress' button it extracts the zip file
  and doesn't complain. This is bad as all one needs to do to upload a
  virus is to wrap it in a zip file and then extract it and now they can
  trick another user to click on the file directly.

  When importing a zip file via Importer and clamav is on it checks the
  files of the zip for viruses but when extracting a zip file in Files
  section it does not.

  We need to tidy this up so that uploading a zip file gets checked
  properly as well.

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1770535/+subscriptions