Security advisories: Drupal core - Moderately critical - Multiple vulnerabilities - SA-CORE-2019-010

Project:

Drupal core

Version:

8.8.x-dev

8.7.x-dev

Date:

2019-December-18

Security risk:

Moderately critical 14∕25 AC:Basic/A:Admin/CI:Some/II:All/E:Theoretical/TD:Default

Vulnerability:

Multiple vulnerabilities

Description:

Drupal 8 core's file_save_upload() function does not strip the leading and trailing dot ('.') from filenames, like Drupal 7 did.

Users with the ability to upload files with any extension in conjunction with contributed modules may be able to use this to upload system files such as .htaccess in order to bypass protections afforded by Drupal's default .htaccess file.

After this fix, file_save_upload() now trims leading and trailing dots from filenames.

Solution:

Install the latest version:

If you use Drupal core 8.7.x: 8.7.11
If you use Drupal core 8.8.x: 8.8.1

Versions of Drupal 8 prior to 8.7.x are end-of-life and do not receive security coverage.

Reported By:

Fixed By:

Lee Rowlands of the Drupal Security Team
Greg Knaddison of the Drupal Security Team
Michael Hess of the Drupal Security Team
Kim Pepper
Alex Pott of the Drupal Security Team
Derek Wright
Jess of the Drupal Security Team
David Rothstein of the Drupal Security Team

https://www.drupal.org/sa-core-2019-010