Project:
Version:
8.8.x-dev
8.7.x-dev
Date:
2019-December-18
Vulnerability:
Multiple vulnerabilities
Description:
Drupal 8 core's file_save_upload() function does not strip the leading and trailing dot ('.') from filenames, like Drupal 7 did.
Users with the ability to upload files with any extension in conjunction with contributed modules may be able to use this to upload system files such as .htaccess in order to bypass protections afforded by Drupal's default .htaccess file.
After this fix, file_save_upload() now trims leading and trailing dots from filenames.
Solution:
Install the latest version:
Versions of Drupal 8 prior to 8.7.x are end-of-life and do not receive security coverage.
Additional information
All advisories released today:
Updating to the latest Drupal core release will apply the fixes for all the above advisories.
Reported By:
Fixed By:
- Lee Rowlands of the Drupal Security Team
- Greg Knaddison of the Drupal Security Team
- Michael Hess of the Drupal Security Team
- Kim Pepper
- Alex Pott of the Drupal Security Team
- Derek Wright
- Jess of the Drupal Security Team
- David Rothstein of the Drupal Security Team