In CiviCRM systems which accept file attachments, a malicious user could perform a cross-site scripting attack. This attack involved accessing the "civicrm/file" path with a forged value in the parameter "&mime-type=...".
The solution involved a few subtle changes in the public-facing contract for "civicrm/file". If you have a customization which relies on this route, you may want to consider the details:
- For typical attachment URLs ("civicrm/file?id=..."), the "mime-type" parameter is now ignored. The MIME type is determined from a more definitive source. (This is effectively equivalent to the old behavior, except that the type cannot be overridden.)
- For some atypical attachment URLs ("civicrm/file?path=...&mime-type=..." - most commonly used with profile-images), the MIME type may not be definitively available. To prevent abuse, these requests are subject to additional checks:
  - The MIME type and the file's extension must be commonly known to agree with each other. (For example, the MIME type "image/jpeg" agrees with the file extensions ".jpg" and ".jpeg" but not ".txt".)
  - The MIME type must be in a whitelist. The default whitelist includes only common image types. To customize the whitelist, an administrator must modify the hidden setting "requestableMimeTypes".
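To make the two-branch contract above concrete, here is an added illustration (not CiviCRM's own code): a Python decision function that ignores the parameter on id-based requests and applies both the extension-agreement check and the "requestableMimeTypes" check on path-based ones. The whitelist contents, the extension table and the attachment records are constructed stand-ins for the real setting and data, and the legacy function shows the pre-fix shape of the problem for contrast.

```python
import posixpath
# Constructed stand-in for the hidden "requestableMimeTypes" setting (assumed values).
DEFAULT_REQUESTABLE_MIME_TYPES = frozenset({"image/jpeg", "image/png", "image/gif"})

# Constructed agreement table: extensions each MIME type is commonly known to use.
KNOWN_EXTENSIONS = {
    "image/jpeg": {".jpg", ".jpeg"},
    "image/png": {".png"},
    "image/gif": {".gif"},
    "text/html": {".html", ".htm"},
}

# Constructed attachment records: id -> (stored path, authoritative MIME type).
ATTACHMENTS = {1: ("report.pdf", "application/pdf"), 2: ("photo.jpg", "image/jpeg")}

class FileRequestRejected(Exception):
    """Raised when civicrm/file-style parameters fail the hardened checks."""

def legacy_mime_type(params):
    # Pre-fix shape of the bug: the caller's mime-type is trusted verbatim.
    return params.get("mime-type", "application/octet-stream")

def resolve_mime_type(params, whitelist=DEFAULT_REQUESTABLE_MIME_TYPES):
    """Decide the Content-Type for a civicrm/file-style request, or raise."""
    if "id" in params:
        # Typical URL: the mime-type parameter is ignored; the stored type wins.
        try:
            _path, stored_type = ATTACHMENTS[int(params["id"])]
        except (KeyError, ValueError):
            raise FileRequestRejected("unknown attachment id")
        return stored_type
    if "path" in params:
        # Atypical URL: no authoritative type, so both checks must pass.
        requested = params.get("mime-type", "").strip().lower()
        if requested not in whitelist:
            raise FileRequestRejected("mime-type not in requestableMimeTypes")
        ext = posixpath.splitext(params["path"])[1].lower()
        if ext not in KNOWN_EXTENSIONS.get(requested, ()):
            raise FileRequestRejected("mime-type disagrees with file extension")
        return requested
    raise FileRequestRejected("request must carry id or path")

def is_accepted(params, whitelist=DEFAULT_REQUESTABLE_MIME_TYPES):
    """True if resolve_mime_type would serve the file, False if it rejects it."""
    try:
        resolve_mime_type(params, whitelist)
    except FileRequestRejected:
        return False
    return True
```

Customizing the whitelist corresponds to passing a different set, which is the only way a non-image type such as "text/html" becomes requestable on the path-based route.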
Affected versions: CiviCRM versions 5.13.0 and earlier
Fixed versions: CiviCRM versions 5.13.4 and 5.7.6
Solution: Upgrade to the latest version of CiviCRM
Credits: Tim Otten of CiviCRM and Patrick Figel of Greenpeace for identifying the issue; Seamus Lee of Australian Greens and Tim Otten of CiviCRM for fixing the issue
Reference: security/core#54