CIVI-SA-2023-04: File Type Restrictions

CiviCRM's file-upload mechanism includes a guard to limit the range of accepted file-types. However, the guard is too relaxed - in some configurations, this enables a less-privileged data-administrator to execute arbitrary code.

Questions and Answers

• Does this affect all organizations equivalently?

  • No, it depends on how the administrative roles are designed. If you have split access between different types of administrators (e.g. "system administrator" vs "regional data manager"), then it affects your security design. However, if you only grant administer CiviCRM to the same people who manage code, then it does not pose an immediate threat.

• What is changing?

  • Previously, the list of accepted file-types could be fully configured in the web-app by a user with permission administer CiviCRM.
  • Now, the list of file types is still configurable - but some file-types will be treated as strictly unsafe (regardless of the web-based configuration).

• Which file-types are strictly unsafe? Can I update the list?

  • The list includes *.php, *.phar, and several file-types that have historically enabled server-side processing in common hosting environments.
  • Only a system-administrator can update the list. To do so, modify civicrm.settings.php and configure CIVICRM_RESTRICTED_UPLOADS. For example:

    define('CIVICRM_RESTRICTED_UPLOADS',  '/(php|php\d|phtml|phar|pl|py|cgi|asp|js|sh|exe|pcgi\d)/i');
    

• My web-server (Apache/Nginx) restricts requests for server-side processing in the uploads folder. Am I already protected?

  • Partially. That prevents the most obvious attacks. But you should still apply the fix to prevent subtler attacks.