Prevent Upload of ZIP bombs #7407
Conversation
Merging openemr/master before creating a PR
This is fine. Unknown why we even allow zip for template uploads but...
…_last_minute * 'master' of https://github.com/openemr/openemr: escape strings - brady's comment on pr openemr#7359 (openemr#7400) Added fix for zip bomb (openemr#7407) Phantom date showing at the top of all reports. (openemr#7433) feat: show collection balance in billing widget (openemr#7454)
(cherry picked from commit d019f25)
// Check if the uploaded file is a zip file
if ($extension === 'zip') {
$maxZipSize = 1048576; // 1 MB (adjust the size as needed)
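Review bot: the `$maxZipSize` cap of 1048576 bytes bounds only the compressed upload, not what it expands to, so on its own it limits but does not rule out a zip bomb (a small archive can still declare a very large uncompressed size). Consider also reading each entry's declared uncompressed size (e.g. `ZipArchive::statIndex()` gives `size` and `comp_size`) and rejecting the upload when the total or the per-entry ratio exceeds a limit before anything is extracted. A comment explaining why 1 MB was chosen would also help the next maintainer, since the inline note already says it is adjustable.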
Is this making the max size just 1 MB ?
(just checking; maybe is acceptable for manage_document_templates uploads)
Yes! Making sure that if it is a ZIP file, a size larger than 1 MB can be denied (although this can be changed or even removed based on what the requirements are).
Fixes #7406
Short description of what this resolves:
Changes Proposed in the PR
a. ZIP bombs:
b. Large ZIP files
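The two points above (a compressed-size cap against large ZIP files, plus a bomb check) combined in one upload validator, as an added example that is not OpenEMR's code; the 1 MB cap matches the PR, while `MAX_UNCOMPRESSED_BYTES`, `MAX_RATIO` and the function name are assumed values chosen for illustration.

```php
<?php
// Added example, not OpenEMR's code: reject a ZIP upload on compressed size,
// then inspect each entry's declared uncompressed size before extracting.

const MAX_ZIP_BYTES = 1048576;           // 1 MB cap on the compressed upload, as in the PR
const MAX_UNCOMPRESSED_BYTES = 52428800; // 50 MB total expansion (assumed policy value)
const MAX_RATIO = 100;                   // reject entries expanding more than 100x (assumed)

/**
 * Returns null when the archive is acceptable, otherwise a rejection reason.
 * $path is the temporary upload path (e.g. $_FILES['file']['tmp_name']).
 */
function checkZipUpload(string $path): ?string
{
    $compressed = filesize($path);
    if ($compressed === false || $compressed > MAX_ZIP_BYTES) {
        return 'zip larger than ' . MAX_ZIP_BYTES . ' bytes';
    }

    // Content check rather than extension check: a non-zip file fails to open.
    $zip = new ZipArchive();
    if ($zip->open($path, ZipArchive::CHECKCONS) !== true) {
        return 'not a valid zip archive';
    }

    $total = 0;
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $stat = $zip->statIndex($i);
        if ($stat === false) {
            $zip->close();
            return 'unreadable entry';
        }
        $total += $stat['size'];
        // A tiny compressed entry with a huge declared size is the zip-bomb signature.
        $ratio = $stat['comp_size'] > 0
            ? $stat['size'] / $stat['comp_size']
            : ($stat['size'] > 0 ? PHP_INT_MAX : 0);
        if ($ratio > MAX_RATIO) {
            $zip->close();
            return "entry {$stat['name']} exceeds the compression ratio limit";
        }
        if ($total > MAX_UNCOMPRESSED_BYTES) {
            $zip->close();
            return 'archive expands beyond ' . MAX_UNCOMPRESSED_BYTES . ' bytes';
        }
    }
    $zip->close();
    return null;
}
```

The central-directory sizes are declared values, so extraction should still enforce a byte budget as it writes files, and nested archives should not be unpacked recursively.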