security question


curious

Oct 21, 2016, 6:18:02 AM
to Joomla! General Development

I need to know about addAttachment in a custom mail form using JMail.

Is there some Joomla file check inside this function? Allowed types?
How to sanitize files, for example doc, pdf, xls, images only?

What problems with security are to be expected, and what is already avoided by default?

Any recommendation for using this and staying secure?

Or would it be better to use, for example, a plugin like DPattachment, or a form component?

Hannes Papenberg

Oct 21, 2016, 8:06:51 AM
to joomla-de...@googlegroups.com
JMail has no checks for what you add as attachment to the mail that you
are sending. That is not the task of the class. You have to do those
checks in your own code. It is normally expected that the attachments
are from trusted sources (or sanitised before).

Hannes

Bakual

Oct 21, 2016, 10:18:13 AM
to Joomla! General Development
I think if you upload the file using JFile::upload (https://api.joomla.org/cms-3/classes/JFile.html#method_upload) you get some security checks.


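Added example, not part of the thread and not Joomla's own code: one way to do the caller-side check described above, as an allow-list validation that runs before the file reaches JMail::addAttachment(). The helper name `checkAttachment`, the allowed types, the size limit and the form field name `attachment` are assumptions, as is PHP 7.1+ with the fileinfo extension.

```php
<?php
// Added example: validate an uploaded file before attaching it to a mail.
// JMail::addAttachment() performs no checks, so the caller has to.

// Assumed policy: extension => content types accepted for that extension.
// Legacy Office files are reported differently across libmagic versions.
const ALLOWED_ATTACHMENTS = [
    'pdf'  => ['application/pdf'],
    'doc'  => ['application/msword', 'application/vnd.ms-office'],
    'xls'  => ['application/vnd.ms-excel', 'application/vnd.ms-office'],
    'png'  => ['image/png'],
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
];
const MAX_ATTACHMENT_BYTES = 5 * 1024 * 1024; // assumed 5 MiB limit

/**
 * Returns a safe display name for the attachment, or throws.
 * $file is one entry in the $_FILES layout (name, tmp_name, error, size).
 * $isUpload exists only so a CLI test can replace is_uploaded_file().
 */
function checkAttachment(array $file, ?callable $isUpload = null): string
{
    $isUpload = $isUpload ?: 'is_uploaded_file';
    $tmp = $file['tmp_name'] ?? '';
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK || !$isUpload($tmp)) {
        throw new RuntimeException('Upload failed or file is not an upload');
    }
    $size = filesize($tmp); // measured on disk, not the client-reported size
    if ($size === false || $size === 0 || $size > MAX_ATTACHMENT_BYTES) {
        throw new RuntimeException('File is empty or too large');
    }
    // Drop any client path and keep a conservative character set.
    $name = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($file['name'] ?? ''));
    $ext  = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!isset(ALLOWED_ATTACHMENTS[$ext])) {
        throw new RuntimeException('File type not allowed');
    }
    // Sniff the content; the client-supplied $file['type'] is not trusted.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmp);
    if (!in_array($mime, ALLOWED_ATTACHMENTS[$ext], true)) {
        throw new RuntimeException('Content does not match extension');
    }
    return $name;
}

// Inside a Joomla 3 controller (assumed form field name "attachment"):
// $file = JFactory::getApplication()->input->files->get('attachment');
// $name = checkAttachment($file);
// JFactory::getMailer()->addAttachment($file['tmp_name'], $name);
```

A matching extension and content type only shows the file is what it claims to be; macro-enabled documents or malicious PDFs still pass, so scanning remains a separate step.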

curious

Oct 22, 2016, 3:48:15 AM
to Joomla! General Development