Skip to content

important fix: process uploads only if configuration allows it #83

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
Markus-Gurkcity wants to merge 1 commit into
base: dev
Choose a base branch
from
Open

important fix: process uploads only if configuration allows it #83

Markus-Gurkcity wants to merge 1 commit into from

Conversation

@Markus-Gurkcity
Copy link

@Markus-Gurkcity Markus-Gurkcity commented Oct 16, 2025

Questions Answers
Description? The PS configuration PS_CUSTOMER_SERVICE_FILE_UPLOAD only removes content from the template. there must be a validation in the process/send method if this configuration is enabled. See extended description and screenshots below...
Type? bug fix / critical
BC breaks? no
Deprecations? no
Fixed ticket? Fixes PrestaShop/Prestashop#{issue number here}.
How to test? Please indicate how to best verify that this PR is correct.

Description:
in contactform module the PS configuration PS_CUSTOMER_SERVICE_FILE_UPLOAD is assigned to the template. If this configuration is false the upload file input and the form multipart attribute will be removed from the html:
image
image
The issue:
If a attacker modifies the html form in the browser and adds the form file upload input, the file will be send to prestashop an will be uploaded.
image
Fix:
check the configuration at the process/send method and reject any file uploads:
image

@ps-jarvis
Copy link

ps-jarvis commented Oct 16, 2025

Hello @Markus-Gurkcity!

This is your first pull request on contactform repository of the PrestaShop project.

Thank you, and welcome to this Open Source community!

@github-project-automation github-project-automation bot moved this to Ready for review in PR Dashboard Oct 16, 2025
@Hlavtox Hlavtox added this to the 4.4.4 milestone Nov 15, 2025
matthieu-rolland
matthieu-rolland approved these changes Nov 20, 2025
View reviewed changes
Copy link
Contributor

@matthieu-rolland matthieu-rolland left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thank you @Markus-Gurkcity

@paulnoelcholot here is checking that the configuration allows file upload on the backend side, so that it's not possible to bypass this just by modifying the html in the browser

paulnoelcholot
paulnoelcholot reviewed Nov 20, 2025
View reviewed changes
Copy link

@paulnoelcholot paulnoelcholot left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

QA by dev, since the How to Test is a bit hard to follow for a manual QA

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@paulnoelcholot paulnoelcholot paulnoelcholot left review comments

@matthieu-rolland matthieu-rolland matthieu-rolland approved these changes

@kpodemski kpodemski kpodemski approved these changes

@Hlavtox Hlavtox Hlavtox approved these changes

Assignees

No one assigned

Labels

waiting for QA

Projects

PR Dashboard
Status: Ready for review

Milestone

4.4.4

Development

Successfully merging this pull request may close these issues.

6 participants

@Markus-Gurkcity @ps-jarvis @matthieu-rolland @kpodemski @Hlavtox @paulnoelcholot