Based on the analysis done at "Analyze security relevance of FlashMagicBytes check":
DXP uses a FlashMagicBytesUtil to check whether files are Adobe Flash movies (regardless of their extension). This was added for security reasons, to protect against CSRF attacks using uploaded Flash files.
From Tomáš Polešovský:
This would be relevant as long as we support browsers that support Flash. Once all supported browsers discard Flash we can remove. Thanks.
All browsers in our possible compatibility matrix for 7.4 will have dropped Flash by the time we release as per their roadmaps:
- Chrome: Flash Player blocked as "out of date" (Target: All Chrome versions - Jan 2021)
- Firefox: In January 2021, Firefox 85 will completely remove Flash support. Adobe will stop shipping security updates for Flash at the end of 2020.
- Safari: Apple just released the latest Safari Technology preview. It comes with many changes, most notably the removal of support for Adobe Flash.
Based on that, the goal of this task is to remove unnecessary FlashMagicBytes checks.
- The FlashMagicBytesUtil and FlashMagicBytesUtilTest classes are deprecated
- All usages of FlashMagicBytesUtil are eliminated
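
For reference, a minimal sketch of the kind of content-based check described above, which flags a Flash movie by its leading bytes rather than its file name. This is an added example, not the DXP FlashMagicBytesUtil code: the class and method names are hypothetical, the sample inputs are constructed, and it relies only on the three-byte SWF signatures `FWS`, `CWS` and `ZWS`.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.PushbackInputStream;
import java.util.Arrays;

// Hypothetical illustration class; not part of DXP.
public class SwfSniffExample {

    private static final int SIGNATURE_LENGTH = 3;

    // SWF signatures: "FWS" (uncompressed), "CWS" (zlib), "ZWS" (LZMA).
    private static final byte[][] SIGNATURES = {
        {'F', 'W', 'S'}, {'C', 'W', 'S'}, {'Z', 'W', 'S'}
    };

    // Peeks at the first three bytes and pushes them back, so the caller
    // can still store or scan the complete upload afterwards.
    public static boolean isFlash(PushbackInputStream in) throws IOException {
        byte[] head = new byte[SIGNATURE_LENGTH];
        int total = 0;
        while (total < SIGNATURE_LENGTH) {
            int n = in.read(head, total, SIGNATURE_LENGTH - total);
            if (n < 0) {
                break; // upload shorter than a signature
            }
            total += n;
        }
        in.unread(head, 0, total);
        if (total < SIGNATURE_LENGTH) {
            return false;
        }
        for (byte[] signature : SIGNATURES) {
            if (Arrays.equals(signature, head)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws IOException {
        // Constructed samples: SWF-style header uploaded as "avatar.png",
        // and a genuine PNG header.
        byte[] disguised = {'C', 'W', 'S', 0x0A, 0x10, 0x00, 0x00, 0x00};
        byte[] png = {(byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A};
        for (byte[] sample : new byte[][] {disguised, png}) {
            PushbackInputStream in = new PushbackInputStream(
                new ByteArrayInputStream(sample), SIGNATURE_LENGTH);
            System.out.println("flash=" + isFlash(in)
                + " bytesStillReadable=" + in.available());
        }
    }
}
```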