Uploaded image for project: 'PUBLIC - Liferay Portal Community Edition'
  1. PUBLIC - Liferay Portal Community Edition
  2. LPS-82717

Basic document name overrides file name and file extension, loading to possible spoofing of downloaded file names and extensions




      When creating a basic document and naming it before uploading a file to it, when the file is downloaded the document's name is used. This hides the name of the uploaded file which means that the extension can be spoofed and the browser will download the file with the wrong extension.

      It looks like there are three parts to this:

      1. The uploaded file can be rendered unusable if the title of the document contains a different file extension than the uploaded file itself (unusable to anyone who does not know the proper file extension at least)
      2. When attempting to address the above behavior it is possible to assign a second file extension to the file when it is downloaded (see Steps 7-8)
      3. If a file is uploaded to the document, why does the file name not replace the text within the title field? This looks like it is the intended behavior but it seems odd.

      Would locking the "title" field and syncing it to the uploaded file's name be a way to resolve this? It seems odd that when a file is uploaded before the title field is filled, the file's name is entered into the title field. However if the title field is already propagated then the file's name does not replace the text in the field.

      Steps to reproduce

      1. Create a new basic document with only a title (no file attachment)
      2. Set the title of the file to be test.exe and publish (having no file attached)
      3. Edit the file to upload a windows batch file ("test.bat")
      4. Note the file extension in icon view shows correctly as BAT the "file name" displays as "test.exe"
      5. Download the file
      6. Note the file downloads as an EXE instead which is not correct
      7. Edit the file again, change the file extension in the title (to .msi for example) and re-upload the bat file and publish
      8. Note the file now downloads as a BAT but has a double file extension ("test.msi.bat")

      Results of Testing

      Expected Result: The file will download using the name and extension it was uploaded with.

      Actual Result: The file is downloaded using the document title and possibly the file's extension if the document has been edited.




      Reproduced: 8cb2c9380871e48f7b904a2addc5c37419a54315


      Reproduced: eb0ca13131f91904395187a0d03ba923a94b828f


        1. master-1.PNG
          7 kB
        2. master-2.PNG
          20 kB



            • Votes:
              1 Vote for this issue
              1 Start watching this issue


              • Created:
                Days since last comment:
                2 years, 8 weeks, 1 day ago


                Version Package
                7.0.0 DXP FP55
                7.0.0 DXP SP9
                7.1.10 DXP FP1
                7.1.1 CE GA2