Recently we discovered that one of our clients had malware hidden in images that were being uploaded by the
The client is using 1.0.7 on Magento 2.3.5 EE, which appears to be the latest version. Images that are uploaded through your module are not sanitized or validated as Magento core does through their native upload functionality, which allows malicious actors to upload images with toxic EXIF data and embedded scripts in the images themselves.
These images are not renamed either and are discoverable through a public directory before being formally approved, and are viewable by both admin users and normal users on product pages.
This problem can be fixed by adding the following lines to the SaveImages controller:
$imageAdapter = $this->adapterFactory->create();
$uploader->addValidateCallback('catalog_product_image', $imageAdapter, 'validateUploadFile');
For implementation reference see Magento\Catalog\Controller\Adminhtml\Product\Gallery\Upload.
Contributor: Mr Aron Sigurdsson-Morris
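The two lines quoted above only register the image-adapter check; a controller that actually closes the gap described in the report also needs an extension allow-list, renaming and a storage path the uploader controls. The following is an added example of such a frontend SaveImages action, modelled on Magento\Catalog\Controller\Adminhtml\Product\Gallery\Upload; it is not the extension's own code or the attached file. The namespace mirrors the path in the report, while the file input name `image`, the pending directory `bss/customer_images/pending` and the JSON response shape are assumptions. The final re-encode step relies on the GD adapter writing a fresh image without the original's EXIF segment, which is how GD behaves but is not something the report itself states.

```php
<?php
declare(strict_types=1);

// Added example (not the vendor's code): a hardened customer-image upload action
// modelled on Magento\Catalog\Controller\Adminhtml\Product\Gallery\Upload.
namespace Bss\ProductImagesByCustomer\Controller\Index;

use Magento\Framework\App\Action\Action;
use Magento\Framework\App\Action\Context;
use Magento\Framework\App\Filesystem\DirectoryList;
use Magento\Framework\Controller\Result\JsonFactory;
use Magento\Framework\Exception\LocalizedException;
use Magento\Framework\Filesystem;
use Magento\Framework\Image\AdapterFactory;
use Magento\MediaStorage\Model\File\UploaderFactory;

class SaveImages extends Action
{
    /** Directory under pub/media holding images awaiting approval (assumed path). */
    private const PENDING_DIR = 'bss/customer_images/pending';

    private UploaderFactory $uploaderFactory;
    private AdapterFactory $adapterFactory;
    private Filesystem $filesystem;
    private JsonFactory $jsonFactory;

    public function __construct(
        Context $context,
        UploaderFactory $uploaderFactory,
        AdapterFactory $adapterFactory,
        Filesystem $filesystem,
        JsonFactory $jsonFactory
    ) {
        parent::__construct($context);
        $this->uploaderFactory = $uploaderFactory;
        $this->adapterFactory = $adapterFactory;
        $this->filesystem = $filesystem;
        $this->jsonFactory = $jsonFactory;
    }

    public function execute()
    {
        $result = $this->jsonFactory->create();
        try {
            // 'image' is the assumed name of the <input type="file"> in the upload form.
            $uploader = $this->uploaderFactory->create(['fileId' => 'image']);

            // 1. Extension allow-list, checked against the client-supplied file name.
            $uploader->setAllowedExtensions(['jpg', 'jpeg', 'gif', 'png']);

            // 2. The fix from the report: the image adapter must be able to parse the
            //    temp file (getimagesize + decode), so a non-image renamed to .jpg is
            //    rejected before it is ever moved into pub/media.
            $imageAdapter = $this->adapterFactory->create();
            $uploader->addValidateCallback('catalog_product_image', $imageAdapter, 'validateUploadFile');

            // 3. Do not keep the client-chosen name as-is: rename on collision and
            //    disperse into hashed subdirectories so stored paths are not trivially
            //    predictable while the image is still pending approval.
            $uploader->setAllowRenameFiles(true);
            $uploader->setFilesDispersion(true);

            $mediaDir = $this->filesystem->getDirectoryWrite(DirectoryList::MEDIA);
            $saved = $uploader->save($mediaDir->getAbsolutePath(self::PENDING_DIR));

            // 4. Re-encode the stored copy through the image adapter so metadata
            //    (EXIF and similar) carried in the original is not what gets served.
            $storedPath = rtrim($saved['path'], '/') . '/' . ltrim($saved['file'], '/');
            $imageAdapter->open($storedPath);
            $imageAdapter->save($storedPath);

            return $result->setData(['success' => true, 'file' => $saved['file']]);
        } catch (LocalizedException $e) {
            return $result->setData(['success' => false, 'error' => $e->getMessage()]);
        } catch (\Exception $e) {
            // Do not echo low-level details (paths, PHP warnings) back to the browser.
            return $result->setData(['success' => false, 'error' => (string) __('Image could not be saved.')]);
        }
    }
}
```

The validate callback runs on the PHP temp file before `save()` moves anything, which is what makes it effective: a rejected upload never reaches a web-reachable directory. Step 4 is the practitioner's caveat to the original two-line fix, since `validateUploadFile` confirms the file decodes as an image but does not strip anything from it.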
To fix this error, please edit the file app/code/Bss/ProductImagesByCustomer/Controller/Index/SaveImages.php as below:
Or download the attached file below and overwrite the current file on your site.
If you have any other questions or concerns, please feel free to contact us. We'd be happy to support!