if they're not valid UTF-8, interpret them in CP437 (which is
the original encoding used by PKZIP)
test plan: you should be able to upload and extract the
zip file attached to the ticket
fixes CNVS-21430
Change-Id: Ieaf16b03b390403ceec406ec27535c4da20eb6be
Reviewed-on: https://gerrit.instructure.com/57118
Tested-by: Jenkins
Reviewed-by: James Williams <jamesw@instructure.com>
QA-Review: Jahnavi Yetukuri <jyetukuri@instructure.com>
Product-Review: Jeremy Stanley <jeremy@instructure.com>
refs #CNVS-20621
Change-Id: I37681cefa92235ccfc88ce6126cf4bdb08dba1bf
Reviewed-on: https://gerrit.instructure.com/54700
Tested-by: Jenkins
Reviewed-by: Jeremy Stanley <jeremy@instructure.com>
Product-Review: James Williams <jamesw@instructure.com>
QA-Review: James Williams <jamesw@instructure.com>
also tweak a couple random little things because why not
test plan:
* create a course with a file
* import the package referenced in the ticket
* should not attach the file to every imported
discussion topic
closes #CNVS-14520
Change-Id: Icf30b0a62d0d8f8ab6ced84990def1525ff061a4
Reviewed-on: https://gerrit.instructure.com/41760
Tested-by: Jenkins <jenkins@instructure.com>
Reviewed-by: Jeremy Stanley <jeremy@instructure.com>
Product-Review: Jeremy Stanley <jeremy@instructure.com>
QA-Review: Clare Strong <clare@instructure.com>
also add limits for byte size and file count to prevent
zip/tar "bombs"
test plan:
* import the package referenced in the ticket
* should import successfully
* content migration regressions
closes #CNVS-14303 #CNVS-14428
Change-Id: Ia424b5260e34f35b62ca47f7aafa77118c4f5b5b
Reviewed-on: https://gerrit.instructure.com/37881
Reviewed-by: Jeremy Stanley <jeremy@instructure.com>
Tested-by: Jenkins <jenkins@instructure.com>
QA-Review: Trevor deHaan <tdehaan@instructure.com>
Product-Review: James Williams <jamesw@instructure.com>
extract core unzip functionality into canvas_unzip gem, and put
security logic there. use this gem instead of shelling out to
`unzip` (which does not have the option to skip symlinks).
test plan:
1. import 'evil_course_2.imscc' from CNVS-14338
* there should be an import warning
* you should get a blank syllabus body and
definitely not see sensitive system data
2. import 'evil_sis_import.zip' from CNVS-14346
* a file called '/tmp/pwn3d' should not have been
created on your app server
3. sanity check the parts of canvas that unzip things:
* course copy
* course import
* zip content imports via the API
* zip file uploads from files page
* assignment submission comments download/upload
* sis imports
fixes CNVS-14338
fixes CNVS-14346
Change-Id: I38fa141653eb7bc483e99a28a135831b8cb3b2a6
Reviewed-on: https://gerrit.instructure.com/37959
Reviewed-by: Cody Cutrer <cody@instructure.com>
QA-Review: Clare Strong <clare@instructure.com>
Tested-by: Jenkins <jenkins@instructure.com>
Product-Review: Jeremy Stanley <jeremy@instructure.com>
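The checks the commits above describe (CP437 fallback for entry names, skipping symlinks, refusing entries that would land outside the destination, and byte/file-count limits against zip "bombs"), collected into one added Ruby example that is not the canvas_unzip gem's own code. `Entry`, `SafeUnzipPolicy` and `UnzipLimitExceeded` are assumed names; `Entry` stands in for whatever zip reader supplies the raw entry metadata.

```ruby
# Added example, not code from the canvas_unzip gem: the per-entry policy a
# safe unzipper applies before writing anything. Entry is a stand-in for the
# zip reader's entry object: raw byte-string name, uncompressed size and a
# symlink flag derived from the entry's unix mode bits.
Entry = Struct.new(:raw_name, :size, :symlink)

class UnzipLimitExceeded < StandardError; end

class SafeUnzipPolicy
  attr_reader :bytes, :count, :warnings

  def initialize(max_bytes:, max_files:)
    @max_bytes, @max_files = max_bytes, max_files
    @bytes = @count = 0
    @warnings = []
  end

  # Entry names are just bytes. Modern writers use UTF-8; PKZIP's original
  # encoding was CP437, so fall back to it when the bytes are not valid UTF-8.
  def decode_name(raw)
    utf8 = raw.dup.force_encoding(Encoding::UTF_8)
    return utf8 if utf8.valid_encoding?
    raw.dup.force_encoding(Encoding::CP437).encode(Encoding::UTF_8)
  end

  # Returns the path to write under dest, or nil (with a warning recorded)
  # when the entry must be skipped. Raises UnzipLimitExceeded once the
  # cumulative file count or byte total exceeds the configured limits, which
  # stops a zip "bomb" before it fills the disk.
  def check(entry, dest)
    name = decode_name(entry.raw_name)
    if entry.symlink
      @warnings << "skipped symlink #{name}" # never create links from archives
      return nil
    end
    parts = name.split(%r{[\\/]}).reject { |p| p.empty? || p == '.' }
    # Absolute names, drive letters and '..' components would let an entry
    # land outside dest (e.g. /tmp/pwn3d or ../../etc/passwd).
    if name =~ %r{\A([\\/]|[A-Za-z]:)} || parts.include?('..') || parts.empty?
      @warnings << "skipped unsafe path #{name}"
      return nil
    end
    @count += 1
    @bytes += entry.size
    raise UnzipLimitExceeded, "more than #{@max_files} files" if @count > @max_files
    raise UnzipLimitExceeded, "more than #{@max_bytes} bytes" if @bytes > @max_bytes
    target = File.join(dest, *parts)
    # Belt and braces: the resolved path must still be inside dest.
    raise "escaped destination: #{target}" unless File.expand_path(target).start_with?(File.expand_path(dest) + '/')
    target
  end
end
```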