# Vulnerability Summary

## Vulnerability Overview

The image upload endpoint served by the `UploadView` class in `meditor/views.py` performed no authentication check: any client, authenticated or not, could POST a file to it and have the file written beneath `MEDIA_ROOT`. The fix (commit 3e80f9e) introduces an `upload_require_auth` configuration item and makes `UploadView.post()` reject unauthenticated requests when it is enabled.

Note that `upload_require_auth` defaults to `False`. With the default configuration the authentication check is skipped and unauthenticated uploads remain possible, so operators who want the endpoint protected must set `upload_require_auth` to `True` explicitly.

## Impact Scope

- Affected file: `meditor/views.py`
- Affected functionality: image upload endpoint (`/editor/upload-image-file`)
- Affected versions: all versions prior to commit 3e80f9e
- Risk level: High (unauthorized file upload may lead to server compromise, data leakage, etc.)

## Remediation

1. Add a new configuration item `upload_require_auth` in `meditor/configs.py` with a default value of `False`.
2. In the `UploadView.post()` method within `meditor/views.py`, decide whether to perform the authentication check based on the `upload_require_auth` configuration:
   - When `upload_require_auth` is `True`, verify that the user is authenticated and reject the request otherwise.
   - When `upload_require_auth` is `False`, skip the authentication check.
3. In deployments that must not accept anonymous uploads, set `upload_require_auth` to `True`; the default leaves the endpoint open.
## POC Code

Key code snippet from `meditor/views.py` after the fix. Before commit 3e80f9e the `upload_require_auth` block was absent, so the method proceeded straight to the file checks for every request. The excerpt ends at the image-folder check, as in the original.

```python
# Key code snippet from meditor/views.py (post-fix version)
import os

from django.conf import settings
from django.http import JsonResponse
from django.views import generic
from PIL import Image

# Assumed import path; the advisory places the config item in meditor/configs.py.
from .configs import MEDITOR_CONFIGS


class UploadView(generic.View):
    """ upload image file """

    def post(self, request, *args, **kwargs):
        upload_image = request.FILES.get('editorod-image-file', None)
        media_root = settings.MEDIA_ROOT
        # Defaults to False, so the check below is skipped unless configured.
        upload_require_auth = MEDITOR_CONFIGS.get('upload_require_auth', False)

        # Check if user is authenticated if it is required
        if upload_require_auth and not request.user.is_authenticated:
            return JsonResponse({
                'success': 0,
                'message': "Authentication required.",
                'url': ""
            })

        # image none check
        if not upload_image:
            return JsonResponse({
                'success': 0,
                'message': "File format not recognized.",
                'url': ""
            })

        # Image.open() only parses the header; a file that starts with a valid
        # image header but carries other content after it still passes.
        try:
            Image.open(upload_image)
        except Exception:
            return JsonResponse({
                'success': 0,
                'message': "File format not recognized.",
                'url': ""
            })

        # image folder check
        file_path = os.path.join(media_root, MEDITOR_CONFIGS['image_folder'])
        if not os.path.exists(file_path):
            os.makedirs(file_path)
        # (remainder of the method omitted in the original excerpt)
```
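The following is an added example, not code from the meditor project: a dependency-free model of the config-gated authentication check that the fixed `UploadView.post()` performs, run against the remediation's default configuration (`upload_require_auth = False`) and against a hardened one (`True`). It replaces Django's request objects with plain arguments and PIL's `Image.open()` with a magic-byte check so it runs stand-alone; the configs, `image_type`, `handle_upload`, `run_upload`, the content-hash file naming and the `/media/...` URL are assumptions for illustration, while `upload_require_auth`, `image_folder` and the `{'success', 'message', 'url'}` response shape come from the advisory.

```python
"""Added example (not the project's code): model of the config-gated auth
check in the fixed UploadView.post(), exercised with the default and the
hardened value of upload_require_auth."""
import hashlib
import os
import tempfile

# Constructed configs: the first reproduces the fix's default, the second is
# the setting an operator must choose to actually enforce authentication.
DEFAULT_CONFIG = {"upload_require_auth": False, "image_folder": "editor"}
HARDENED_CONFIG = {"upload_require_auth": True, "image_folder": "editor"}

# Magic-byte check used here instead of PIL's Image.open() so the example
# runs without Pillow; it plays the same role as the view's image gate.
_IMAGE_MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}


def image_type(data):
    """Return an extension for recognised image bytes, else None."""
    for magic, ext in _IMAGE_MAGIC.items():
        if data.startswith(magic):
            return ext
    return None


def handle_upload(config, user_is_authenticated, upload, media_root):
    """Model of UploadView.post(); returns the view's JSON payload as a dict."""
    def fail(message):
        return {"success": 0, "message": message, "url": ""}

    # Same gate as the fixed view: enforced only when the config enables it,
    # so DEFAULT_CONFIG lets an anonymous caller straight through.
    if config.get("upload_require_auth", False) and not user_is_authenticated:
        return fail("Authentication required.")
    if not upload:
        return fail("File format not recognized.")
    ext = image_type(upload)
    if ext is None:
        return fail("File format not recognized.")

    folder = os.path.join(media_root, config["image_folder"])
    os.makedirs(folder, exist_ok=True)
    # Assumed naming policy: a server-chosen, content-derived name so the
    # client never influences the path written under media_root.
    name = hashlib.sha256(upload).hexdigest()[:16] + "." + ext
    with open(os.path.join(folder, name), "wb") as fh:
        fh.write(upload)
    return {"success": 1, "message": "OK",
            "url": "/media/%s/%s" % (config["image_folder"], name)}  # assumed URL layout


def run_upload(config, user_is_authenticated, upload):
    """Run one upload against a throwaway media root and return the response."""
    with tempfile.TemporaryDirectory() as root:
        return handle_upload(config, user_is_authenticated, upload, root)


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + bytes(16)  # constructed stand-in image bytes
    print("default,  anonymous :", run_upload(DEFAULT_CONFIG, False, png))
    print("hardened, anonymous :", run_upload(HARDENED_CONFIG, False, png))
    print("hardened, logged in :", run_upload(HARDENED_CONFIG, True, png))
    print("hardened, non-image :", run_upload(HARDENED_CONFIG, True, b"<?php echo 1;"))
```

Running the block shows the point of the advisory's caveat: the anonymous PNG upload succeeds under `DEFAULT_CONFIG` and is refused with "Authentication required." only under `HARDENED_CONFIG`. The check also runs before any file handling, so an anonymous request is rejected without touching the media directory.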