v1.0.7 Fix invalidate error image upload

Created by Jane D, Modified on Fri, 05 Feb 2021 at 03:28 PM by Jane D


Recently we discovered that one of our clients had malware hidden in images that were being uploaded by the


The client is using 1.0.7 on Magento 2.3.5 EE, which appears to be the latest version. Images that are uploaded through your module are not sanitized or validated as Magento core does through their native upload functionality, which allows malicious actors to upload images with toxic EXIF data and embedded scripts in the images themselves. 

These images are not renamed either and are discoverable through a public directory before being formally

 approved, and are viewable by both admin users and normal users on product pages.

This problem can be fixed by adding the following lines to the SaveImages controller:

$imageAdapter = $this->adapterFactory->create();
$uploader->addValidateCallback('catalog_product_image', $imageAdapter, 'validateUploadFile');

For implementation reference see Magento\Catalog\Controller\Adminhtml\Product\Gallery\Upload.

Contributor: Mr Aron Sigurdsson-Morris


To fix this error, please edit the file app/code/Bss/ProductImagesByCustomer/Controller/Index/SaveImages.php as below:

Or download the attached file below and overwrite the current file on your site. 

If you have any other question or concern, please feel free to contact us. We'd be happy to support!

Was this article helpful?

That’s Great!

Thank you for your feedback

Sorry! We couldn't be helpful

Thank you for your feedback

Let us know how can we improve this article!

Select atleast one of the reasons
CAPTCHA verification is required.

Feedback sent

We appreciate your effort and will try to fix the article