security fix: avoid excutable files being uploaded

UniSharp · Nov 16, 2020 · 3420259 · 3420259
1 parent 8d8a7de
commit 3420259
Showing 1 changed file with 9 additions and 2 deletions.
diff --git a/src/LfmPath.php b/src/LfmPath.php
@@ -209,7 +209,7 @@ public function sortByColumn($arr_items)
 
     public function error($error_type, $variables = [])
     {
-        return $this->helper->error($error_type, $variables);
+        throw new \Exception($this->helper->error($error_type, $variables));
     }
 
     // Upload section
@@ -250,8 +250,15 @@ private function uploadValidator($file)
             return $this->error('file-exist');
         }
 
+        $mimetype = $file->getMimeType();
+
+        $excutable = ['text/x-php'];
+
+        if (in_array($mimetype, $excutable)) {
+            throw new \Exception('Invalid file detected');
+        }
+
         if (config('lfm.should_validate_mime', false)) {
-            $mimetype = $file->getMimeType();
             if (false === in_array($mimetype, $this->helper->availableMimeTypes())) {
                 return $this->error('mime') . $mimetype;
             }