From 34202590a88ecfc598c6dc70dae8b306710d4df2 Mon Sep 17 00:00:00 2001
From: Stream
Date: Mon, 16 Nov 2020 18:51:46 +0800
Subject: [PATCH] security fix: avoid excutable files being uploaded

---
 src/LfmPath.php | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/src/LfmPath.php b/src/LfmPath.php
index e0d7641d..9c57dd8e 100644
--- a/src/LfmPath.php
+++ b/src/LfmPath.php
@@ -209,7 +209,7 @@ public function sortByColumn($arr_items)
     public function error($error_type, $variables = [])
     {
-        return $this->helper->error($error_type, $variables);
+        throw new \Exception($this->helper->error($error_type, $variables));
     }
 
     // Upload section
@@ -250,8 +250,15 @@ private function uploadValidator($file)
             return $this->error('file-exist');
         }
 
+        $mimetype = $file->getMimeType();
+
+        $excutable = ['text/x-php'];
+
+        if (in_array($mimetype, $excutable)) {
+            throw new \Exception('Invalid file detected');
+        }
+
         if (config('lfm.should_validate_mime', false)) {
-            $mimetype = $file->getMimeType();
             if (false === in_array($mimetype, $this->helper->availableMimeTypes())) {
                 return $this->error('mime') . $mimetype;
             }
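Review bot: Now that `error()` throws instead of returning, the call site `return $this->error('mime') . $mimetype;` in the second hunk never reaches the concatenation, so the offending MIME type is silently dropped from a message that previously carried it. If the helper interpolates its `$variables` argument, pass the value there, e.g. `return $this->error('mime', ['mime' => $mimetype]);` — the helper is not visible here, so confirm it supports that key. Throwing a bare `\Exception` also leaves callers unable to tell a validation failure from an unexpected error; a dedicated class (constructed example: `LfmValidationException extends \RuntimeException`) would let them catch narrowly. This is a contract change for every existing caller of the public `error()` method that consumed the returned string.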
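Review bot: The new check in `uploadValidator` rejects only the single sniffed label `text/x-php`, but whether a stored upload gets executed is decided by the server's handler mapping on the file's extension, not by content sniffing, and `getMimeType()` can classify source text under other labels depending on its contents, so this denylist is easy to miss. A check that can be reasoned about is an allowlist of permitted extensions, or at minimum a deny of server-executable extensions (`php`, `phtml`, `phar`), evaluated alongside the MIME label; if `$file` is a Symfony/Laravel `UploadedFile`, `getClientOriginalExtension()` provides it — confirm the type. Also pass `true` to `in_array` for a strict comparison, fix the `$excutable` spelling, and consider making the list configurable next to `lfm.should_validate_mime` rather than hard-coding it; the rewritten lines are below, with the existing throw kept.
```php
        $mimetype = $file->getMimeType();
        // The server's handler mapping is keyed on the extension, not on sniffed content.
        $extension = strtolower($file->getClientOriginalExtension());

        $executableMimes = ['text/x-php'];
        $executableExtensions = ['php', 'phtml', 'phar'];

        if (in_array($mimetype, $executableMimes, true)
            || in_array($extension, $executableExtensions, true)) {
            throw new \Exception('Invalid file detected');
        }

        // … unchanged: lfm.should_validate_mime block …
```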