security: update if file extension is executable when uploading files
streamtw committed Nov 15, 2023
1 parent 379dbda commit bd84899
Showing 3 changed files with 18 additions and 2 deletions.
4 changes: 3 additions & 1 deletion src/LfmPath.php
Expand Up @@ -253,7 +253,9 @@ public function validateUploadedFile($file)
$validator->nameIsNotDuplicate($this->getNewName($file), $this);
}

$validator->isNotExcutable(config('lfm.disallowed_mimetypes', ['text/x-php', 'text/html', 'text/plain']));
$validator->mimetypeIsNotExcutable(config('lfm.disallowed_mimetypes', ['text/x-php', 'text/html', 'text/plain']));

$validator->extensionIsNotExcutable(config('lfm.disallowed_extensions', ['php', 'html']));

if (config('lfm.should_validate_mime', false)) {
$validator->mimeTypeIsValid($this->helper->availableMimeTypes());
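Review bot: The fallback lists passed inline to `mimetypeIsNotExcutable` and `extensionIsNotExcutable` duplicate the defaults that `src/config/lfm.php` declares in the same commit, so the two copies can drift (a later widening of `disallowed_extensions` in the config file would not be mirrored here when the key is absent). Either drop the inline defaults so the config file is the single source of truth, or hoist them into named constants on the validator and reference those from this call site. `validateUploadedFile` starts before this hunk and continues after it.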
13 changes: 12 additions & 1 deletion src/LfmUploadValidator.php
Expand Up @@ -61,7 +61,7 @@ public function nameIsNotDuplicate($new_file_name, LfmPath $lfm_path)
return $this;
}

public function isNotExcutable($excutable_mimetypes)
public function mimetypeIsNotExcutable($excutable_mimetypes)
{
$mimetype = $this->file->getMimeType();

Expand All @@ -72,6 +72,17 @@ public function isNotExcutable($excutable_mimetypes)
return $this;
}

public function extensionIsNotExcutable($excutable_extensions)
{
$extension = $this->file->getClientOriginalExtension();

if (in_array($extension, $excutable_extensions)) {
throw new ExcutableFileException();
}

return $this;
}

public function mimeTypeIsValid($available_mime_types)
{
$mimetype = $this->file->getMimeType();
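Review bot: `extensionIsNotExcutable` compares the client-supplied value from `getClientOriginalExtension()` against the configured list with a case-sensitive, loose `in_array`, so a file whose name carries the same extension in upper or mixed case is not rejected even though it is the same type; normalise and compare strictly, `if (in_array(strtolower($extension), $excutable_extensions, true)) {`. The `mimetypeIsNotExcutable` check in the first hunk appears to use the same `in_array` pattern and would benefit from `strict: true` as well, though its body is only partly visible here. The new method is public but untyped and carries the `Excutable` misspelling into a second public name; a short docblock stating that the list is matched against the lowercased extension without a leading dot would make the config contract explicit.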
3 changes: 3 additions & 0 deletions src/config/lfm.php
Expand Up @@ -116,6 +116,9 @@
// mimetypes of executables to prevent from uploading
'disallowed_mimetypes' => ['text/x-php', 'text/html', 'text/plain'],

// extensions of executables to prevent from uploading
'disallowed_extensions' => ['php', 'html'],

// Item Columns
'item_columns' => ['name', 'url', 'time', 'icon', 'is_file', 'is_image', 'thumb_url'],

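Review bot: The comment on `disallowed_extensions` calls the entries "extensions of executables", but `html` is listed because browsers render it as active content, not because the server executes it, and nothing tells the reader that the validator compares the extension string verbatim against this list, so entries must be written without a leading dot and in the casing that is expected to match. A comment such as `// file extensions refused at upload: server-side scripts and browser-rendered active content; matched verbatim, no leading dot` would state the contract the validator in this commit actually applies. The same wording issue exists on the `disallowed_mimetypes` comment just above, which is context here.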
