add additional security check for uploading files

Cockpit-HQ · Mar 17, 2023 · 984ef9a · 984ef9a
1 parent ae97fc8
commit 984ef9a
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 2 deletions.
diff --git a/modules/Assets/bootstrap.php b/modules/Assets/bootstrap.php
@@ -81,7 +81,7 @@
                 $_sizeAllowed = $max_size ? filesize($files['tmp_name'][$i]) < $max_size : true;
 
                 // prevent uploading php files
-                if ($_isAllowed && pathinfo($_file, PATHINFO_EXTENSION) === 'php') {
+                if ($_isAllowed && in_array(strtolower(pathinfo($_file, PATHINFO_EXTENSION)), ['php', 'phar', 'phtml'])) {
                     $_isAllowed = false;
                 }
 

diff --git a/modules/Finder/Controller/Finder.php b/modules/Finder/Controller/Finder.php
@@ -427,7 +427,7 @@ protected function _isFileTypeAllowed($file) {
 
         $allowed = trim($this->app->retrieve('finder.allowed_uploads', '*'));
 
-        if (strtolower(pathinfo($file, PATHINFO_EXTENSION)) == 'php' && !$this->helper('acl')->isSuperAdmin()) {
+        if (in_array(strtolower(pathinfo($file, PATHINFO_EXTENSION)), ['php', 'phar', 'phtml']) && !$this->helper('acl')->isSuperAdmin()) {
             return false;
         }