security: prevent executables from being uploaded

UniSharp · May 15, 2022 · 9e90227 · 9e90227 · mafftor · Feb 21, 2023
1 parent 908ff8e
commit 9e90227
Show file tree

Hide file tree

Showing 3 changed files with 6 additions and 5 deletions.
diff --git a/src/LfmPath.php b/src/LfmPath.php
@@ -253,7 +253,7 @@ public function validateUploadedFile($file)
             $validator->nameIsNotDuplicate($this->getNewName($file), $this);
         }
 
-        $validator->isNotExcutable();
+        $validator->isNotExcutable(config('lfm.disallowed_mimetypes', ['text/x-php', 'text/html', 'text/plain']));
 
         if (config('lfm.should_validate_mime', false)) {
             $validator->mimeTypeIsValid($this->helper->availableMimeTypes());

diff --git a/src/LfmUploadValidator.php b/src/LfmUploadValidator.php
@@ -61,13 +61,11 @@ public function nameIsNotDuplicate($new_file_name, LfmPath $lfm_path)
         return $this;
     }
 
-    public function isNotExcutable()
+    public function isNotExcutable($excutable_mimetypes)
     {
         $mimetype = $this->file->getMimeType();
 
-        $excutable = ['text/x-php'];
-
-        if (in_array($mimetype, $excutable)) {
+        if (in_array($mimetype, $excutable_mimetypes)) {
             throw new ExcutableFileException();
         }
 

diff --git a/src/config/lfm.php b/src/config/lfm.php
@@ -113,6 +113,9 @@
     // setting it to false show `error-file-exist` error and stop upload
     'over_write_on_duplicate'  => false,
 
+    // mimetypes of executables to prevent from uploading
+    'disallowed_mimetypes' => ['text/x-php', 'text/html', 'text/plain'],
+
     // Item Columns
     'item_columns' => ['name', 'url', 'time', 'icon', 'is_file', 'is_image', 'thumb_url'],