security: update if file extension is executable when uploading files

src/LfmPath.php

@@ -253,7 +253,9 @@ public function validateUploadedFile($file)
             $validator->nameIsNotDuplicate($this->getNewName($file), $this);
         }
 
-        $validator->isNotExcutable(config('lfm.disallowed_mimetypes', ['text/x-php', 'text/html', 'text/plain']));
+        $validator->mimetypeIsNotExcutable(config('lfm.disallowed_mimetypes', ['text/x-php', 'text/html', 'text/plain']));
+
+        $validator->extensionIsNotExcutable(config('lfm.disallowed_extensions', ['php', 'html']));
 
         if (config('lfm.should_validate_mime', false)) {
             $validator->mimeTypeIsValid($this->helper->availableMimeTypes());

src/LfmUploadValidator.php

@@ -61,7 +61,7 @@ public function nameIsNotDuplicate($new_file_name, LfmPath $lfm_path)
         return $this;
     }
 
-    public function isNotExcutable($excutable_mimetypes)
+    public function mimetypeIsNotExcutable($excutable_mimetypes)
     {
         $mimetype = $this->file->getMimeType();
 
@@ -72,6 +72,17 @@ public function isNotExcutable($excutable_mimetypes)
         return $this;
     }
 
+    public function extensionIsNotExcutable($excutable_extensions)
+    {
+        $extension = $this->file->getClientOriginalExtension();
+
+        if (in_array($extension, $excutable_extensions)) {
+            throw new ExcutableFileException();
+        }
+
+        return $this;
+    }
+
     public function mimeTypeIsValid($available_mime_types)
     {
         $mimetype = $this->file->getMimeType();

src/config/lfm.php

@@ -116,6 +116,9 @@
     // mimetypes of executables to prevent from uploading
     'disallowed_mimetypes' => ['text/x-php', 'text/html', 'text/plain'],
 
+    // extensions of executables to prevent from uploading
+    'disallowed_extensions' => ['php', 'html'],
+
     // Item Columns
     'item_columns' => ['name', 'url', 'time', 'icon', 'is_file', 'is_image', 'thumb_url'],