Make sure accept_file_types is an INDEXED array, and disallow certain filetypes to be whitelisted #7768

Merged
merged 10 commits into from Apr 11, 2019
Blacklist some common PHP file extensions
bobdenotter committed Apr 3, 2019
commit 91187aef36363a870d60b0a3c1bf8507af34c9e4
4 changes: 4 additions & 0 deletions src/Config.php
Expand Up @@ -308,6 +308,10 @@ protected function parseGeneral()
// as a regex-like string, and we switched to an array. If we find the old style, fall back to the defaults.
unset($general['accept_file_types']);
}

// Just.. Say no to these.
$general['accept_file_types'] = array_diff($general['accept_file_types'], ['sh', 'asp', 'cgi', 'php', 'php3', 'ph3', 'php4', 'ph4', 'php5', 'ph5' ,'phtm', 'phtml']);

// accept uppercase and lowercase file extensions.
$general['accept_file_types'] = array_values(
array_unique(
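Review bot: The `array_diff()` on the added line compares strings case-sensitively and runs before the "accept uppercase and lowercase file extensions" step, so a configured entry such as `PHP` or `Phtml` is not removed by this filter. Lowercase the configured values first, for example with `array_map('strtolower', $general['accept_file_types'])`, and then apply the diff, or move the diff after the case normalisation. Also, if the old-style branch directly above has just run `unset($general['accept_file_types'])`, this line reads a key that no longer exists; guard it with an `isset()`/`is_array()` check or apply the filter once the defaults are in place. The comment `// Just.. Say no to these.` should say why (these extensions can be executed by the web server), and the deny list would be easier to maintain as a named constant than as an inline literal.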