Prevent phar upload in file upload validation
bastianallgeier committed Dec 1, 2020
1 parent e14048c commit 5a569d4
Showing 1 changed file with 9 additions and 9 deletions.
18 changes: 9 additions & 9 deletions app/src/panel/models/page/uploader.php
@@ -1,4 +1,4 @@
<?php
<?php

namespace Kirby\Panel\Models\Page;

Expand Down Expand Up @@ -27,7 +27,7 @@ public function __construct($page, $file = null) {
if($this->file) {
$this->replace();
} else {
$this->upload();
$this->upload();
}

}
Expand Down Expand Up @@ -55,7 +55,7 @@ public function upload() {
// create the initial meta file
// without triggering the update hook
try {
$file->createMeta(false);
$file->createMeta(false);
} catch(Exception $e) {
// don't react on meta errors
// the meta file can still be generated later
Expand All @@ -64,13 +64,13 @@ public function upload() {
// make sure that the file is being marked as updated
touch($file->root());

kirby()->trigger($event, $file);
kirby()->trigger($event, $file);

}

public function replace() {

$file = $this->file;
$file = $this->file;
$upload = new Upload($file->root(), array(
'overwrite' => true,
'accept' => function($upload) use($file) {
Expand Down Expand Up @@ -135,7 +135,7 @@ public function move($upload, $event) {
public function checkUpload($file) {

$filesettings = $this->blueprint->files();
$forbiddenExtensions = array('php', 'html', 'htm', 'exe', kirby()->option('content.file.extension', 'txt'));
$forbiddenExtensions = array('php', 'phar', 'html', 'htm', 'exe', kirby()->option('content.file.extension', 'txt'));
$forbiddenMimes = array_merge(f::$mimes['php'], array('text/html', 'application/x-msdownload'));
$extension = strtolower($file->extension());

Expand All @@ -150,7 +150,7 @@ public function checkUpload($file) {
}

// especially block any connection that contains php
if(str::contains($extension, 'php')) {
if(str::contains($extension, 'php') || str::contains($extension, 'phar')) {
throw new Exception(l('files.add.error.extension.forbidden'));
}

Expand Down Expand Up @@ -187,8 +187,8 @@ public function checkUpload($file) {
// Files blueprint option 'height'
if($file->type() == 'image' and $filesettings->height() and $file->height() > $filesettings->height()) {
throw new Exception('Page only allows image height of ' . $filesettings->height().'px');
}
}

}

}
}
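Review bot: The phar block is extension-only — `'phar'` is added to `$forbiddenExtensions` and `str::contains($extension, 'phar')` to the substring guard, but the MIME half of the check on the unchanged line `$forbiddenMimes = array_merge(f::$mimes['php'], array('text/html', 'application/x-msdownload'));` is not extended, so a phar archive is rejected solely by the name the client supplies. If the `f::$mimes` table carries a phar entry it should be merged in here; if it does not, a comment such as `// phar is blocked by extension only; f::$mimes has no phar entry` on that line would make the asymmetry deliberate rather than an oversight. The substring clause also makes the exact `'phar'` array entry redundant, so a one-line comment `// substring match is the broader guard: any extension containing 'php' or 'phar'` above the `if` would clarify why both exist. More generally this is a hard-coded denylist; if the blueprint's `$filesettings` exposes an accepted-type list, validating against that allowlist would be the more durable fix, though I cannot see that API from this hunk. checkUpload's body begins and ends outside the hunks shown.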
