File uploads: Hard-code common PHP file extensions exclusion

--HG-- branch : 3.16
gunet · May 17, 2024 · 4449cf8 · 4449cf8
1 parent 6b1a327
commit 4449cf8
Showing 1 changed file with 5 additions and 0 deletions.
diff --git a/include/lib/fileUploadLib.inc.php b/include/lib/fileUploadLib.inc.php
@@ -541,6 +541,11 @@ function isWhitelistAllowed($filename) {
 
     $whitelist = explode(',', preg_replace('/\s+/', '', $wh)); // strip any whitespace
 
+    // Hard-code common PHP file extensions exclusion
+    if (preg_match('/\.(php.?|phtml|phar)$/i', $filename)) {
+        return false;
+    }
+
     if (in_array('*', $whitelist)) {
         return true;
     }