Fix RCE: Block PHP extension upload #14

Merged
merged 2 commits into from Sep 16, 2020
Block from uploading PHP files to elFinder
stypr committed Sep 15, 2020
commit e4ef00677ed52f9e5a5fcfcb56b797f5412b5d59
12 changes: 11 additions & 1 deletion cms/soycms/js/elfinder/php/connector.php
Expand Up @@ -153,7 +153,17 @@ function access($attr, $path, $data, $volume, $isDir, $relpath) {
'uploadDeny' => array('all'), // All Mimetypes not allowed to upload
'uploadAllow' => array('image', 'text/plain', 'text/css', 'application/zip', 'application/epub+zip','application/pdf'),// Mimetype `image` and `text/plain` allowed to upload
'uploadOrder' => array('deny', 'allow'), // allowed Mimetype `image` and `text/plain` only
'accessControl' => 'access' // disable and hide dot starting files (OPTIONAL)
'accessControl' => 'access', // disable and hide dot starting files (OPTIONAL)
'attributes' => array(
//フロントコントローラー
array(
'pattern' => '/\\.php(\\.old(\\.[0-9][0-9])?)?$/',
'read' => false,
'write' => false,
'locked' => true,
'hidden' => true,
),
)
),
)
);
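Review bot: The `'pattern'` in the new `'attributes'` entry is a case-sensitive deny-list that matches only names ending in `.php` (optionally followed by `.old` or `.old.NN`), so an upper-case or mixed-case spelling, or any other extension the web server is configured to hand to PHP, falls outside the rule. Consider adding the `i` modifier and, preferably, enforcing an allow-list of file extensions alongside the MIME allow-list in `uploadAllow`, which still accepts `text/plain`. The comment `//フロントコントローラー` ("front controller") also does not say that this entry exists to block PHP uploads; a one-line statement of intent would help whoever maintains the connector next.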