Fix RCE: Block PHP extension upload #14

Merged
merged 2 commits into from
Sep 16, 2020
Block from uploading PHP files to elFinder
stypr authored Sep 15, 2020
commit e4ef00677ed52f9e5a5fcfcb56b797f5412b5d59
12 changes: 11 additions & 1 deletion cms/soycms/js/elfinder/php/connector.php
Expand Up @@ -153,7 +153,17 @@ function access($attr, $path, $data, $volume, $isDir, $relpath) {
'uploadDeny' => array('all'), // All Mimetypes not allowed to upload
'uploadAllow' => array('image', 'text/plain', 'text/css', 'application/zip', 'application/epub+zip','application/pdf'),// Mimetype `image` and `text/plain` allowed to upload
'uploadOrder' => array('deny', 'allow'), // allowed Mimetype `image` and `text/plain` only
'accessControl' => 'access' // disable and hide dot starting files (OPTIONAL)
'accessControl' => 'access', // disable and hide dot starting files (OPTIONAL)
'attributes' => array(
//フロントコントローラー
array(
'pattern' => '/\\.php(\\.old(\\.[0-9][0-9])?)?$/',
'read' => false,
'write' => false,
'locked' => true,
'hidden' => true,
),
)
),
)
);
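Review bot: The `pattern` in the new `attributes` entry is case-sensitive, so it matches only the lowercase suffixes `.php`, `.php.old` and `.php.old.NN`; a name ending in `.PHP` or `.Php` falls outside this rule. Add the `i` modifier (`'/\\.php(\\.old(\\.[0-9][0-9])?)?$/i'`), and since the rule is a denylist for a single extension, check whether any other extension the web server is configured to run as PHP needs the same entry. The comment above the entry (`//フロントコントローラー`, "front controller") also does not say that the rule exists to block PHP uploads; a comment stating that purpose would help the next maintainer.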