Fixed critical upload vulnerability (#552)
Co-authored-by: Nicholas Ferreira <nickguitar.dll@hotmail.com>
Nickguitar and Nicholas Ferreira committed Nov 10, 2021
1 parent 8c82b8a commit b1af3bde1f68bec1c703ad66a3e390f15ed8ebe1
Showing with 9 additions and 3 deletions.
  1. +9 −3 lib/FileUtility.php
@@ -184,11 +184,17 @@ public static function makeSafeFilename($filename)

/* Is the file extension safe? */
$fileExtension = self::getFileExtension($filename);
if (in_array($fileExtension, $GLOBALS['badFileExtensions']))

/* Use a whitelist instead of a blacklist to prevent possible bypasses */
if (!preg_match("/(?i)\.(pdf|docx?|rtf|odt?g?|txt|wpd|jpe?g|png|csv|xlsx?|ppt|msg|heic|tiff?|html?|bmp|wps|xps)$/i", $fileExtension))
{
$filename .= ".txt";
}
/* if (in_array($fileExtension, $GLOBALS['badFileExtensions']))
{
$filename .= '.txt';
}

*/
return $filename;
}

@@ -563,7 +569,7 @@ public static function getUploadFileFromPost($siteID, $subDirectory, $id)
if (!eval(Hooks::get('FILE_UTILITY_SPACE_CHECK'))) return;

$uploadPath = FileUtility::getUploadPath($siteID, $subDirectory);
$newFileName = $_FILES[$id]['name'];
$newFileName = FileUtility::makeSafeFilename($_FILES[$id]['name']);

// Could just while(file_exists) it, but I'm paranoid of infinate loops
// Shouldn't have 1000 files of the same name anyway
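Review bot: In `makeSafeFilename` the allowlist pattern requires a leading `\.` but is matched against `$fileExtension`, not `$filename`; `getFileExtension()` is outside this hunk, and if it returns the bare extension the pattern never matches and every upload is renamed to `.txt`. Matching the full name works either way, and the `D` modifier stops `$` from accepting a trailing newline: `if (!preg_match('/\.(pdf|docx?|rtf|odt?g?|txt|wpd|jpe?g|png|csv|xlsx?|ppt|msg|heic|tiff?|html?|bmp|wps|xps)$/iD', $filename))`. Keeping `html?` on the list means uploaded markup keeps a renderable extension, so it is worth confirming that attachments are served as downloads rather than inline from the application's origin, or removing that entry. The inline `(?i)` duplicates the `/i` flag, and the commented-out `in_array` block could be deleted instead of kept as dead code. The function body starts before the hunk.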
