
Commit 5a569d4

Prevent phar upload in file upload validation
1 parent e14048c commit 5a569d4


1 file changed

+9
-9
lines changed


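--- a/app/src/panel/models/page/uploader.php
+++ b/app/src/panel/models/page/uploader.php
@@ -1,4 +1,4 @@
-<?php
+<?php
 
 namespace Kirby\Panel\Models\Page;
 
@@ -27,7 +27,7 @@ public function __construct($page, $file = null) {
 if($this->file) {
 $this->replace();
 } else {
-$this->upload();
+$this->upload();
 }
 
 }
@@ -55,7 +55,7 @@ public function upload() {
 // create the initial meta file
 // without triggering the update hook
 try {
-$file->createMeta(false);
+$file->createMeta(false);
 } catch(Exception $e) {
 // don't react on meta errors
 // the meta file can still be generated later
@@ -64,13 +64,13 @@ public function upload() {
 // make sure that the file is being marked as updated
 touch($file->root());
 
-kirby()->trigger($event, $file);
+kirby()->trigger($event, $file);
 
 }
 
 public function replace() {
 
-$file = $this->file;
+$file = $this->file;
 $upload = new Upload($file->root(), array(
 'overwrite' => true,
 'accept' => function($upload) use($file) {
@@ -135,7 +135,7 @@ public function move($upload, $event) {
 public function checkUpload($file) {
 
 $filesettings = $this->blueprint->files();
-$forbiddenExtensions = array('php', 'html', 'htm', 'exe', kirby()->option('content.file.extension', 'txt'));
+$forbiddenExtensions = array('php', 'phar', 'html', 'htm', 'exe', kirby()->option('content.file.extension', 'txt'));
 $forbiddenMimes = array_merge(f::$mimes['php'], array('text/html', 'application/x-msdownload'));
 $extension = strtolower($file->extension());
 
@@ -150,7 +150,7 @@ public function checkUpload($file) {
 }
 
 // especially block any connection that contains php
-if(str::contains($extension, 'php')) {
+if(str::contains($extension, 'php') || str::contains($extension, 'phar')) {
 throw new Exception(l('files.add.error.extension.forbidden'));
 }
 
@@ -187,8 +187,8 @@ public function checkUpload($file) {
 // Files blueprint option 'height'
 if($file->type() == 'image' and $filesettings->height() and $file->height() > $filesettings->height()) {
 throw new Exception('Page only allows image height of ' . $filesettings->height().'px');
-}
+}
 
 }
 
-}
+}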
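Review bot: The check at line 153 still treats the extension as a substring denylist, so an upload is refused only when its extension contains `php` or `phar`; anything the web server maps to the PHP handler under a different spelling is not caught here, and the explicit `'phar'` entry added to the array at line 138 is already subsumed by the new `str::contains` clause. A more robust shape is to accept only the extensions the blueprint permits and keep the denylist as a fallback; presumably `$filesettings` exposes such a list — confirm before relying on it. It is also worth confirming that `$file->extension()` returns only the final suffix, since line 140 lowercases and compares whatever it yields. The comment above the condition reads "block any connection that contains php"; `// especially block any extension that contains php or phar` states what the condition actually tests. checkUpload begins before this hunk and the hunk at line 187 shows its end.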
