From becca806c7071ecc732521bb5ad0bb9c64299592 Mon Sep 17 00:00:00 2001
From: Artur Heinze <artur@agentejo.com>
Date: Fri, 10 Mar 2023 11:23:51 +0100
Subject: [PATCH] Prevent uploading php files in assets manager

---
 CHANGELOG.md                 | 4 ++++
 modules/Assets/bootstrap.php | 5 +++++
 2 files changed, 9 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 3e35019d..bf87dcf2 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,9 @@
 # Release Notes
 
+## WIP
+
+- Prevent uploading php files in assets manager
+
 ## 2.4.0 (2023-03-08)
 
 - Add additional security check editing php files in finder
diff --git a/modules/Assets/bootstrap.php b/modules/Assets/bootstrap.php
index 185b2ba4..e1c529f4 100644
--- a/modules/Assets/bootstrap.php
+++ b/modules/Assets/bootstrap.php
@@ -80,6 +80,11 @@
                 $_isAllowed = $allowed === true ? true : preg_match("/\.({$allowed})$/i", $_file);
                 $_sizeAllowed = $max_size ? filesize($files['tmp_name'][$i]) < $max_size : true;
 
+                // prevent uploading php files
+                if ($_isAllowed && pathinfo($_file, PATHINFO_EXTENSION) === 'php') {
+                    $_isAllowed = false;
+                }
+
                 if (!$files['error'][$i] && $_isAllowed && $_sizeAllowed && move_uploaded_file($files['tmp_name'][$i], $_file)) {
 
                     $_files[]   = $_file;