From 9cd4eee393028aa4cab70fcbac284b0028c0bc95 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20B=C3=B6hmer?= Date: Wed, 2 Mar 2022 00:36:31 +0100 Subject: [PATCH] Disallow uploading of potentially unsafe file extensions. --- inc/lib.php | 20 +++++++++++++++++--- 1 file changed, 17 insertions(+), 3 deletions(-) diff --git a/inc/lib.php b/inc/lib.php index f7894968e..4b6d6c98b 100644 --- a/inc/lib.php +++ b/inc/lib.php @@ -249,6 +249,18 @@ function sendString($content, $filename, $mimetype) exit; } +/** + * Gets the file extension from a filename + * + * @param string $filename The filename + * @return string The extension of the file + */ +function getExtensionFromFileName($filename) +{ + $tmp = explode('.', $filename); + return end($tmp); +} + /** * Upload a file (from ") to a directory on the server * @@ -266,13 +278,15 @@ function sendString($content, $filename, $mimetype) */ function uploadFile($file_array, $destination_directory, $destination_filename = null) { + $unsafe_extensions = ['php', 'phtml', 'php3', 'ph3', 'php4', 'ph4', 'php5', 'ph5', 'phtm', 'sh', 'asp', 'cgi', 'py', 'pl', 'exe', 'aspx']; + if ((! isset($file_array['name'])) || (! isset($file_array['tmp_name'])) || (! isset($file_array['error']))) { throw new Exception(_('Ungültiges Array übergeben!')); } - //Dont allow to upload a PHP file. - if(strpos($file_array['name'], ".php") != false - || strpos($destination_filename, ".php") != false) + //Dont allow upload of files with potentially dangerous extension + if (in_array(getExtensionFromFileName($file_array['name']), $unsafe_extensions) + || in_array(getExtensionFromFileName($destination_filename), $unsafe_extensions)) { throw new \Exception(_("Es ist nicht erlaubt PHP Dateien hochzuladen!")); }
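Review bot: getExtensionFromFileName returns the text after the last dot only, without case-folding, so `shell.PHP` yields `PHP` and a name with no dot at all (`README`) yields the whole filename rather than an empty string; callers comparing against a lowercase list will miss the first case and get a surprising value in the second. Since the only caller in this patch is a security check, I would normalize here: `$tmp = explode('.', (string) $filename); return count($tmp) > 1 ? strtolower(end($tmp)) : '';`, and state in the docblock that the result is lowercased and empty when the name has no extension. A return type (`: string`) and a `@param string|null` would also document that `$destination_filename` can arrive as null from uploadFile's default. Note that `explode('.', null)` emits a deprecation notice from PHP 8.1, which the `(string)` cast avoids.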
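Review bot: The new extension check in uploadFile is still bypassable because it compares case-sensitively and looks at the last extension only: `shell.PHP`, `shell.Php` and `shell.php.jpg` all pass, and depending on the web server's handler configuration (Apache's mod_mime matches extensions case-insensitively and can evaluate every extension in a name) such files may still be executed. The blocklist also omits extensions that commonly map to the PHP handler (`phar`, `phps`, `pht`, `php7`, `php8`) and `htaccess`, so an uploaded `.htaccess` could re-enable handlers in the destination directory. An allowlist of expected upload types is the robust fix; failing that, lowercase the name, check every segment after the first dot, and pass `strict: true` to in_array. The error message should then no longer speak only of PHP files, since the list covers `exe`, `sh`, `py` and others; uploadFile's body continues past the end of this hunk.
```php
    $unsafe_extensions = ['php', 'phtml', 'php3', 'ph3', 'php4', 'ph4', 'php5', 'ph5', 'phtm', 'sh', 'asp', 'cgi', 'py', 'pl', 'exe', 'aspx', 'phar', 'phps', 'pht', 'php7', 'php8', 'htaccess'];
    // Reject if ANY extension segment is dangerous, case-insensitively (x.PHP, x.php.jpg).
    $hasUnsafeExtension = static function ($name) use ($unsafe_extensions) {
        $parts = explode('.', strtolower((string) $name));
        foreach (array_slice($parts, 1) as $part) {
            if (in_array($part, $unsafe_extensions, true)) {
                return true;
            }
        }
        return false;
    };
    // … unchanged: isset() validation of $file_array …
    if ($hasUnsafeExtension($file_array['name']) || $hasUnsafeExtension($destination_filename))
```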