Implement a whitelist for allowed file extensions #1110

adm_program/system/classes/TableFile.php

@@ -89,6 +89,21 @@ public function __construct(Database $database, $filId = 0)
         parent::__construct($database, TBL_FILES, 'fil', $filId);
     }
 
+    /**
+     * Check if the file extension of the current file format is allowed for upload and the
+     * documents and files module.
+     * @return bool Return true if the file extension is allowed to be used within Admidio.
+     */
+    public function allowedFileExtension()
+    {
+        if(array_key_exists($this->getFileExtension(), $this->iconFileExtension))
+        {
+            return true;
+        }
+
+        return false;
+    }
+
     /**
      * Deletes the selected record of the table and the associated file in the file system.
      * After that the class will be initialize.

adm_program/system/classes/UploadHandlerDownload.php

@@ -55,7 +55,7 @@ protected function handle_file_upload($uploadedFile, $name, $size, $type, $error
                 }
 
                 // check filename and throw exception if something is wrong
-                StringUtils::strIsValidFileName($file->name);
+                StringUtils::strIsValidFileName($file->name, false);
 
                 // replace invalid characters in filename
                 $file->name = FileSystemUtils::removeInvalidCharsInFilename($file->name);
@@ -70,6 +70,12 @@ protected function handle_file_upload($uploadedFile, $name, $size, $type, $error
                 $newFile->setValue('fil_name', $file->name);
                 $newFile->setValue('fil_locked', $targetFolder->getValue('fol_locked'));
                 $newFile->setValue('fil_counter', 0);
+
+                if(!$newFile->allowedFileExtension())
+                {
+                    throw new AdmException('SYS_FILE_EXTENSION_INVALID');
+                }
+
                 $newFile->save();
 
                 // Benachrichtigungs-Email für neue Einträge

adm_program/system/classes/UploadHandlerPhoto.php

@@ -54,7 +54,7 @@ protected function handle_file_upload($uploadedFile, $name, $size, $type, $error
                 $albumFolder  = ADMIDIO_PATH . FOLDER_DATA . '/photos/' . $photoAlbum->getValue('pho_begin', 'Y-m-d') . '_' . (int) $photoAlbum->getValue('pho_id');
 
                 // check filename and throw exception if something is wrong
-                StringUtils::strIsValidFileName($file->name);
+                StringUtils::strIsValidFileName($file->name, false);
 
                 // replace invalid characters in filename
                 $file->name = FileSystemUtils::removeInvalidCharsInFilename($file->name);