Prevent uploading php files in assets manager

Cockpit-HQ · Mar 10, 2023 · becca80 · becca80
1 parent 69ec57c
commit becca80
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 0 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,9 @@
 # Release Notes
 
+## WIP
+
+- Prevent uploading php files in assets manager
+
 ## 2.4.0 (2023-03-08)
 
 - Add additional security check editing php files in finder

diff --git a/modules/Assets/bootstrap.php b/modules/Assets/bootstrap.php
@@ -80,6 +80,11 @@
                 $_isAllowed = $allowed === true ? true : preg_match("/\.({$allowed})$/i", $_file);
                 $_sizeAllowed = $max_size ? filesize($files['tmp_name'][$i]) < $max_size : true;
 
+                // prevent uploading php files
+                if ($_isAllowed && pathinfo($_file, PATHINFO_EXTENSION) === 'php') {
+                    $_isAllowed = false;
+                }
+
                 if (!$files['error'][$i] && $_isAllowed && $_sizeAllowed && move_uploaded_file($files['tmp_name'][$i], $_file)) {
 
                     $_files[]   = $_file;