From 80ce87e4a936a3f055d306710cf21120671585ad Mon Sep 17 00:00:00 2001
From: Jeremy Angele <131715596+angelej@users.noreply.github.com>
Date: Tue, 24 Oct 2023 11:20:22 +0200
Subject: [PATCH] Update dangerous extensions (#3756)
Thanks for this!
---
system/config/security.yaml | 7 +++++++
system/src/Grav/Common/Utils.php | 4 ++--
tests/unit/Grav/Common/UtilsTest.php | 1 +
webserver-configs/Caddyfile | 4 ++--
webserver-configs/Caddyfile-0.8.x | 4 ++--
webserver-configs/htaccess.txt | 4 ++--
webserver-configs/lighttpd.conf | 2 +-
webserver-configs/nginx.conf | 4 ++--
webserver-configs/web.config | 6 +++---
9 files changed, 22 insertions(+), 14 deletions(-)
diff --git a/system/config/security.yaml b/system/config/security.yaml
index 54c7fc5225..43d3132363 100644
--- a/system/config/security.yaml
+++ b/system/config/security.yaml
@@ -32,9 +32,16 @@ xss_dangerous_tags:
- base
uploads_dangerous_extensions:
- php
+ - php2
+ - php3
+ - php4
+ - php5
- phar
+ - phtml
- html
- htm
+ - shtml
+ - shtm
- js
- exe
sanitize_svg: true
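Review bot: The extended list still keys only on the final extension string that Utils::checkFilename compares, and a few names that PHP handler configurations commonly map are not in it (`pht`, `phps`, `phpt` are the usual ones), nor is `htaccess`, which is what pathinfo() reports for a file named `.htaccess` — on an Apache host such an upload can redefine handlers for the directory it lands in. Since the same commit lowercases the filename extension but not these entries, a one-line comment above the list, `# compared case-insensitively against a lowercased filename extension; keep entries lowercase`, would stop a site override containing `PHP` from silently never matching. An extension blocklist is never complete, so the comment could also point admins at denying script execution in the upload location at the web-server level, which the webserver-configs in this repo partly do for user/.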
diff --git a/system/src/Grav/Common/Utils.php b/system/src/Grav/Common/Utils.php
index 378bffaff8..01623b793b 100644
--- a/system/src/Grav/Common/Utils.php
+++ b/system/src/Grav/Common/Utils.php
@@ -977,10 +977,10 @@ public static function getMimeByLocalFile($filename, $default = 'application/oct
* @param string $filename
* @return bool
*/
- public static function checkFilename($filename)
+ public static function checkFilename($filename): bool
{
$dangerous_extensions = Grav::instance()['config']->get('security.uploads_dangerous_extensions', []);
- $extension = static::pathinfo($filename, PATHINFO_EXTENSION);
+ $extension = strtolower(static::pathinfo($filename, PATHINFO_EXTENSION));
return !(
// Empty filenames are not allowed.
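Review bot: Only the filename side of the comparison is lowercased on the `$extension = strtolower(...)` line; `$dangerous_extensions` is taken from config as-is, so a site that overrides the list with `PHP` or `Phtml` gets entries that can never match. Normalising both sides keeps the contract symmetric: `$dangerous_extensions = array_map('strtolower', (array) Grav::instance()['config']->get('security.uploads_dangerous_extensions', []));`. The docblock should also state that only the final extension is inspected, which is sufficient where the server maps PHP by exact suffix but not for AddHandler-style configurations that act on any `.php` segment in the name — a deployment caveat worth a sentence next to `@return bool`. checkFilename's body, including the `return !(` expression, continues outside the hunk.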
diff --git a/tests/unit/Grav/Common/UtilsTest.php b/tests/unit/Grav/Common/UtilsTest.php
index 6917b34c5f..0e530497cb 100644
--- a/tests/unit/Grav/Common/UtilsTest.php
+++ b/tests/unit/Grav/Common/UtilsTest.php
@@ -561,6 +561,7 @@ public function testCheckFilename(): void
$config->set('security.uploads_dangerous_extensions', ['php', 'html', 'htm', 'exe', 'js']);
self::assertFalse(Utils::checkFilename('foo.php'));
+ self::assertFalse(Utils::checkFilename('foo.PHP'));
self::assertFalse(Utils::checkFilename('bar.js'));
self::assertTrue(Utils::checkFilename('foo.json'));
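Review bot: The new `foo.PHP` assertion covers only the filename side; nothing exercises a mixed-case entry in the configured list (the `$config->set(...)` line above is lowercase throughout), and none of the extensions added to security.yaml in this commit (`phtml`, `php5`, `shtml`) appear in the test's own list, so the new defaults are untested here. Adding `'PHTML'` to the set list together with `self::assertFalse(Utils::checkFilename('foo.phtml'));` would pin both once the config side is normalised as well. testCheckFilename starts outside the hunk.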
diff --git a/webserver-configs/Caddyfile b/webserver-configs/Caddyfile
index 3464b5b572..cfceced3c4 100644
--- a/webserver-configs/Caddyfile
+++ b/webserver-configs/Caddyfile
@@ -16,10 +16,10 @@ php_fastcgi 127.0.0.1:9000
rewrite /(\.git|cache|bin|logs|backups|tests)/.* /403
# deny running scripts inside core system folders
-rewrite /(system|vendor)/.*\.(txt|xml|md|html|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ /403
+rewrite /(system|vendor)/.*\.(txt|xml|md|html|htm|shtml|shtm|yaml|yml|php|php2|php3|php4|php5|phar|phtml|pl|py|cgi|twig|sh|bat)$ /403
# deny running scripts inside user folder
-rewrite /user/.*\.(txt|md|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ /403
+rewrite /user/.*\.(txt|md|yaml|yml|php|php2|php3|php4|php5|phar|phtml|pl|py|cgi|twig|sh|bat)$ /403
# deny access to specific files in the root folder
rewrite /(LICENSE\.txt|composer\.lock|composer\.json|nginx\.conf|web\.config|htaccess\.txt|\.htaccess) /403
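Review bot: Both rewritten regexes on the `+rewrite` lines are case-sensitive, so a name ending in `.PHP` or `.Phtml` under system/, vendor/ or user/ is not matched, while Utils::checkFilename in this same commit was made case-insensitive, which implies mixed-case extensions are in scope; nginx.conf already uses `~*`, but Caddyfile-0.8.x (`r`), htaccess.txt (no `[NC]`) and lighttpd.conf (`=~`) share the gap. Whether the server would actually hand such a name to PHP depends on the handler mapping, so the cheap insurance is a `(?i)` prefix here and in the `r` lines, `[F,NC]` in htaccess.txt and `(?i)` inside the lighttpd pattern. The user/ rule also still omits `shtml|shtm`, which security.yaml now lists as dangerous and which is presumably where uploaded content lands; the same omission is in Caddyfile-0.8.x, htaccess.txt and nginx.conf (lighttpd's combined rule has them). If html/htm must stay servable under user/, the SSI variants can still be added: `rewrite /user/.*\.(txt|md|yaml|yml|shtml|shtm|php|php2|php3|php4|php5|phar|phtml|pl|py|cgi|twig|sh|bat)$ /403`. Worth confirming this directive form applies a regex at all in the Caddy version targeted: `php_fastcgi` is v2 syntax, and in v2 a bare path after `rewrite` is a path matcher (wildcards, not regex), so a regex needs a named `path_regexp` matcher.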
diff --git a/webserver-configs/Caddyfile-0.8.x b/webserver-configs/Caddyfile-0.8.x
index aaf92ceda8..9e977a98d0 100644
--- a/webserver-configs/Caddyfile-0.8.x
+++ b/webserver-configs/Caddyfile-0.8.x
@@ -12,12 +12,12 @@ rewrite {
}
# deny running scripts inside core system folders
rewrite {
- r /(system|vendor)/.*\.(txt|xml|md|html|yaml|yml|php|pl|py|cgi|twig|sh|bat)$
+ r /(system|vendor)/.*\.(txt|xml|md|html|htm|shtml|shtm|yaml|yml|php|php2|php3|php4|php5|phar|phtml|pl|py|cgi|twig|sh|bat)$
status 403
}
# deny running scripts inside user folder
rewrite {
- r /user/.*\.(txt|md|yaml|yml|php|pl|py|cgi|twig|sh|bat)$
+ r /user/.*\.(txt|md|yaml|yml|php|php2|php3|php4|php5|phar|phtml|pl|py|cgi|twig|sh|bat)$
status 403
}
# deny access to specific files in the root folder
diff --git a/webserver-configs/htaccess.txt b/webserver-configs/htaccess.txt
index 098c582445..15436a7f5d 100644
--- a/webserver-configs/htaccess.txt
+++ b/webserver-configs/htaccess.txt
@@ -59,9 +59,9 @@ RewriteRule .* index.php [L]
# Block all direct access for these folders
RewriteRule ^(\.git|cache|bin|logs|backup|webserver-configs|tests)/(.*) error [F]
# Block access to specific file types for these system folders
-RewriteRule ^(system|vendor)/(.*)\.(txt|xml|md|html|json|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ error [F]
+RewriteRule ^(system|vendor)/(.*)\.(txt|xml|md|html|htm|shtml|shtm|json|yaml|yml|php|php2|php3|php4|php5|phar|phtml|pl|py|cgi|twig|sh|bat)$ error [F]
# Block access to specific file types for these user folders
-RewriteRule ^(user)/(.*)\.(txt|md|json|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ error [F]
+RewriteRule ^(user)/(.*)\.(txt|md|json|yaml|yml|php|php2|php3|php4|php5|phar|phtml|pl|py|cgi|twig|sh|bat)$ error [F]
# Block all direct access to .md files:
RewriteRule \.md$ error [F]
# Block all direct access to files and folders beginning with a dot
diff --git a/webserver-configs/lighttpd.conf b/webserver-configs/lighttpd.conf
index f14c5a8b9b..362637dca3 100644
--- a/webserver-configs/lighttpd.conf
+++ b/webserver-configs/lighttpd.conf
@@ -33,7 +33,7 @@ $HTTP["url"] =~ "^/grav_path/(LICENSE\.txt|composer\.json|composer\.lock|nginx\.
$HTTP["url"] =~ "^/grav_path/(\.git|cache|bin|logs|backup|tests)/(.*)" {
url.access-deny = ("")
}
-$HTTP["url"] =~ "^/grav_path/(system|user|vendor)/(.*)\.(txt|md|html|json|yaml|yml|php|twig|sh|bat)$" {
+$HTTP["url"] =~ "^/grav_path/(system|user|vendor)/(.*)\.(txt|md|html|htm|shtml|shtm|json|yaml|yml|php|php2|php3|php4|php5|phar|phtml|twig|sh|bat)$" {
url.access-deny = ("")
}
$HTTP["url"] =~ "^/grav_path/(\.(.*))" {
diff --git a/webserver-configs/nginx.conf b/webserver-configs/nginx.conf
index ed109b1993..42df5e9262 100644
--- a/webserver-configs/nginx.conf
+++ b/webserver-configs/nginx.conf
@@ -20,9 +20,9 @@ server {
# deny all direct access for these folders
location ~* /(\.git|cache|bin|logs|backup|tests)/.*$ { return 403; }
# deny running scripts inside core system folders
- location ~* /(system|vendor)/.*\.(txt|xml|md|html|json|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ { return 403; }
+ location ~* /(system|vendor)/.*\.(txt|xml|md|html|htm|shtml|shtm|json|yaml|yml|php|php2|php3|php4|php5|phar|phtml|pl|py|cgi|twig|sh|bat)$ { return 403; }
# deny running scripts inside user folder
- location ~* /user/.*\.(txt|md|json|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ { return 403; }
+ location ~* /user/.*\.(txt|md|json|yaml|yml|php|php2|php3|php4|php5|phar|phtml|pl|py|cgi|twig|sh|bat)$ { return 403; }
# deny access to specific files in the root folder
location ~ /(LICENSE\.txt|composer\.lock|composer\.json|nginx\.conf|web\.config|htaccess\.txt|\.htaccess) { return 403; }
## End - Security
diff --git a/webserver-configs/web.config b/webserver-configs/web.config
index 1c351a3b31..2127833338 100644
--- a/webserver-configs/web.config
+++ b/webserver-configs/web.config
@@ -18,7 +18,7 @@
-
+
@@ -26,11 +26,11 @@
-
+
-
+