From 33eb4cc0f80c1f86388c1862a8aee1061fa5d72e Mon Sep 17 00:00:00 2001
From: Bozhidar Slaveykov
Date: Fri, 11 Mar 2022 15:27:10 +0200
Subject: [PATCH] make plupload only allowed files
---
 .../App/functions/plupload.php | 4 +--
 src/MicroweberPackages/Utils/System/Files.php | 32 +++++++++++++++++--
 2 files changed, 31 insertions(+), 5 deletions(-)
diff --git a/src/MicroweberPackages/App/functions/plupload.php b/src/MicroweberPackages/App/functions/plupload.php
index 804f29f9683..501045045f8 100644
--- a/src/MicroweberPackages/App/functions/plupload.php
+++ b/src/MicroweberPackages/App/functions/plupload.php
@@ -56,9 +56,9 @@ $is_ext = get_file_extension($fileName_ext);
 $is_ext = strtolower($is_ext);
-$is_dangerous_file = $files_utils->is_dangerous_file($fileName_ext);
+$is_allowed_file = $files_utils->is_allowed_file($fileName_ext);
-if ($is_dangerous_file) {
+if ($is_allowed_file == false) {
 header("HTTP/1.1 401 Unauthorized");
 die('{"jsonrpc" : "2.0", "error" : {"code":100, "message": "You cannot upload scripts or executable files"}}');
diff --git a/src/MicroweberPackages/Utils/System/Files.php b/src/MicroweberPackages/Utils/System/Files.php
index 12b120ab4a8..49569f65861 100644
--- a/src/MicroweberPackages/Utils/System/Files.php
+++ b/src/MicroweberPackages/Utils/System/Files.php
@@ -1020,7 +1020,7 @@ function get_dangerous_files_extentions()
 'private',
 'srl',
 'zhtml',
- 'vbhtml',
+ 'vbhtml',
 'hypetemplate',
 'obml15',
 'hypesymbol',
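Review bot: The new guard `if ($is_allowed_file == false)` is now the only extension check on the upload path, because `is_dangerous_file` is no longer consulted; any extension that appears both in one of the six category lists `is_allowed_file` unions and in `get_dangerous_files_extentions()` is therefore accepted where it was previously rejected. Unless every category list has been audited against the dangerous list, keeping both checks is the cheaper safeguard and also drops the loose comparison: `if (!$is_allowed_file || $files_utils->is_dangerous_file($fileName_ext)) {`. The error text "You cannot upload scripts or executable files" now also fires for any harmless but unlisted extension, so wording it as "This file type is not allowed" would match the new allowlist behaviour. The enclosing script continues outside the hunk.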
@@ -1109,6 +1109,28 @@ public function is_dangerous_file($file_name)
 }
+ public function is_allowed_file($fileName)
+ {
+ $allowedImages = $this->get_allowed_files_extensions_for_upload('images');
+ $allowedVideos = $this->get_allowed_files_extensions_for_upload('videos');
+ $allowedAudios = $this->get_allowed_files_extensions_for_upload('audios');
+ $allowedFiles = $this->get_allowed_files_extensions_for_upload('files');
+ $allowedDocuments = $this->get_allowed_files_extensions_for_upload('documents');
+ $allowedArchives = $this->get_allowed_files_extensions_for_upload('archives');
+
+ $allowed = array_merge_recursive($allowedImages,$allowedVideos,$allowedAudios,$allowedFiles,$allowedDocuments,$allowedArchives);
+
+ $isExt = get_file_extension($fileName);
+ $isExt = strtolower($isExt);
+
+ if (in_array($isExt, $allowed)) {
+ return true;
+ }
+
+ return false;
+ }
+
+
 function get_allowed_files_extensions_for_upload($fileTypes = 'images')
 {
@@ -1119,11 +1141,15 @@ function get_allowed_files_extensions_for_upload($fileTypes = 'images')
 case 'img':
 case 'image':
 case 'images':
- $are_allowed .= ',png,gif,jpg,jpeg,tiff,bmp,svg';
+ $are_allowed .= ',png,gif,jpg,jpeg,tiff,bmp,svg,webp,ico';
+ break;
+ case 'audio':
+ case 'audios':
+ $are_allowed .= ',mp3,mp4,ogg,wav,flac';
 break;
 case 'video':
 case 'videos':
- $are_allowed .= ',avi,asf,mpg,mpeg,mp4,flv,mkv,webm,ogg,wma,mov,wmv';
+ $are_allowed .= ',avi,asf,mpg,mpeg,mp4,flv,mkv,webm,ogg,ogv,3gp,3g2,wma,mov,wmv';
 break;
 case 'file':
 case 'files':
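Review bot: `is_allowed_file` accepts an empty extension as soon as `$allowed` contains an empty string, and the category lists in the following hunk are built as `$are_allowed .= ',png,...'` with a leading comma, so if `get_allowed_files_extensions_for_upload` splits that string on ',' (its start and return lie outside the hunk) the first element is '' and a name with no extension, or one `get_file_extension` cannot parse, passes the check. `in_array` is also called without `strict: true`, and `array_merge_recursive` only matters for nested arrays; since the original already passes the six results to it they must be arrays, so `array_merge` is the right call. Rejecting an empty extension and normalising the merged list closes the gap regardless of how the helper assembles its string:
```php
$allowed = array_filter(
    array_map('trim', array_merge($allowedImages, $allowedVideos, $allowedAudios, $allowedFiles, $allowedDocuments, $allowedArchives)),
    static fn ($ext) => $ext !== ''
);

$isExt = strtolower(get_file_extension($fileName));
if ($isExt === '') {
    return false;
}

return in_array($isExt, $allowed, true);
```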
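Review bot: The rewritten image line keeps `svg` in the allowlist next to the new `webp` and `ico`; an SVG is an XML document that can embed script and event handlers, so if uploads are served inline from the site's own origin it should either be dropped from this list or be routed through a sanitising or `Content-Disposition: attachment` path downstream (whether such handling exists is not visible in this diff). The new 'audios' case also lists `mp4` and `ogg`, which the video case already contains; that is harmless for a membership test, but a comment such as `// mp4/ogg are containers shared by audio and video` would stop the overlap being removed as a mistake.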