security: update if file extension is executable when uploading files

streamtw · streamtw · commit bd84899ce65a · 2023-11-15T17:23:41.000+08:00
diff --git a/src/LfmPath.php b/src/LfmPath.php
@@ -253,7 +253,9 @@ public function validateUploadedFile($file)
             $validator->nameIsNotDuplicate($this->getNewName($file), $this);
         }
 
-        $validator->isNotExcutable(config('lfm.disallowed_mimetypes', ['text/x-php', 'text/html', 'text/plain']));
+        $validator->mimetypeIsNotExcutable(config('lfm.disallowed_mimetypes', ['text/x-php', 'text/html', 'text/plain']));
+
+        $validator->extensionIsNotExcutable(config('lfm.disallowed_extensions', ['php', 'html']));
 
         if (config('lfm.should_validate_mime', false)) {
             $validator->mimeTypeIsValid($this->helper->availableMimeTypes());
diff --git a/src/LfmUploadValidator.php b/src/LfmUploadValidator.php
@@ -61,7 +61,7 @@ public function nameIsNotDuplicate($new_file_name, LfmPath $lfm_path)
         return $this;
     }
 
-    public function isNotExcutable($excutable_mimetypes)
+    public function mimetypeIsNotExcutable($excutable_mimetypes)
     {
         $mimetype = $this->file->getMimeType();
 
@@ -72,6 +72,17 @@ public function isNotExcutable($excutable_mimetypes)
         return $this;
     }
 
+    public function extensionIsNotExcutable($excutable_extensions)
+    {
+        $extension = $this->file->getClientOriginalExtension();
+
+        if (in_array($extension, $excutable_extensions)) {
+            throw new ExcutableFileException();
+        }
+
+        return $this;
+    }
+
     public function mimeTypeIsValid($available_mime_types)
     {
         $mimetype = $this->file->getMimeType();
diff --git a/src/config/lfm.php b/src/config/lfm.php
@@ -116,6 +116,9 @@
     // mimetypes of executables to prevent from uploading
     'disallowed_mimetypes' => ['text/x-php', 'text/html', 'text/plain'],
 
+    // extensions of executables to prevent from uploading
+    'disallowed_extensions' => ['php', 'html'],
+
     // Item Columns
     'item_columns' => ['name', 'url', 'time', 'icon', 'is_file', 'is_image', 'thumb_url'],
 

Original file line number	Diff line number	Diff line change
`@@ -253,7 +253,9 @@ public function validateUploadedFile($file)`
`253`	`253`	`$validator->nameIsNotDuplicate($this->getNewName($file), $this);`
`254`	`254`	`}`
`255`	`255`
`256`		`- $validator->isNotExcutable(config('lfm.disallowed_mimetypes', ['text/x-php', 'text/html', 'text/plain']));`
	`256`	`+ $validator->mimetypeIsNotExcutable(config('lfm.disallowed_mimetypes', ['text/x-php', 'text/html', 'text/plain']));`
	`257`	`+`
	`258`	`+ $validator->extensionIsNotExcutable(config('lfm.disallowed_extensions', ['php', 'html']));`
`257`	`259`
`258`	`260`	`if (config('lfm.should_validate_mime', false)) {`
`259`	`261`	`$validator->mimeTypeIsValid($this->helper->availableMimeTypes());`
Original file line number	Diff line number	Diff line change
`@@ -61,7 +61,7 @@ public function nameIsNotDuplicate($new_file_name, LfmPath $lfm_path)`
`61`	`61`	`return $this;`
`62`	`62`	`}`
`63`	`63`
`64`		`- public function isNotExcutable($excutable_mimetypes)`
	`64`	`+ public function mimetypeIsNotExcutable($excutable_mimetypes)`
`65`	`65`	`{`
`66`	`66`	`$mimetype = $this->file->getMimeType();`
`67`	`67`
`@@ -72,6 +72,17 @@ public function isNotExcutable($excutable_mimetypes)`
`72`	`72`	`return $this;`
`73`	`73`	`}`
`74`	`74`
	`75`	`+ public function extensionIsNotExcutable($excutable_extensions)`
	`76`	`+ {`
	`77`	`+ $extension = $this->file->getClientOriginalExtension();`
	`78`	`+`
	`79`	`+ if (in_array($extension, $excutable_extensions)) {`
	`80`	`+ throw new ExcutableFileException();`
	`81`	`+ }`
	`82`	`+`
	`83`	`+ return $this;`
	`84`	`+ }`
	`85`	`+`
`75`	`86`	`public function mimeTypeIsValid($available_mime_types)`
`76`	`87`	`{`
`77`	`88`	`$mimetype = $this->file->getMimeType();`