From 5a569d4e3ddaea2b6628d7ec1472a3e8bc410881 Mon Sep 17 00:00:00 2001
From: Bastian Allgeier
Date: Tue, 1 Dec 2020 11:11:02 +0100
Subject: [PATCH] Prevent phar upload in file upload validation

---
 app/src/panel/models/page/uploader.php | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/app/src/panel/models/page/uploader.php b/app/src/panel/models/page/uploader.php
index ca284ecf..fba999a4 100644
--- a/app/src/panel/models/page/uploader.php
+++ b/app/src/panel/models/page/uploader.php
@@ -1,4 +1,4 @@ -file) { $this->replace(); } else { - $this->upload(); + $this->upload(); } }
@@ -55,7 +55,7 @@ public function upload() {
 // create the initial meta file
 // without triggering the update hook
 try {
- $file->createMeta(false);
+ $file->createMeta(false);
 } catch(Exception $e) {
 // don't react on meta errors
 // the meta file can still be generated later
@@ -64,13 +64,13 @@ public function upload() {
 // make sure that the file is being marked as updated touch($file->root()); - kirby()->trigger($event, $file); + kirby()->trigger($event, $file); } public function replace() { - $file = $this->file; + $file = $this->file; $upload = new Upload($file->root(), array( 'overwrite' => true, 'accept' => function($upload) use($file) {
@@ -135,7 +135,7 @@ public function move($upload, $event) {
 public function checkUpload($file) { $filesettings = $this->blueprint->files(); - $forbiddenExtensions = array('php', 'html', 'htm', 'exe', kirby()->option('content.file.extension', 'txt')); + $forbiddenExtensions = array('php', 'phar', 'html', 'htm', 'exe', kirby()->option('content.file.extension', 'txt')); $forbiddenMimes = array_merge(f::$mimes['php'], array('text/html', 'application/x-msdownload')); $extension = strtolower($file->extension());
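Review bot: The new `'phar'` entry in `$forbiddenExtensions` in the `@@ -135` hunk is redundant with the `str::contains($extension, 'phar')` test added in the `@@ -150` hunk, because the substring check already rejects the exact extension, so the same rule now lives in two places that can drift apart (the existing `'php'` entry has the same overlap). Keep one source of truth, e.g. drive the substring test from a single `$forbiddenFragments = array('php', 'phar')` list and leave `$forbiddenExtensions` for whole-name matches only. The comment above the substring check still reads `// especially block any connection that contains php` and should name both cases, e.g. `// block any extension that contains php or phar (executable archives), not only the exact deny-list names`. More generally this remains a deny-list; if `$filesettings` exposes the extensions and MIME types the blueprint accepts, validating uploads against that allow-list is the stronger control, with this list kept as a backstop. `checkUpload` continues past the end of both hunks.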
@@ -150,7 +150,7 @@ public function checkUpload($file) { } // especially block any connection that contains php - if(str::contains($extension, 'php')) { + if(str::contains($extension, 'php') || str::contains($extension, 'phar')) { throw new Exception(l('files.add.error.extension.forbidden')); } @@ -187,8 +187,8 @@ public function checkUpload($file) { // Files blueprint option 'height' if($file->type() == 'image' and $filesettings->height() and $file->height() > $filesettings->height()) { throw new Exception('Page only allows image height of ' . $filesettings->height().'px'); - } + } } -} \ No newline at end of file +}