Skip to content

Commit

Permalink
blacklist .phar extension
Browse files Browse the repository at this point in the history
  • Loading branch information
verot committed Dec 4, 2019
1 parent aae61a8 commit db1b4fe
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion src/class.upload.php
Original file line number Diff line number Diff line change
Expand Up @@ -3064,7 +3064,7 @@ function process($server_path = null) {
}
// if the file is text based, or has a dangerous extension, we rename it as .txt
if ((((substr($this->file_src_mime, 0, 5) == 'text/' && $this->file_src_mime != 'text/rtf') || strpos($this->file_src_mime, 'javascript') !== false) && (substr($file_src_name, -4) != '.txt'))
|| preg_match('/\.(php|php5|php4|php3|phtml|pl|py|cgi|asp|js)$/i', $this->file_src_name)
|| preg_match('/\.(php|php5|php4|php3|phtml|pl|py|cgi|asp|js|phar)$/i', $this->file_src_name)
|| $this->file_force_extension && empty($file_src_name_ext)) {
$this->file_src_mime = 'text/plain';
if ($this->file_src_name_ext) $file_src_name_body = $file_src_name_body . '.' . $this->file_src_name_ext;
Expand Down

0 comments on commit db1b4fe

Please # to comment.