
security: prevent executables from being uploaded
streamtw committed May 15, 2022
1 parent 908ff8e commit 9e90227
Showing 3 changed files with 6 additions and 5 deletions.
2 changes: 1 addition & 1 deletion src/LfmPath.php
Expand Up @@ -253,7 +253,7 @@ public function validateUploadedFile($file)
$validator->nameIsNotDuplicate($this->getNewName($file), $this);
}

$validator->isNotExcutable();
$validator->isNotExcutable(config('lfm.disallowed_mimetypes', ['text/x-php', 'text/html', 'text/plain']));

if (config('lfm.should_validate_mime', false)) {
$validator->mimeTypeIsValid($this->helper->availableMimeTypes());
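Review bot: The fallback array handed to `config('lfm.disallowed_mimetypes', [...])` in validateUploadedFile is a second copy of the literal that src/config/lfm.php now defines, so the two lists will drift the first time either is edited. If the fallback exists to cover installations whose published config predates the new key, record that next to the call, e.g. `// fallback for published configs that predate 'disallowed_mimetypes'`; otherwise read the list from one place only. Note also that `text/plain` in the list rejects every ordinary text upload (a `.txt` is detected as `text/plain`), which affects users who never upload anything executable, so the reason for denying it should be documented or the entry dropped. validateUploadedFile begins and ends outside this hunk.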
6 changes: 2 additions & 4 deletions src/LfmUploadValidator.php
Expand Up @@ -61,13 +61,11 @@ public function nameIsNotDuplicate($new_file_name, LfmPath $lfm_path)
return $this;
}

public function isNotExcutable()
public function isNotExcutable($excutable_mimetypes)
{
$mimetype = $this->file->getMimeType();

$excutable = ['text/x-php'];

if (in_array($mimetype, $excutable)) {
if (in_array($mimetype, $excutable_mimetypes)) {
throw new ExcutableFileException();
}

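Review bot: isNotExcutable now decides solely on `$this->file->getMimeType()`, which (if this is Symfony's UploadedFile) is derived from the file content rather than the file name, so the check answers "what does the content look like" and not "will the web server execute the stored file"; a file saved under a server-handled extension is executed regardless of the MIME type detected here, so this denylist on its own does not deliver what the commit title promises. Pair it with a check on the stored file name's extension (an allowlist of permitted extensions is the more robust form) and state in the method's docblock which of the two this method covers. Smaller points on the new lines: declare the parameter type and compare strictly, `public function isNotExcutable(array $excutable_mimetypes)` and `if (in_array($mimetype, $excutable_mimetypes, true)) {`. The method's `return $this;` and closing brace lie outside the hunk.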
3 changes: 3 additions & 0 deletions src/config/lfm.php
Expand Up @@ -113,6 +113,9 @@
// setting it to false show `error-file-exist` error and stop upload
'over_write_on_duplicate' => false,

// mimetypes of executables to prevent from uploading
'disallowed_mimetypes' => ['text/x-php', 'text/html', 'text/plain'],

// Item Columns
'item_columns' => ['name', 'url', 'time', 'icon', 'is_file', 'is_image', 'thumb_url'],

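Review bot: The comment above the new `disallowed_mimetypes` key calls the entries "mimetypes of executables", but `text/html` and `text/plain` are not executable types, so a reader cannot tell why they are listed or what denying them costs. Describe the actual rule and its side effect instead, e.g. `// uploads whose detected MIME type is in this list are rejected with ExcutableFileException` followed by `// note: 'text/plain' also blocks ordinary .txt uploads`.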

1 comment on commit 9e90227

@mafftor


Why have you added disallowed mime types? If we have an allowed list of types, is everything that is not in the list disallowed by default?
