Security Fix: Check Allowed Extension Types, Disallow Extension Types, and Disallow Mime Types

[Faisd405]

This pull request introduces comprehensive restrictions on disallowed file types and MIME types for uploads and archive extraction, significantly improving the security of the file manager. The changes ensure that potentially dangerous files (such as PHP scripts or executables) cannot be uploaded, created, renamed, or extracted from ZIP archives. Additionally, the configuration and service layers have been updated to support these new restrictions.

Security enhancements for file uploads and archive extraction:

• Added disallowFileTypes and disallowFileMimeTypes configuration options in file-manager.php to specify restricted file extensions and MIME types.
• Updated the ConfigRepository interface and its default implementation to provide access to the new disallow lists, with sensible defaults for common executable/script types. [1] [2]
• Modified the file upload logic in FileManager.php to block files with disallowed extensions or MIME types from being uploaded.
• Enforced extension checks when creating, renaming, or updating files, preventing creation or renaming to disallowed types. [1] [2] [3] [4]

ZIP archive extraction hardening:

• Updated the Zip service to check extracted files' extensions and MIME types against the disallow lists, skipping extraction of any that match. The service now requires ConfigRepository as a dependency. [1] [2] [3]

Other improvements:

• Updated PHPDoc annotations in FilesUploading and FilesUploaded event classes to clarify that the $files property is an array of uploaded files. [1] [2]