verot / class.upload.php

This PHP class uploads files and manipulates images very easily. It is in fact as much as an image processing class than it is an upload class. Compatible with PHP 4, 5, 7 and 8. Supports processing of local files, uploaded files, files sent through XMLHttpRequest.
http://www.verot.net/php_class_upload.htm
GNU General Public License v2.0

MIME validation is not foolproof #132

Closed zanderwar closed 2 years ago

zanderwar commented 4 years ago

As you may already be aware, MIME type detection is not 100% foolproof.

For example, shell scripts such as .bat files are declared as being application/bat or application/x-bat; however, that's not entirely truthful in a lot of cases: their MIME type is often interpreted as application/octet-stream, which is allowed by default by this class, as that MIME type also represents other non-malicious files and/or documents.

I'd like to propose the ability to not only forbid certain MIME types (which already exists), but also to forbid certain extensions as a fallback safety net:

$upload->forbidden_extensions = array('bat', 'exe', 'svg', 'php', 'phtml', 'dll', 'wsdl');

If a rookie were to accidentally open a bat file that a user uploaded, the malicious potential is endless and significant beyond repair.

verot commented 4 years ago

Yes, it would be a good addition. I have no time to do it now, but I have added it to my list. And I'll gladly accept a patch.

halillusion commented 2 years ago

Hi @verot,

This issue was fixed in #160.

verot commented 2 years ago

Issue was fixed in 590187167a3da2ed366c9730ae2ab98c1fe8d6e

Basically, I did add the possibility of having file extensions in allowed and forbidden (rather than adding a new array as in your merge request).

If no_script is active, then first the class will rename dangerous files into text files; then, the class checks for allowed and forbidden.

So for instance, a .bat file is turned into a text file as no_script is activated by default. If it wasn't, then the .bat file would be prevented from being uploaded because forbidden.

And in forbidden, we add all the file extensions from dangerous (which are turned into text files if no_script is activated), and we add some other file extensions that are forbidden (.exe, etc.).
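The two-stage check described in this thread (no_script renaming dangerous files to text first, then forbidden/allowed lists that hold extensions as well as MIME types), as an added PHP illustration; this is not the class's own code, check_upload(), matches_list() and the three lists are hypothetical, and the sample filename and MIME type are constructed.

```php
<?php
// Extensions that no_script turns into plain text files (constructed list).
$dangerous = array('php', 'phtml', 'phar', 'bat', 'sh', 'js', 'svg');

// Forbidden list: everything in $dangerous plus other executables (constructed).
$forbidden = array_merge($dangerous, array('exe', 'dll', 'com', 'msi'));

// Allowed list mixing MIME types and extensions; 'image/*' is a wildcard.
$allowed = array('image/*', 'application/pdf', 'txt');

// An entry without '/' is an extension; 'type/*' matches any subtype.
function matches_list($mime, $ext, $list) {
    foreach ($list as $entry) {
        if (strpos($entry, '/') === false) {
            if ($entry === $ext) return true;
        } elseif (substr($entry, -2) === '/*') {
            if (strpos($mime, substr($entry, 0, -1)) === 0) return true;
        } elseif ($entry === $mime) {
            return true;
        }
    }
    return false;
}

function check_upload($filename, $mime, $no_script, $dangerous, $forbidden, $allowed) {
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    // Stage 1: with no_script on, a dangerous file is renamed to .txt and
    // treated as text/plain before any list is consulted.
    if ($no_script && in_array($ext, $dangerous, true)) {
        $filename .= '.txt';
        $ext = 'txt';
        $mime = 'text/plain';
    }
    // Stage 2: forbidden wins over allowed, and the extension match does
    // not depend on the (unreliable) MIME type at all.
    if (matches_list($mime, $ext, $forbidden)) {
        return array(false, "forbidden: $filename");
    }
    if (!matches_list($mime, $ext, $allowed)) {
        return array(false, "not allowed: $filename");
    }
    return array(true, $filename);
}

// Constructed sample: a .bat file that arrived labelled application/octet-stream.
foreach (array(true, false) as $no_script) {
    list($ok, $msg) = check_upload('run.bat', 'application/octet-stream', $no_script, $dangerous, $forbidden, $allowed);
    printf("no_script=%s -> %s (%s)\n", $no_script ? 'on' : 'off', $ok ? 'accepted' : 'rejected', $msg);
}
```

With no_script on the file is accepted as run.bat.txt; with it off the same file is rejected as forbidden, even though its MIME type alone would have passed.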