security: prevent executables from being uploaded

streamtw · streamtw · commit 9e9022747832 · 2022-05-15T19:14:27.000+08:00
diff --git a/src/LfmPath.php b/src/LfmPath.php
@@ -253,7 +253,7 @@ public function validateUploadedFile($file)
             $validator->nameIsNotDuplicate($this->getNewName($file), $this);
         }
 
-        $validator->isNotExcutable();
+        $validator->isNotExcutable(config('lfm.disallowed_mimetypes', ['text/x-php', 'text/html', 'text/plain']));
 
         if (config('lfm.should_validate_mime', false)) {
             $validator->mimeTypeIsValid($this->helper->availableMimeTypes());
diff --git a/src/LfmUploadValidator.php b/src/LfmUploadValidator.php
@@ -61,13 +61,11 @@ public function nameIsNotDuplicate($new_file_name, LfmPath $lfm_path)
         return $this;
     }
 
-    public function isNotExcutable()
+    public function isNotExcutable($excutable_mimetypes)
     {
         $mimetype = $this->file->getMimeType();
 
-        $excutable = ['text/x-php'];
-
-        if (in_array($mimetype, $excutable)) {
+        if (in_array($mimetype, $excutable_mimetypes)) {
             throw new ExcutableFileException();
         }
 
diff --git a/src/config/lfm.php b/src/config/lfm.php
@@ -113,6 +113,9 @@
     // setting it to false show `error-file-exist` error and stop upload
     'over_write_on_duplicate'  => false,
 
+    // mimetypes of executables to prevent from uploading
+    'disallowed_mimetypes' => ['text/x-php', 'text/html', 'text/plain'],
+
     // Item Columns
     'item_columns' => ['name', 'url', 'time', 'icon', 'is_file', 'is_image', 'thumb_url'],
 

Original file line number	Diff line number	Diff line change
`@@ -253,7 +253,7 @@ public function validateUploadedFile($file)`
`253`	`253`	`$validator->nameIsNotDuplicate($this->getNewName($file), $this);`
`254`	`254`	`}`
`255`	`255`
`256`		`- $validator->isNotExcutable();`
	`256`	`+ $validator->isNotExcutable(config('lfm.disallowed_mimetypes', ['text/x-php', 'text/html', 'text/plain']));`
`257`	`257`
`258`	`258`	`if (config('lfm.should_validate_mime', false)) {`
`259`	`259`	`$validator->mimeTypeIsValid($this->helper->availableMimeTypes());`
Original file line number	Diff line number	Diff line change
`@@ -61,13 +61,11 @@ public function nameIsNotDuplicate($new_file_name, LfmPath $lfm_path)`
`61`	`61`	`return $this;`
`62`	`62`	`}`
`63`	`63`
`64`		`- public function isNotExcutable()`
	`64`	`+ public function isNotExcutable($excutable_mimetypes)`
`65`	`65`	`{`
`66`	`66`	`$mimetype = $this->file->getMimeType();`
`67`	`67`
`68`		`- $excutable = ['text/x-php'];`
`69`		`-`
`70`		`- if (in_array($mimetype, $excutable)) {`
	`68`	`+ if (in_array($mimetype, $excutable_mimetypes)) {`
`71`	`69`	`throw new ExcutableFileException();`
`72`	`70`	`}`
`73`	`71`