Disallow uploading of potentially unsafe file extensions.

Author: jbtronics

inc/lib.php

@@ -249,6 +249,18 @@ function sendString($content, $filename, $mimetype)
     exit;
 }
 
+/**
+ * Gets the file extension from a filename
+ *
+ * @param string    $filename The filename
+ * @return string The extension of the file
+ */
+function getExtensionFromFileName($filename)
+{
+    $tmp = explode('.', $filename);
+    return end($tmp);
+}
+
 /**
  * Upload a file (from "<input type="file">) to a directory on the server
  *
@@ -266,13 +278,15 @@ function sendString($content, $filename, $mimetype)
  */
 function uploadFile($file_array, $destination_directory, $destination_filename = null)
 {
+    $unsafe_extensions = ['php', 'phtml', 'php3', 'ph3', 'php4', 'ph4', 'php5', 'ph5', 'phtm', 'sh', 'asp', 'cgi', 'py', 'pl', 'exe', 'aspx'];
+
     if ((! isset($file_array['name'])) || (! isset($file_array['tmp_name'])) || (! isset($file_array['error']))) {
         throw new Exception(_('Ungültiges Array übergeben!'));
     }
 
-    //Dont allow to upload a PHP file.
-    if(strpos($file_array['name'], ".php") != false
-        || strpos($destination_filename, ".php") != false)
+    //Dont allow upload of files with potentially dangerous extension
+    if (in_array(getExtensionFromFileName($file_array['name']), $unsafe_extensions)
+        || in_array(getExtensionFromFileName($destination_filename), $unsafe_extensions))
     {
         throw new \Exception(_("Es ist nicht erlaubt PHP Dateien hochzuladen!"));
     }