fix(security): disallow file extensions start with php

streamtw · streamtw · commit ec483edf26cf · 2024-08-10T01:53:59.000+08:00
diff --git a/src/LfmUploadValidator.php b/src/LfmUploadValidator.php
@@ -81,6 +81,10 @@ public function extensionIsNotExcutable($excutable_extensions)
             throw new ExcutableFileException();
         }
 
+        if (strpos($extension, 'php') === 0) {
+            throw new ExcutableFileException();
+        }
+
         return $this;
     }
 
diff --git a/tests/LfmUploadValidatorTest.php b/tests/LfmUploadValidatorTest.php
@@ -168,6 +168,18 @@ public function testFailsExtensionIsNotExcutableWithExtensionNotLowerCase()
         $validator->extensionIsNotExcutable(['php', 'html']);
     }
 
+    public function testFailsExtensionIsNotExcutableWithExtensionsStartsWithPhp()
+    {
+        $uploaded_file = m::mock(UploadedFile::class);
+        $uploaded_file->shouldReceive('getClientOriginalExtension')->andReturn('php8');
+
+        $validator = new LfmUploadValidator($uploaded_file);
+
+        $this->expectException(ExcutableFileException::class);
+
+        $validator->extensionIsNotExcutable(['php', 'html']);
+    }
+
     public function testFailsExtensionIsValidWithSpecialCharacters()
     {
         $uploaded_file = m::mock(UploadedFile::class);

Original file line number	Diff line number	Diff line change
`@@ -81,6 +81,10 @@ public function extensionIsNotExcutable($excutable_extensions)`
`81`	`81`	`throw new ExcutableFileException();`
`82`	`82`	`}`
`83`	`83`
	`84`	`+ if (strpos($extension, 'php') === 0) {`
	`85`	`+ throw new ExcutableFileException();`
	`86`	`+ }`
	`87`	`+`
`84`	`88`	`return $this;`
`85`	`89`	`}`
`86`	`90`