From bd84899ce65a7f193e676dd8444e424fa50f64fa Mon Sep 17 00:00:00 2001
From: Stream
Date: Wed, 15 Nov 2023 17:23:41 +0800
Subject: [PATCH] security: update if file extension is executable when uploading files

---
 src/LfmPath.php | 4 +++-
 src/LfmUploadValidator.php | 13 ++++++++++++-
 src/config/lfm.php | 3 +++
 3 files changed, 18 insertions(+), 2 deletions(-)

diff --git a/src/LfmPath.php b/src/LfmPath.php
index b9a778c5..117c00fa 100644
--- a/src/LfmPath.php
+++ b/src/LfmPath.php
@@ -253,7 +253,9 @@ public function validateUploadedFile($file)
 $validator->nameIsNotDuplicate($this->getNewName($file), $this);
 }
 
- $validator->isNotExcutable(config('lfm.disallowed_mimetypes', ['text/x-php', 'text/html', 'text/plain']));
+ $validator->mimetypeIsNotExcutable(config('lfm.disallowed_mimetypes', ['text/x-php', 'text/html', 'text/plain']));
+
+ $validator->extensionIsNotExcutable(config('lfm.disallowed_extensions', ['php', 'html']));
 
 if (config('lfm.should_validate_mime', false)) {
 $validator->mimeTypeIsValid($this->helper->availableMimeTypes());
diff --git a/src/LfmUploadValidator.php b/src/LfmUploadValidator.php
index 0d2d4b56..a7586b94 100644
--- a/src/LfmUploadValidator.php
+++ b/src/LfmUploadValidator.php
@@ -61,7 +61,7 @@ public function nameIsNotDuplicate($new_file_name, LfmPath $lfm_path)
 return $this;
 }
 
- public function isNotExcutable($excutable_mimetypes)
+ public function mimetypeIsNotExcutable($excutable_mimetypes)
 {
 $mimetype = $this->file->getMimeType();
 
@@ -72,6 +72,17 @@ public function isNotExcutable($excutable_mimetypes)
 return $this;
 }
 
+ public function extensionIsNotExcutable($excutable_extensions)
+ {
+ $extension = $this->file->getClientOriginalExtension();
+
+ if (in_array($extension, $excutable_extensions)) {
+ throw new ExcutableFileException();
+ }
+
+ return $this;
+ }
+
 public function mimeTypeIsValid($available_mime_types)
 {
 $mimetype = $this->file->getMimeType();
diff --git a/src/config/lfm.php b/src/config/lfm.php
index 5c418126..70e7fd3f 100644
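Review bot: The inline fallback `['php', 'html']` passed to extensionIsNotExcutable duplicates the default that src/config/lfm.php now declares under `disallowed_extensions`, so the two lists will drift the first time one of them is edited; keep a single source of truth, e.g. `$validator->extensionIsNotExcutable(config('lfm.disallowed_extensions', []));`, and the same applies to the `disallowed_mimetypes` fallback on the renamed line above it. As a denylist, both default lists are narrow: depending on the web server configuration, other extensions (such as `phtml` or `phar`) may be executed as PHP, and the list is matched byte-for-byte against the client-reported extension, so casing differences are not caught. An allowlist of expected upload types, or at least a documented rationale for the chosen entries, would make the intent clearer. validateUploadedFile's body starts and ends outside the hunk.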
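Review bot: `in_array($extension, $excutable_extensions)` in the new extensionIsNotExcutable is a loose, case-sensitive comparison, so an uploaded file whose extension differs from the configured entry only in case (e.g. `.PHP` versus `php`) passes the denylist; normalise first and compare strictly: `$extension = strtolower($this->file->getClientOriginalExtension());` and `if (in_array($extension, $excutable_extensions, true)) {`. getClientOriginalExtension() is derived from the client-supplied file name, so this only validates the name the client sent; if getNewName() in LfmPath can produce a different stored extension, the stored name is what should be checked — worth confirming against that caller. A short docblock would also help the next reader, e.g. `/** Rejects the upload when its client-reported extension is in the configured denylist. @throws ExcutableFileException */`.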
--- a/src/config/lfm.php
+++ b/src/config/lfm.php
@@ -116,6 +116,9 @@
 // mimetypes of executables to prevent from uploading
 'disallowed_mimetypes' => ['text/x-php', 'text/html', 'text/plain'],
 
+ // extensions of executables to prevent from uploading
+ 'disallowed_extensions' => ['php', 'html'],
+
 // Item Columns
 'item_columns' => ['name', 'url', 'time', 'icon', 'is_file', 'is_image', 'thumb_url'],