From a1b962a7b5d5fe4719f9a328cd0ea4c8e867f5da Mon Sep 17 00:00:00 2001 From: Starbeamrainbowlabs Date: Tue, 21 Apr 2020 21:18:50 +0100 Subject: [PATCH] feature-upload: fix the dot problem --- modules/feature-upload.php | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/modules/feature-upload.php b/modules/feature-upload.php index a6edde9..35f760b 100644 --- a/modules/feature-upload.php +++ b/modules/feature-upload.php @@ -1,7 +1,7 @@ "Uploader", - "version" => "0.6.3", + "version" => "0.6.4", "author" => "Starbeamrainbowlabs", "description" => "Adds the ability to upload files to Pepperminty Wiki. Uploaded files act as pages and have the special 'File/' prefix.", "id" => "feature-upload", @@ -138,7 +138,8 @@ register_module([ // Calculate the target name, removing any characters we // are unsure about. - $target_name = makepathsafe($_POST["name"] ?? "Users/$env->user/Avatar"); + // Also trim off whitespace (from both ends), and full stops (from the end) + $target_name = rtrim(trim(makepathsafe($_POST["name"] ?? "Users/$env->user/Avatar")), "."); $temp_filename = $_FILES["file"]["tmp_name"]; $mimechecker = finfo_open(FILEINFO_MIME_TYPE); @@ -183,18 +184,21 @@ register_module([ if(isset($settings->mime_mappings_overrides->$mime_type)) $file_extension = $settings->mime_mappings_overrides->$mime_type; - if(in_array($file_extension, [ "php", ".htaccess", "asp", "aspx" ])) + if(in_array($file_extension, [ "phtml", "php5", "php", ".htaccess", "asp", "aspx" ])) { http_response_code(415); exit(page_renderer::render("Upload Error - $settings->sitename", "
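Review bot: After `rtrim(trim(makepathsafe(...)), ".")` a submitted name consisting only of whitespace and dots collapses to the empty string, and nothing in this hunk rejects that, so the `$new_filename` concatenation in the later hunk would yield a path with no basename at all. A guard directly after the assignment, e.g. `if($target_name === "") { http_response_code(400); exit(page_renderer::render("Upload Error - $settings->sitename", "Invalid upload name.")); }`, keeps that case away from the filesystem. Only the ends of the whole value are trimmed, so a trailing dot or space on an intermediate segment (`foo./bar`) survives; whether `makepathsafe` already normalises that I cannot tell, since it is defined outside the hunk. The upload handler containing these lines starts before and ends after the hunk.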

The file you uploaded appears to be dangerous and has been discarded. Please contact $settings->sitename's administrator for assistance.

Additional information: The file uploaded appeared to be of type $mime_type, which mapped onto the extension $file_extension. This file extension has the potential to be executed accidentally by the web server.

")); } + // Remove dots from both ends, just in case + $file_extension = trim($file_extension, "."); + // Rewrite the name to include the _actual_ file extension we've cleverly calculated :D // The path to the place (relative to the wiki data root) // that we're actually going to store the uploaded file itself - $new_filename = "$paths->upload_file_prefix$target_name$file_extension"; + $new_filename = "$paths->upload_file_prefix$target_name.$file_extension"; // The path (relative, as before) to the description file $new_description_filename = "$new_filename.md";