fix(security): disallow file extensions end with html

streamtw · streamtw · commit 6b3adbcb7759 · 2024-08-10T01:55:43.000+08:00
diff --git a/src/LfmUploadValidator.php b/src/LfmUploadValidator.php
@@ -85,6 +85,10 @@ public function extensionIsNotExcutable($excutable_extensions)
             throw new ExcutableFileException();
         }
 
+        if (preg_match('/[a-z]html/', $extension) > 0) {
+            throw new ExcutableFileException();
+        }
+
         return $this;
     }
 
diff --git a/tests/LfmUploadValidatorTest.php b/tests/LfmUploadValidatorTest.php
@@ -180,6 +180,18 @@ public function testFailsExtensionIsNotExcutableWithExtensionsStartsWithPhp()
         $validator->extensionIsNotExcutable(['php', 'html']);
     }
 
+    public function testFailsExtensionIsNotExcutableWithExtensionsEndsWithHtml()
+    {
+        $uploaded_file = m::mock(UploadedFile::class);
+        $uploaded_file->shouldReceive('getClientOriginalExtension')->andReturn('dhtml');
+
+        $validator = new LfmUploadValidator($uploaded_file);
+
+        $this->expectException(ExcutableFileException::class);
+
+        $validator->extensionIsNotExcutable();
+    }
+
     public function testFailsExtensionIsValidWithSpecialCharacters()
     {
         $uploaded_file = m::mock(UploadedFile::class);

Original file line number	Diff line number	Diff line change
`@@ -85,6 +85,10 @@ public function extensionIsNotExcutable($excutable_extensions)`
`85`	`85`	`throw new ExcutableFileException();`
`86`	`86`	`}`
`87`	`87`
	`88`	`+ if (preg_match('/[a-z]html/', $extension) > 0) {`
	`89`	`+ throw new ExcutableFileException();`
	`90`	`+ }`
	`91`	`+`
`88`	`92`	`return $this;`
`89`	`93`	`}`
`90`	`94`