From be8cf71e7103a81a548781623a3178d89dcc0240 Mon Sep 17 00:00:00 2001
From: ic-hv
Date: Mon, 14 Dec 2020 11:09:59 +0100
Subject: [PATCH] Update upload.php

[TASK] Allowed file-endings should not only get checked on the client-side but also on the server-side
Remember: Checks on client-side may easily be circumvented by opening up javascript console and doing this for example:
$ allowed_ext.push("php")
---
 tinymce/plugins/filemanager/upload.php | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/tinymce/plugins/filemanager/upload.php b/tinymce/plugins/filemanager/upload.php
index 0ce1fdb..afad079 100644
--- a/tinymce/plugins/filemanager/upload.php
+++ b/tinymce/plugins/filemanager/upload.php
@@ -19,6 +19,12 @@
 $targetPath = dirname( __FILE__ ) . $ds. $storeFolder . $ds;
 $targetPathThumb = dirname( __FILE__ ) . $ds. $storeFolderThumb . $ds;
 
+ // Reject uploading of non-allowed file-endings
+ $file_ending = strtolower(substr(strrchr($_FILES['file']['name'],'.'),1));
+ if(!in_array($file_ending, $ext)) {
+ die();
+ }
+
 $targetFile = $targetPath. $_FILES['file']['name'];
 $targetFileThumb = $targetPathThumb. $_FILES['file']['name'];
 move_uploaded_file($tempFile,$targetFile);
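Review bot: The new check lowercases `$file_ending` but then compares it with a non-strict `in_array` against `$ext`, whose contents and case are defined outside this hunk, so an allow-list entry written in upper case (say `'JPG'`) would never match and loose comparison behaves unexpectedly if `$ext` holds anything but lowercase strings; use `in_array($file_ending, array_map('strtolower', $ext), true)`. `die()` with no status also answers a rejected upload with HTTP 200 and an empty body, which the client cannot tell from success; prefer `http_response_code(400); exit;`. The suffix allow-list on its own does not make the stored file safe either: the client-supplied `$_FILES['file']['name']` still flows unchanged into `$targetFile` and `$targetFileThumb` two lines below, so at minimum wrap it in `basename()`, and storing uploads in a directory the web server never executes scripts from gives defence in depth. The rest of the script, including where `$ext`, `$tempFile` and the thumbnail handling are defined, is outside the hunk.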