From 334dda1f252681ff749948fa3eaceeb71f7ea3f0 Mon Sep 17 00:00:00 2001 From: Jake Bentvelzen Date: Fri, 7 Jul 2017 10:38:02 +1000 Subject: [PATCH] fix(FileAttachmentField): Fix security issue where file extensions aren't validated on the server-side. --- code/FileAttachmentField.php | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/code/FileAttachmentField.php b/code/FileAttachmentField.php index db89ea8..821e7ca 100644 --- a/code/FileAttachmentField.php +++ b/code/FileAttachmentField.php @@ -574,7 +574,23 @@ public function setAcceptedFiles($files = array ()) { if(is_array($files)) { $files = implode(',', $files); } - $this->settings['acceptedFiles'] = str_replace(' ', '', $files); + $files = str_replace(' ', '', $files); + $this->settings['acceptedFiles'] = $files; + + // Update validator + $validator = $this->getValidator(); + if ($validator) { + $fileExts = explode(',', $files); + + $validatorExts = array(); + foreach ($fileExts as $fileExt) { + if ($fileExt && isset($fileExt[0]) && $fileExt[0] === '.') { + $fileExt = substr($fileExt, 1); + } + $validatorExts[] = $fileExt; + } + $validator->setAllowedExtensions($validatorExts); + } return $this; }
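Review bot: The new loop appends every comma-separated entry to `$validatorExts` after only stripping one leading dot, so an empty entry (a trailing comma, or `setAcceptedFiles('')`) is passed to `setAllowedExtensions` as `''`, and a Dropzone MIME-type entry such as `image/*` is passed verbatim as if it were an extension; the `if ($fileExt && ...)` guard only skips the `substr`, not the append. If the validator treats an empty allowed extension as matching extension-less files, the first case widens the server-side whitelist this commit is meant to tighten; the second either never matches any real extension (every upload rejected) or, if such entries were dropped and the list ended up empty, could disable the extension check altogether — which of these happens depends on how the validator handles an empty list, and that code is not visible here. I would skip empty entries and fail closed on entries that cannot be mapped to an extension rather than silently mirror them, as below. Separately, the validator is only updated when `getValidator()` already returns one; if a validator can be attached after `setAcceptedFiles()` is called, the allowed extensions should be re-applied at that point too, otherwise the server-side check is silently lost. The method signature is visible only in the hunk header, not in the hunk body.
```php
foreach ($fileExts as $fileExt) {
    $fileExt = ltrim($fileExt, '.');
    if ($fileExt === '') {
        continue; // never whitelist the empty extension (would match extension-less files)
    }
    if (strpos($fileExt, '/') !== false) {
        // Dropzone "acceptedFiles" may contain MIME types (e.g. image/*); they cannot be
        // mapped to a server-side extension whitelist, so fail closed at configuration time.
        throw new InvalidArgumentException("Cannot use MIME type '$fileExt' as an allowed extension");
    }
    $validatorExts[] = $fileExt;
}
// … unchanged: $validator->setAllowedExtensions($validatorExts); …
```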