fix(FileAttachmentField): Fix security issue where file extensions ar…

…en't validated on the server-side.
unclecheese · Jul 7, 2017 · 334dda1 · 334dda1
1 parent bd14e95
commit 334dda1
Showing 1 changed file with 17 additions and 1 deletion.
diff --git a/code/FileAttachmentField.php b/code/FileAttachmentField.php
@@ -574,7 +574,23 @@ public function setAcceptedFiles($files = array ()) {
         if(is_array($files)) {
             $files = implode(',', $files);
         }
-        $this->settings['acceptedFiles'] = str_replace(' ', '', $files);
+        $files = str_replace(' ', '', $files);
+        $this->settings['acceptedFiles'] = $files;
+
+        // Update validator
+        $validator = $this->getValidator();
+        if ($validator) {
+            $fileExts = explode(',', $files);
+
+            $validatorExts = array();
+            foreach ($fileExts as $fileExt) {
+                if ($fileExt && isset($fileExt[0]) && $fileExt[0] === '.') {
+                    $fileExt = substr($fileExt, 1);
+                }
+                $validatorExts[] = $fileExt;
+            }
+            $validator->setAllowedExtensions($validatorExts);
+        }
 
         return $this;
     }