Merge pull request #85 from silbinarywolf/fix-setacceptedfiles
fix(FileAttachmentField): Fix security issue where file extensions aren't validated on the server-side.
Aaron Carlino authored Jan 8, 2018
2 parents fb00c68 + 334dda1 commit f942bc8
Showing 1 changed file with 17 additions and 1 deletion.
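--- a/code/FileAttachmentField.php
+++ b/code/FileAttachmentField.php
@@ -577,7 +577,23 @@ public function setAcceptedFiles($files = array ()) {
 if(is_array($files)) {
 $files = implode(',', $files);
 }
-$this->settings['acceptedFiles'] = str_replace(' ', '', $files);
+$files = str_replace(' ', '', $files);
+$this->settings['acceptedFiles'] = $files;
+
+// Update validator
+$validator = $this->getValidator();
+if ($validator) {
+$fileExts = explode(',', $files);
+
+$validatorExts = array();
+foreach ($fileExts as $fileExt) {
+if ($fileExt && isset($fileExt[0]) && $fileExt[0] === '.') {
+$fileExt = substr($fileExt, 1);
+}
+$validatorExts[] = $fileExt;
+}
+$validator->setAllowedExtensions($validatorExts);
+}
 
 return $this;
 }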
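Review bot: The loop at `foreach ($fileExts as $fileExt)` passes every comma-separated entry to `setAllowedExtensions()` unfiltered, so an empty `$files` (the default `array()`) yields `array('')`, and an entry that is a MIME type rather than an extension (for example `image/*`, if callers put those in acceptedFiles) is stored as a literal extension. Depending on how the validator treats such values, which is not visible here, the call either replaces a previously configured allow-list with one that matches nothing useful or rejects every upload. I would skip those entries with `if ($fileExt === '' || strpos($fileExt, '/') !== false) { continue; }` at the top of the loop, and call `setAllowedExtensions()` only when `$validatorExts` is non-empty. MIME-type entries would then still have no server-side enforcement, which is worth stating in a comment such as `// acceptedFiles is a client-side hint; the validator is the enforcement point and only understands extensions`. The start of setAcceptedFiles lies outside the hunk.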