blacklist .phar extension

verot · verot · commit db1b4fe50c17 · 2019-12-04T13:36:02.000+01:00
diff --git a/src/class.upload.php b/src/class.upload.php
@@ -3064,7 +3064,7 @@ function process($server_path = null) {
                 }
                 // if the file is text based, or has a dangerous extension, we rename it as .txt
                 if ((((substr($this->file_src_mime, 0, 5) == 'text/' && $this->file_src_mime != 'text/rtf') || strpos($this->file_src_mime, 'javascript') !== false)  && (substr($file_src_name, -4) != '.txt'))
-                    || preg_match('/\.(php|php5|php4|php3|phtml|pl|py|cgi|asp|js)$/i', $this->file_src_name)
+                    || preg_match('/\.(php|php5|php4|php3|phtml|pl|py|cgi|asp|js|phar)$/i', $this->file_src_name)
                     || $this->file_force_extension && empty($file_src_name_ext)) {
                     $this->file_src_mime = 'text/plain';
                     if ($this->file_src_name_ext) $file_src_name_body = $file_src_name_body . '.' . $this->file_src_name_ext;

Original file line number	Diff line number	Diff line change
`@@ -3064,7 +3064,7 @@ function process($server_path = null) {`
`3064`	`3064`	`}`
`3065`	`3065`	`// if the file is text based, or has a dangerous extension, we rename it as .txt`
`3066`	`3066`	`if ((((substr($this->file_src_mime, 0, 5) == 'text/' && $this->file_src_mime != 'text/rtf') \|\| strpos($this->file_src_mime, 'javascript') !== false) && (substr($file_src_name, -4) != '.txt'))`
`3067`		`- \|\| preg_match('/\.(php\|php5\|php4\|php3\|phtml\|pl\|py\|cgi\|asp\|js)$/i', $this->file_src_name)`
	`3067`	`+ \|\| preg_match('/\.(php\|php5\|php4\|php3\|phtml\|pl\|py\|cgi\|asp\|js\|phar)$/i', $this->file_src_name)`
`3068`	`3068`	`\|\| $this->file_force_extension && empty($file_src_name_ext)) {`
`3069`	`3069`	`$this->file_src_mime = 'text/plain';`
`3070`	`3070`	`if ($this->file_src_name_ext) $file_src_name_body = $file_src_name_body . '.' . $this->file_src_name_ext;`