PLEASE NOTE: These forums are no longer utilized and are provided as an archive for informational purposes only. All support issues will be handled via email using our support ticket system. For more detailed information on this change, please see this blog post.

Filter .php files on file upload

  1. jhherren
    Member

    It seems dangerous to me that a user can upload a .php file through a file upload if no file extension are set, which is the default behavior for the file upload field. Since files are uploaded to an easily guessable path, this looks like a file inclusion vulnerability waiting to happen.

    I think you should consider filtering .php files (and .js, too) from being uploaded. Users wanting to submit .php files can package them in an archive such as a zip file.

    Posted 9 years ago on Monday March 1, 2010 | Permalink
  2. Very good point and I remember doing this already so i'm going to have to look into why it is no longer in place and we will certainly correct it in the next release.

    Posted 9 years ago on Monday March 1, 2010 | Permalink