From c74e008c2ef68364336339672222156acd6df648 Mon Sep 17 00:00:00 2001
From: Patrick Barroca <pbarroca@afi-sa.fr>
Date: Wed, 22 Nov 2017 15:22:31 +0100
Subject: [PATCH] hotline #67693 : php files forbidden

---
 library/Class/FileManager.php           | 10 +++++++++-
 tests/library/Class/FileManagerTest.php | 12 ++++++++++++
 2 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/library/Class/FileManager.php b/library/Class/FileManager.php
index 86e39cbad7b..2af6fb8d35c 100644
--- a/library/Class/FileManager.php
+++ b/library/Class/FileManager.php
@@ -35,7 +35,9 @@ class Class_FileManager {
 
 
   protected function _isForbidden($part) {
-    return $this->_isHtaccess($part) || $this->_isDotsOnly($part);
+    return $this->_isHtaccess($part)
+      || $this->_isDotsOnly($part)
+      || $this->_isPhpFile($part);
   }
 
 
@@ -49,4 +51,10 @@ class Class_FileManager {
       ? '' == trim(str_replace('.', '', $part))
       : false;
   }
+
+  protected function _isPhpFile($part) {
+    return $part
+      ? 1 === preg_match('/\.php[1-9]*$/i', $part)
+      : false;
+  }
 }
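Review bot: `_isPhpFile` is a denylist keyed on a single suffix pattern (`/\.php[1-9]*$/i`), so the check is only as good as that pattern: whether a suffix is executed is decided by the web server's handler configuration, not by this class, and common setups map additional suffixes such as `.phtml` or `.phar` to the PHP handler, none of which this pattern rejects. A safer shape for an upload path is an allowlist of permitted extensions, with the PHP denylist kept only as a second layer; if the denylist stays, its list should come from one documented constant so it can be extended to match the deployment. At minimum a comment on the method should state the assumption, e.g. `// Denylist only: rejects .php/.phpN; any other suffix the server maps to PHP must be added here (or prefer an allowlist).`. Note also that `$part ? ... : false` treats the string `'0'` as empty, mirroring the `_isDotsOnly` style above; that is harmless here but worth knowing when the pattern is reused.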
diff --git a/tests/library/Class/FileManagerTest.php b/tests/library/Class/FileManagerTest.php
index a551d54de5b..a48439743fc 100644
--- a/tests/library/Class/FileManagerTest.php
+++ b/tests/library/Class/FileManagerTest.php
@@ -123,4 +123,16 @@ class FileManagerAuthAsAdminTest extends FileManagerTestCase {
   public function dotHtaccessShouldNotBeAuthorized() {
     $this->assertFalse($this->_filemanager->isAuthorized(USERFILESURL . '/.htaccess'));
   }
+
+
+  /** @test */
+  public function phpFileShouldNotBeAuthorized() {
+    $this->assertFalse($this->_filemanager->isAuthorized(USERFILESURL . '/anything.php'));
+  }
+
+
+  /** @test */
+  public function php5FileShouldNotBeAuthorized() {
+    $this->assertFalse($this->_filemanager->isAuthorized(USERFILESURL . '/anything.php5'));
+  }
 }
\ No newline at end of file
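Review bot: The two new tests pin `.php` and `.php5` but leave the case-insensitive branch of the new regex (`/i`) unexercised, and there is no positive control showing a non-PHP name is still authorized after the change. I would add `$this->assertFalse($this->_filemanager->isAuthorized(USERFILESURL . '/anything.PHP'));` alongside them, plus one `assertTrue` for a benign name such as `anything.txt` so a future tightening of the denylist cannot silently reject everything. The class header of `FileManagerAuthAsAdminTest` is outside this hunk, so I cannot tell whether such a positive test already exists elsewhere in the file.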
-- 
GitLab