hotline #67693 : php files forbidden

c74e008c · Patrick Barroca · fdfa2e55 · c74e008c · c74e008c
Commit c74e008c authored 7 years ago by Patrick Barroca
--- a/library/Class/FileManager.php
+++ b/library/Class/FileManager.php
@@ -35,7 +35,9 @@ class Class_FileManager {


  protected function _isForbidden($part) {
-    return $this->_isHtaccess($part) || $this->_isDotsOnly($part);
+    return $this->_isHtaccess($part)
+      || $this->_isDotsOnly($part)
+      || $this->_isPhpFile($part);
  }


@@ -49,4 +51,10 @@ class Class_FileManager {
      ? '' == trim(str_replace('.', '', $part))
      : false;
  }
+
+  protected function _isPhpFile($part) {
+    return $part
+      ? 1 === preg_match('/\.php[1-9]*$/i', $part)
+      : false;
+  }
 }
--- a/tests/library/Class/FileManagerTest.php
+++ b/tests/library/Class/FileManagerTest.php
@@ -123,4 +123,16 @@ class FileManagerAuthAsAdminTest extends FileManagerTestCase {
  public function dotHtaccessShouldNotBeAuthorized() {
    $this->assertFalse($this->_filemanager->isAuthorized(USERFILESURL . '/.htaccess'));
  }
+
+
+  /** @test */
+  public function phpFileShouldNotBeAuthorized() {
+    $this->assertFalse($this->_filemanager->isAuthorized(USERFILESURL . '/anything.php'));
+  }
+
+
+  /** @test */
+  public function php5FileShouldNotBeAuthorized() {
+    $this->assertFalse($this->_filemanager->isAuthorized(USERFILESURL . '/anything.php5'));
+  }
 }
\ No newline at end of file