CVE-2021-23814 Unrestricted Upload of File with Dangerous Type

[bashgeek]

GHSA-f8x6-m9f5-ffp8

Surprisingly can't find anything about this in the issues here yet, is this something that's gonna be addressed soon?

Thanks a lot!

[MaxKorlaar]

Yeah, I noticed it before: Roave/SecurityAdvisories#89 but it's not linked to the repo apparently.

[streamtw]

v2.5.1 has been released to fix this issue.

[deanzod]

I am still able to do this in 2.6. It needs to check file extensions too. Something like....

function hasAllowedExtension($allowed_extensions)
    {
        $extension = $this->file->getClientOriginalExtension();

        if (!in_array($extension, $allowed_extensions)) {
            throw new ExcutableFileException($extension);
        }

        return $this;
    }

[streamtw]

Thanks @deanzod . v2.6.2 has been released to check file extension.