block 'phar' file upload

git-svn-id: http://xe-core.googlecode.com/svn/branches/maserati@13179 201d5d3c-b55e-5fd7-737f-ddc643e51545
2026-01-04 01:01:41 +09:00 · 2013-11-07 02:29:45 +00:00 · 2013-11-07 02:29:45 +00:00 · 08022a1ddb
commit 08022a1ddb
parent 749c2092cc
2 changed files with 2 additions and 2 deletions
--- a/modules/file/file.controller.php
+++ b/modules/file/file.controller.php
@ -636,7 +636,7 @@ class fileController extends file
 		if(preg_match("/\.(jpe?g|gif|png|wm[va]|mpe?g|avi|swf|flv|mp[1-4]|as[fx]|wav|midi?|moo?v|qt|r[am]{1,2}|m4v)$/i", $file_info['name']))
 		{
 			// Immediately remove the direct file if it has any kind of extensions for hacking
-			$file_info['name'] = preg_replace('/\.(php|phtm|html?|cgi|pl|exe|jsp|asp|inc)/i', '$0-x',$file_info['name']);
+			$file_info['name'] = preg_replace('/\.(php|phtm|phar|html?|cgi|pl|exe|jsp|asp|inc)/i', '$0-x',$file_info['name']);
 			$file_info['name'] = str_replace(array('<','>'),array('%3C','%3E'),$file_info['name']);

 			$path = sprintf("./files/attach/images/%s/%s", $module_srl,getNumberingPath($upload_target_srl,3));
--- a/modules/importer/importer.admin.controller.php
+++ b/modules/importer/importer.admin.controller.php
@ -1056,7 +1056,7 @@ class importerAdminController extends importer
 					if(preg_match("/\.(jpe?g|gif|png|wm[va]|mpe?g|avi|swf|flv|mp[1-4]|as[fx]|wav|midi?|moo?v|qt|r[am]{1,2}|m4v)$/i", $file_obj->source_filename))
 					{
 						// Immediately remove the direct file if it has any kind of extensions for hacking
-						$file_obj->source_filename = preg_replace('/\.(php|phtm|html?|cgi|pl|exe|jsp|asp|inc)/i', '$0-x', $file_obj->source_filename);
+						$file_obj->source_filename = preg_replace('/\.(php|phtm|phar|html?|cgi|pl|exe|jsp|asp|inc)/i', '$0-x', $file_obj->source_filename);
 						$file_obj->source_filename = str_replace(array('<', '>'), array('%3C', '%3E'), $file_obj->source_filename);

 						$path = sprintf("./files/attach/images/%s/%s", $module_srl, getNumberingPath($upload_target_srl, 3));