From 411b8e4656af1e590e5ffae674cfe40f2ff8f647 Mon Sep 17 00:00:00 2001
From: Kijin Sung
Date: Sat, 1 Jan 2022 21:40:34 +0900
Subject: [PATCH] Only allow image extensions in menu image button

This is NOT a security problem because this function is only accessible to the administrator. Changing it anyway to prevent confusion.

cf. xpressengine/xe-core#2434
---
 modules/menu/menu.admin.controller.php | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/modules/menu/menu.admin.controller.php b/modules/menu/menu.admin.controller.php
index 514c54a96..3c3619fce 100644
--- a/modules/menu/menu.admin.controller.php
+++ b/modules/menu/menu.admin.controller.php
@@ -1569,7 +1569,7 @@ class menuAdminController extends menu
 Context::set('error_messge', lang('msg_invalid_request'));
 }
- else if(!$target_file || !is_uploaded_file($target_file['tmp_name']) || !preg_match('/\.(gif|jpeg|jpg|png)$/i',$target_file['name']))
+ else if(!$target_file || !is_uploaded_file($target_file['tmp_name']) || !preg_match('/\.(jpe?g|gif|png|svg|webp)$/i',$target_file['name']))
 {
 Context::set('error_messge', lang('msg_invalid_request'));
 }
@@ -2262,7 +2262,7 @@ class menuAdminController extends menu
 $date = date('YmdHis');
 // normal button
- if($args->menu_normal_btn)
+ if($args->menu_normal_btn && preg_match('/\.(jpe?g|gif|png|svg|webp)$/i', $args->menu_normal_btn['name']))
 {
 $tmp_arr = explode('.',$args->menu_normal_btn['name']);
 $ext = $tmp_arr[count($tmp_arr)-1];
@@ -2272,7 +2272,7 @@ class menuAdminController extends menu
 }
 // hover button
- if($args->menu_hover_btn)
+ if($args->menu_hover_btn && preg_match('/\.(jpe?g|gif|png|svg|webp)$/i', $args->menu_hover_btn['name']))
 {
 $tmp_arr = explode('.',$args->menu_hover_btn['name']);
 $ext = $tmp_arr[count($tmp_arr)-1];
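Review bot: The allow-list on the new `else if` line is matched against `$target_file['name']`, a client-chosen string, and a PCRE `$` without the `D` modifier also matches just before a trailing newline, so a name ending in `.png` plus a newline passes the check while any later extension handling would carry that newline along; anchoring with `\z` closes this: `!preg_match('/\.(jpe?g|gif|png|svg|webp)\z/i', $target_file['name'])`. The added `svg` alternative admits a format that can embed active content, so if the stored button is later served inline from the site's own origin it should be sanitised or delivered with headers that prevent execution; the commit message's admin-only argument narrows the exposure but does not remove it. Nothing in the hunk inspects the file contents, so a non-image carrying an allowed extension still passes; for the raster types a `getimagesize()` or finfo check on `tmp_name` would tighten this. The enclosing `if`/`else if` chain begins before the hunk.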
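Review bot: The same extension pattern is now spelled out four times (this hunk, the two that follow for the hover and active buttons, and the `-1569` hunk); hoist it into one class constant, e.g. `const IMAGE_EXT_REGEXP = '/\.(jpe?g|gif|png|svg|webp)\z/i';`, so the four checks cannot drift apart and the anchoring fix only has to be made once. The new condition reads `$args->menu_normal_btn['name']` after only a truthiness test on `$args->menu_normal_btn`; I cannot tell from the hunk how `$args` is populated, but if that value can arrive as a non-array the string-offset access raises on PHP 8, so an `is_array()` guard ahead of the `preg_match` would be safer. Unlike the `-1569` hunk, these branches do not call `is_uploaded_file()` on `tmp_name` before trusting the name; if that validation does not happen outside the hunk it belongs here. The method containing these branches starts and ends outside the hunk.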
@@ -2282,7 +2282,7 @@ class menuAdminController extends menu
 }
 // active button
- if($args->menu_active_btn)
+ if($args->menu_active_btn && preg_match('/\.(jpe?g|gif|png|svg|webp)$/i', $args->menu_active_btn['name']))
 {
 $tmp_arr = explode('.',$args->menu_active_btn['name']);
 $ext = $tmp_arr[count($tmp_arr)-1];