Skip to content

Commit

Permalink
Update dangerous extensions (#3756)
Browse files Browse the repository at this point in the history
Thanks for this!
  • Loading branch information
angelej authored Oct 24, 2023
1 parent f0f2989 commit 80ce87e
Show file tree
Hide file tree
Showing 9 changed files with 22 additions and 14 deletions.
7 changes: 7 additions & 0 deletions system/config/security.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -32,9 +32,16 @@ xss_dangerous_tags:
- base
uploads_dangerous_extensions:
- php
- php2
- php3
- php4
- php5
- phar
- phtml
- html
- htm
- shtml
- shtm
- js
- exe
sanitize_svg: true
4 changes: 2 additions & 2 deletions system/src/Grav/Common/Utils.php
Original file line number Diff line number Diff line change
Expand Up @@ -977,10 +977,10 @@ public static function getMimeByLocalFile($filename, $default = 'application/oct
* @param string $filename
* @return bool
*/
public static function checkFilename($filename)
public static function checkFilename($filename): bool
{
$dangerous_extensions = Grav::instance()['config']->get('security.uploads_dangerous_extensions', []);
$extension = static::pathinfo($filename, PATHINFO_EXTENSION);
$extension = strtolower(static::pathinfo($filename, PATHINFO_EXTENSION));

return !(
// Empty filenames are not allowed.
Expand Down
1 change: 1 addition & 0 deletions tests/unit/Grav/Common/UtilsTest.php
Original file line number Diff line number Diff line change
Expand Up @@ -561,6 +561,7 @@ public function testCheckFilename(): void
$config->set('security.uploads_dangerous_extensions', ['php', 'html', 'htm', 'exe', 'js']);

self::assertFalse(Utils::checkFilename('foo.php'));
self::assertFalse(Utils::checkFilename('foo.PHP'));
self::assertFalse(Utils::checkFilename('bar.js'));

self::assertTrue(Utils::checkFilename('foo.json'));
Expand Down
4 changes: 2 additions & 2 deletions webserver-configs/Caddyfile
Original file line number Diff line number Diff line change
Expand Up @@ -16,10 +16,10 @@ php_fastcgi 127.0.0.1:9000
rewrite /(\.git|cache|bin|logs|backups|tests)/.* /403

# deny running scripts inside core system folders
rewrite /(system|vendor)/.*\.(txt|xml|md|html|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ /403
rewrite /(system|vendor)/.*\.(txt|xml|md|html|htm|shtml|shtm|yaml|yml|php|php2|php3|php4|php5|phar|phtml|pl|py|cgi|twig|sh|bat)$ /403

# deny running scripts inside user folder
rewrite /user/.*\.(txt|md|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ /403
rewrite /user/.*\.(txt|md|yaml|yml|php|php2|php3|php4|php5|phar|phtml|pl|py|cgi|twig|sh|bat)$ /403

# deny access to specific files in the root folder
rewrite /(LICENSE\.txt|composer\.lock|composer\.json|nginx\.conf|web\.config|htaccess\.txt|\.htaccess) /403
Expand Down
4 changes: 2 additions & 2 deletions webserver-configs/Caddyfile-0.8.x
Original file line number Diff line number Diff line change
Expand Up @@ -12,12 +12,12 @@ rewrite {
}
# deny running scripts inside core system folders
rewrite {
r /(system|vendor)/.*\.(txt|xml|md|html|yaml|yml|php|pl|py|cgi|twig|sh|bat)$
r /(system|vendor)/.*\.(txt|xml|md|html|htm|shtml|shtm|yaml|yml|php|php2|php3|php4|php5|phar|phtml|pl|py|cgi|twig|sh|bat)$
status 403
}
# deny running scripts inside user folder
rewrite {
r /user/.*\.(txt|md|yaml|yml|php|pl|py|cgi|twig|sh|bat)$
r /user/.*\.(txt|md|yaml|yml|php|php2|php3|php4|php5|phar|phtml|pl|py|cgi|twig|sh|bat)$
status 403
}
# deny access to specific files in the root folder
Expand Down
4 changes: 2 additions & 2 deletions webserver-configs/htaccess.txt
Original file line number Diff line number Diff line change
Expand Up @@ -59,9 +59,9 @@ RewriteRule .* index.php [L]
# Block all direct access for these folders
RewriteRule ^(\.git|cache|bin|logs|backup|webserver-configs|tests)/(.*) error [F]
# Block access to specific file types for these system folders
RewriteRule ^(system|vendor)/(.*)\.(txt|xml|md|html|json|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ error [F]
RewriteRule ^(system|vendor)/(.*)\.(txt|xml|md|html|htm|shtml|shtm|json|yaml|yml|php|php2|php3|php4|php5|phar|phtml|pl|py|cgi|twig|sh|bat)$ error [F]
# Block access to specific file types for these user folders
RewriteRule ^(user)/(.*)\.(txt|md|json|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ error [F]
RewriteRule ^(user)/(.*)\.(txt|md|json|yaml|yml|php|php2|php3|php4|php5|phar|phtml|pl|py|cgi|twig|sh|bat)$ error [F]
# Block all direct access to .md files:
RewriteRule \.md$ error [F]
# Block all direct access to files and folders beginning with a dot
Expand Down
2 changes: 1 addition & 1 deletion webserver-configs/lighttpd.conf
Original file line number Diff line number Diff line change
Expand Up @@ -33,7 +33,7 @@ $HTTP["url"] =~ "^/grav_path/(LICENSE\.txt|composer\.json|composer\.lock|nginx\.
$HTTP["url"] =~ "^/grav_path/(\.git|cache|bin|logs|backup|tests)/(.*)" {
url.access-deny = ("")
}
$HTTP["url"] =~ "^/grav_path/(system|user|vendor)/(.*)\.(txt|md|html|json|yaml|yml|php|twig|sh|bat)$" {
$HTTP["url"] =~ "^/grav_path/(system|user|vendor)/(.*)\.(txt|md|html|htm|shtml|shtm|json|yaml|yml|php|php2|php3|php4|php5|phar|phtml|twig|sh|bat)$" {
url.access-deny = ("")
}
$HTTP["url"] =~ "^/grav_path/(\.(.*))" {
Expand Down
4 changes: 2 additions & 2 deletions webserver-configs/nginx.conf
Original file line number Diff line number Diff line change
Expand Up @@ -20,9 +20,9 @@ server {
# deny all direct access for these folders
location ~* /(\.git|cache|bin|logs|backup|tests)/.*$ { return 403; }
# deny running scripts inside core system folders
location ~* /(system|vendor)/.*\.(txt|xml|md|html|json|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ { return 403; }
location ~* /(system|vendor)/.*\.(txt|xml|md|html|htm|shtml|shtm|json|yaml|yml|php|php2|php3|php4|php5|phar|phtml|pl|py|cgi|twig|sh|bat)$ { return 403; }
# deny running scripts inside user folder
location ~* /user/.*\.(txt|md|json|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ { return 403; }
location ~* /user/.*\.(txt|md|json|yaml|yml|php|php2|php3|php4|php5|phar|phtml|pl|py|cgi|twig|sh|bat)$ { return 403; }
# deny access to specific files in the root folder
location ~ /(LICENSE\.txt|composer\.lock|composer\.json|nginx\.conf|web\.config|htaccess\.txt|\.htaccess) { return 403; }
## End - Security
Expand Down
6 changes: 3 additions & 3 deletions webserver-configs/web.config
Original file line number Diff line number Diff line change
Expand Up @@ -18,19 +18,19 @@
<action type="Rewrite" url="index.php" />
</rule>
<rule name="user_error_redirect" stopProcessing="true">
<match url="^(user)/(.*)\.(txt|md|json|yaml|yml|php|pl|py|cgi|twig|sh|bat)$" ignoreCase="false" />
<match url="^(user)/(.*)\.(txt|md|json|yaml|yml|php|php2|php3|php4|php5|phar|phtml|pl|py|cgi|twig|sh|bat)$" ignoreCase="false" />
<action type="Redirect" url="error" redirectType="Permanent" />
</rule>
<rule name="ignore_folders" stopProcessing="true">
<match url="^(\.git|cache|bin|logs|backup|webserver-configs|tests)/(.*)" ignoreCase="false" />
<action type="Redirect" url="error" redirectType="Permanent" />
</rule>
<rule name="system" stopProcessing="true">
<match url="^system/(.*)\.(txt|md|html|json|yaml|yml|php|twig|sh|bat)$" ignoreCase="false" />
<match url="^system/(.*)\.(txt|md|html|htm|shtml|shtm|json|yaml|yml|php|php2|php3|php4|php5|phar|phtml|twig|sh|bat)$" ignoreCase="false" />
<action type="Redirect" url="error" redirectType="Permanent" />
</rule>
<rule name="vendor" stopProcessing="true">
<match url="^vendor/(.*)\.(txt|md|html|json|yaml|yml|php|twig|sh|bat)$" ignoreCase="false" />
<match url="^vendor/(.*)\.(txt|md|html|htm|shtml|shtm|json|yaml|yml|php|php2|php3|php4|php5|phar|phtml|twig|sh|bat)$" ignoreCase="false" />
<action type="Redirect" url="error" redirectType="Permanent" />
</rule>
</rules>
Expand Down

0 comments on commit 80ce87e

Please sign in to comment.