Commit 0c18561

Merge branch '4.x' of https://github.com/craftcms/cms into 5.x
# Conflicts:
#	CHANGELOG.md
2 parents 16e2750 + 732ea12 commit 0c18561

2 files changed

Lines changed: 10 additions & 0 deletions

CHANGELOG.md

Lines changed: 1 addition & 0 deletions
@@ -4,6 +4,7 @@
44

55
- Plugin licenses are now assigned immediately when installed via the `plugin/install` command. ([#17871](https://github.com/craftcms/cms/issues/17871))
66
- Improved drag-n-drop performance. ([#18019](https://github.com/craftcms/cms/pull/18019))
7+
- Fixed a bug where assets with disallowed file extensions could still be uploaded to the system’s temp directory. ([#18015](https://github.com/craftcms/cms/issues/18015))
78
- Fixed a bug where the Live Preview drag bar wasn’t easily draggable when a nested slideout was open. ([#17781](https://github.com/craftcms/cms/issues/17781))
89
- Fixed a bug where nested slideouts within Live Preview weren’t getting resized when the window was resized.
910
- Fixed a bug where element index table column sort buttons weren’t being focused after activation. ([#18021](https://github.com/craftcms/cms/pull/18021))

src/controllers/AssetsController.php

Lines changed: 9 additions & 0 deletions
@@ -15,6 +15,7 @@
1515
use craft\db\Table;
1616
use craft\elements\Asset;
1717
use craft\elements\conditions\ElementCondition;
18+
use craft\errors\AssetDisallowedExtensionException;
1819
use craft\errors\AssetException;
1920
use craft\errors\DeprecationException;
2021
use craft\errors\ElementNotFoundException;
@@ -1285,6 +1286,14 @@ private function _getUploadedFileTempPath(UploadedFile $uploadedFile): string
12851286
throw new UploadFailedException($uploadedFile->error);
12861287
}
12871288

1289+
// Make sure the file extension is allowed
1290+
$allowedExtensions = Craft::$app->getConfig()->getGeneral()->allowedFileExtensions;
1291+
$extension = strtolower(pathinfo($uploadedFile->name, PATHINFO_EXTENSION));
1292+
1293+
if (is_array($allowedExtensions) && !in_array($extension, $allowedExtensions, true)) {
1294+
throw new AssetDisallowedExtensionException(Craft::t('app', "{$extension}” is not an allowed file extension."));
1295+
}
1296+
12881297
// Move the uploaded file to the temp folder
12891298
$tempPath = $uploadedFile->saveAsTempFile();
12901299

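Review bot: the exception message at 1294 has mismatched quotes: the string opens with the PHP delimiter `"` and then closes the quoted extension with a typographic `”`, so the rendered text reads `jpg” is not an allowed file extension.` with no opening quote. Suggest `Craft::t('app', "“{$extension}” is not an allowed file extension.")` (or straight quotes on both sides) so the translation source string is consistent. Two further points on the same block: the `is_array($allowedExtensions)` guard at 1293 means a null or mis-typed config value silently disables the allowlist check entirely, which is the very gap this change is closing, so consider failing closed (treat a non-array as "nothing allowed") or at least logging it; and because 1291 lowercases the extension while `in_array` is strict, the check only works if every entry in `allowedFileExtensions` is already lowercase, so it would be worth confirming that the config layer normalizes the list (or lowercasing it here) to avoid rejecting legitimately configured uppercase entries. Placing the check before `saveAsTempFile()` at 1298 is the right spot, since the reported bug was that rejected files still landed in the temp directory.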