do not allow php files

spatie · Jul 15, 2024 · e663609 · e663609
1 parent 038c1ba
commit e663609
Show file tree

Hide file tree

Showing 3 changed files with 35 additions and 2 deletions.
diff --git a/src/MediaCollections/Exceptions/FileNameNotAllowed.php b/src/MediaCollections/Exceptions/FileNameNotAllowed.php
@@ -0,0 +1,13 @@
+<?php
+
+namespace Spatie\MediaLibrary\MediaCollections\Exceptions;
+
+use Spatie\MediaLibrary\Support\File;
+
+class FileNameNotAllowed extends FileCannotBeAdded
+{
+    public static function create(string $orignalName, string $sanitizedName): self
+    {
+        return new static("The file name `{$orignalName}` was sanitized to `{$sanitizedName}`. This sanitized file name is not allowed because it is a PHP file.");
+    }
+}
diff --git a/src/MediaCollections/FileAdder.php b/src/MediaCollections/FileAdder.php
@@ -5,13 +5,16 @@
 use Closure;
 use Illuminate\Database\Eloquent\Model;
 use Illuminate\Support\Facades\Storage;
+use Illuminate\Support\Str;
 use Illuminate\Support\Traits\Macroable;
+use Rector\PhpParser\Node\CustomNode\FileWithoutNamespace;
 use Spatie\MediaLibrary\Conversions\ImageGenerators\Image as ImageGenerator;
 use Spatie\MediaLibrary\HasMedia;
 use Spatie\MediaLibrary\MediaCollections\Exceptions\DiskCannotBeAccessed;
 use Spatie\MediaLibrary\MediaCollections\Exceptions\DiskDoesNotExist;
 use Spatie\MediaLibrary\MediaCollections\Exceptions\FileDoesNotExist;
 use Spatie\MediaLibrary\MediaCollections\Exceptions\FileIsTooBig;
+use Spatie\MediaLibrary\MediaCollections\Exceptions\FileNameNotAllowed;
 use Spatie\MediaLibrary\MediaCollections\Exceptions\FileUnacceptableForCollection;
 use Spatie\MediaLibrary\MediaCollections\Exceptions\UnknownType;
 use Spatie\MediaLibrary\MediaCollections\File as PendingFile;
@@ -389,9 +392,19 @@ protected function ensureDiskExists(string $diskName): void
 
     public function defaultSanitizer(string $fileName): string
     {
-        $fileName = preg_replace('#\p{C}+#u', '', $fileName);
+        $sanitizedFileName = preg_replace('#\p{C}+#u', '', $fileName);
 
-        return str_replace(['#', '/', '\\', ' '], '-', $fileName);
+        $sanitizedFileName =  str_replace(['#', '/', '\\', ' '], '-', $sanitizedFileName);
+
+        $phpExtensions = [
+            'php', 'php3', 'php4', 'php5', 'php7', 'php8', 'phtml', 'phar',
+        ];
+
+        if (Str::endsWith(strtolower($sanitizedFileName), $phpExtensions)) {
+            throw FileNameNotAllowed::create($fileName, $sanitizedFileName);
+        }
+
+        return $sanitizedFileName;
     }
 
     public function sanitizingFileName(callable $fileNameSanitizer): self

diff --git a/tests/MediaCollections/FileAdderTest.php b/tests/MediaCollections/FileAdderTest.php
@@ -2,6 +2,7 @@
 
 namespace Spatie\MediaLibrary\Tests\MediaCollections;
 
+use Spatie\MediaLibrary\MediaCollections\Exceptions\FileNameNotAllowed;
 use Spatie\MediaLibrary\MediaCollections\FileAdder;
 
 it('sanitizes filenames correctly', function () {
@@ -23,3 +24,9 @@
     expect($adder->defaultSanitizer('Scan-‎9‎.‎14‎.‎2022-‎7‎.‎23‎.‎28.pdf'))
         ->toEqual('Scan-9.14.2022-7.23.28.pdf');
 });
+
+it('will throw an exception if the sanitized file name is a php file name', function() {
+    $adder = app(FileAdder::class);
+
+    $adder->defaultSanitizer('filename.php‎');
+})->throws(FileNameNotAllowed::class);