From e663609647536ec799f3f5477cd232d83f1685fa Mon Sep 17 00:00:00 2001
From: Freek Van der Herten <freek@spatie.be>
Date: Mon, 15 Jul 2024 10:59:19 +0200
Subject: [PATCH] do not allow php files

---
 .../Exceptions/FileNameNotAllowed.php           | 13 +++++++++++++
 src/MediaCollections/FileAdder.php              | 17 +++++++++++++++--
 tests/MediaCollections/FileAdderTest.php        |  7 +++++++
 3 files changed, 35 insertions(+), 2 deletions(-)
 create mode 100644 src/MediaCollections/Exceptions/FileNameNotAllowed.php

diff --git a/src/MediaCollections/Exceptions/FileNameNotAllowed.php b/src/MediaCollections/Exceptions/FileNameNotAllowed.php
new file mode 100644
index 000000000..b770af5c7
--- /dev/null
+++ b/src/MediaCollections/Exceptions/FileNameNotAllowed.php
@@ -0,0 +1,13 @@
+<?php
+
+namespace Spatie\MediaLibrary\MediaCollections\Exceptions;
+
+use Spatie\MediaLibrary\Support\File;
+
+class FileNameNotAllowed extends FileCannotBeAdded
+{
+    public static function create(string $orignalName, string $sanitizedName): self
+    {
+        return new static("The file name `{$orignalName}` was sanitized to `{$sanitizedName}`. This sanitized file name is not allowed because it is a PHP file.");
+    }
+}
diff --git a/src/MediaCollections/FileAdder.php b/src/MediaCollections/FileAdder.php
index a0e01e6ef..73a5d1463 100644
--- a/src/MediaCollections/FileAdder.php
+++ b/src/MediaCollections/FileAdder.php
@@ -5,13 +5,16 @@
 use Closure;
 use Illuminate\Database\Eloquent\Model;
 use Illuminate\Support\Facades\Storage;
+use Illuminate\Support\Str;
 use Illuminate\Support\Traits\Macroable;
+use Rector\PhpParser\Node\CustomNode\FileWithoutNamespace;
 use Spatie\MediaLibrary\Conversions\ImageGenerators\Image as ImageGenerator;
 use Spatie\MediaLibrary\HasMedia;
 use Spatie\MediaLibrary\MediaCollections\Exceptions\DiskCannotBeAccessed;
 use Spatie\MediaLibrary\MediaCollections\Exceptions\DiskDoesNotExist;
 use Spatie\MediaLibrary\MediaCollections\Exceptions\FileDoesNotExist;
 use Spatie\MediaLibrary\MediaCollections\Exceptions\FileIsTooBig;
+use Spatie\MediaLibrary\MediaCollections\Exceptions\FileNameNotAllowed;
 use Spatie\MediaLibrary\MediaCollections\Exceptions\FileUnacceptableForCollection;
 use Spatie\MediaLibrary\MediaCollections\Exceptions\UnknownType;
 use Spatie\MediaLibrary\MediaCollections\File as PendingFile;
@@ -389,9 +392,19 @@ protected function ensureDiskExists(string $diskName): void
 
     public function defaultSanitizer(string $fileName): string
     {
-        $fileName = preg_replace('#\p{C}+#u', '', $fileName);
+        $sanitizedFileName = preg_replace('#\p{C}+#u', '', $fileName);
 
-        return str_replace(['#', '/', '\\', ' '], '-', $fileName);
+        $sanitizedFileName =  str_replace(['#', '/', '\\', ' '], '-', $sanitizedFileName);
+
+        $phpExtensions = [
+            'php', 'php3', 'php4', 'php5', 'php7', 'php8', 'phtml', 'phar',
+        ];
+
+        if (Str::endsWith(strtolower($sanitizedFileName), $phpExtensions)) {
+            throw FileNameNotAllowed::create($fileName, $sanitizedFileName);
+        }
+
+        return $sanitizedFileName;
     }
 
     public function sanitizingFileName(callable $fileNameSanitizer): self
diff --git a/tests/MediaCollections/FileAdderTest.php b/tests/MediaCollections/FileAdderTest.php
index 08ee8053b..df07273f4 100644
--- a/tests/MediaCollections/FileAdderTest.php
+++ b/tests/MediaCollections/FileAdderTest.php
@@ -2,6 +2,7 @@
 
 namespace Spatie\MediaLibrary\Tests\MediaCollections;
 
+use Spatie\MediaLibrary\MediaCollections\Exceptions\FileNameNotAllowed;
 use Spatie\MediaLibrary\MediaCollections\FileAdder;
 
 it('sanitizes filenames correctly', function () {
@@ -23,3 +24,9 @@
     expect($adder->defaultSanitizer('Scan-‎9‎.‎14‎.‎2022-‎7‎.‎23‎.‎28.pdf'))
         ->toEqual('Scan-9.14.2022-7.23.28.pdf');
 });
+
+it('will throw an exception if the sanitized file name is a php file name', function() {
+    $adder = app(FileAdder::class);
+
+    $adder->defaultSanitizer('filename.php‎');
+})->throws(FileNameNotAllowed::class);