diff --git a/system/config/security.yaml b/system/config/security.yaml
index 54c7fc522..43d313236 100644
--- a/system/config/security.yaml
+++ b/system/config/security.yaml
@@ -32,9 +32,16 @@ xss_dangerous_tags:
 - base
 uploads_dangerous_extensions:
 - php
+ - php2
+ - php3
+ - php4
+ - php5
 - phar
+ - phtml
 - html
 - htm
+ - shtml
+ - shtm
 - js
 - exe
 sanitize_svg: true
diff --git a/system/src/Grav/Common/Utils.php b/system/src/Grav/Common/Utils.php
index 378bffaff..01623b793 100644
--- a/system/src/Grav/Common/Utils.php
+++ b/system/src/Grav/Common/Utils.php
@@ -977,10 +977,10 @@ abstract class Utils
 * @param string $filename
 * @return bool
 */
- public static function checkFilename($filename)
+ public static function checkFilename($filename): bool
 {
 $dangerous_extensions = Grav::instance()['config']->get('security.uploads_dangerous_extensions', []);
- $extension = static::pathinfo($filename, PATHINFO_EXTENSION);
+ $extension = strtolower(static::pathinfo($filename, PATHINFO_EXTENSION));
 return !(
 // Empty filenames are not allowed.
diff --git a/tests/unit/Grav/Common/UtilsTest.php b/tests/unit/Grav/Common/UtilsTest.php
index 6917b34c5..0e530497c 100644
--- a/tests/unit/Grav/Common/UtilsTest.php
+++ b/tests/unit/Grav/Common/UtilsTest.php
@@ -561,6 +561,7 @@ class UtilsTest extends \Codeception\TestCase\Test
 $config->set('security.uploads_dangerous_extensions', ['php', 'html', 'htm', 'exe', 'js']);
 self::assertFalse(Utils::checkFilename('foo.php'));
+ self::assertFalse(Utils::checkFilename('foo.PHP'));
 self::assertFalse(Utils::checkFilename('bar.js'));
 self::assertTrue(Utils::checkFilename('foo.json'));
diff --git a/webserver-configs/Caddyfile b/webserver-configs/Caddyfile
index 3464b5b57..cfceced3c 100644
--- a/webserver-configs/Caddyfile
+++ b/webserver-configs/Caddyfile
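Review bot: The extended `uploads_dangerous_extensions` list still omits extensions that common PHP handler mappings treat as executable — `phps`, `pht`, `phtm`, `php7`, `php8` and `inc` appear in most deny-lists of this kind — so an upload named `shell.php7` or `shell.phtm` passes `checkFilename` under these defaults. Which of them actually execute depends on the host's handler configuration, which is not visible here, but the cost of listing them is nil; add at least `  - php7`, `  - php8`, `  - phps` next to the new `php5` entry. A short comment above `uploads_dangerous_extensions:` would also help, e.g. `# compared case-insensitively against the last extension only; keep in sync with webserver-configs/*`. `svg` is absent too, presumably because `sanitize_svg: true` on the last context line covers it rather than this list.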
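Review bot: Lower-casing fixes `foo.PHP`, but `static::pathinfo($filename, PATHINFO_EXTENSION)` on the new line still yields only the final segment, so `shell.php.jpg` is accepted while an Apache `AddHandler application/x-httpd-php .php` mapping would execute it on any dotted segment; the comparison is also lower-cased on one side only, so an upper-case entry in the configured list never matches. Consider checking every segment against a normalised list: `$segments = array_slice(explode('.', strtolower(basename($filename))), 1);` and `$dangerous = array_map('strtolower', $dangerous_extensions);` then treat a non-empty `array_intersect($segments, $dangerous)` as dangerous. Whether the double-extension case is exploitable depends on the deployment's handler mapping, so this is a hardening suggestion rather than a confirmed bypass. The `return !(` expression that consumes `$extension` continues outside the hunk, so the later comparisons may need the same treatment.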
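Review bot: The new assertion runs against the hand-set list on the context line above it (`['php', 'html', 'htm', 'exe', 'js']`), so none of the entries this commit adds to `security.yaml` (`php5`, `phtml`, `shtml`, …) is exercised and a typo in the YAML would go unnoticed. Add a case that uses the shipped defaults, e.g. `self::assertFalse(Utils::checkFilename('foo.phtml'));` and `self::assertFalse(Utils::checkFilename('foo.php5'));`, plus a mixed-case one such as `self::assertFalse(Utils::checkFilename('foo.Php'));`. The enclosing test method starts and ends outside the hunk.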
@@ -16,10 +16,10 @@ php_fastcgi 127.0.0.1:9000
 rewrite /(\.git|cache|bin|logs|backups|tests)/.* /403
 # deny running scripts inside core system folders
-rewrite /(system|vendor)/.*\.(txt|xml|md|html|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ /403
+rewrite /(system|vendor)/.*\.(txt|xml|md|html|htm|shtml|shtm|yaml|yml|php|php2|php3|php4|php5|phar|phtml|pl|py|cgi|twig|sh|bat)$ /403
 # deny running scripts inside user folder
-rewrite /user/.*\.(txt|md|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ /403
+rewrite /user/.*\.(txt|md|yaml|yml|php|php2|php3|php4|php5|phar|phtml|pl|py|cgi|twig|sh|bat)$ /403
 # deny access to specific files in the root folder
 rewrite /(LICENSE\.txt|composer\.lock|composer\.json|nginx\.conf|web\.config|htaccess\.txt|\.htaccess) /403
diff --git a/webserver-configs/Caddyfile-0.8.x b/webserver-configs/Caddyfile-0.8.x
index aaf92ceda..9e977a98d 100644
--- a/webserver-configs/Caddyfile-0.8.x
+++ b/webserver-configs/Caddyfile-0.8.x
@@ -12,12 +12,12 @@ rewrite {
 }
 # deny running scripts inside core system folders
 rewrite {
- r /(system|vendor)/.*\.(txt|xml|md|html|yaml|yml|php|pl|py|cgi|twig|sh|bat)$
+ r /(system|vendor)/.*\.(txt|xml|md|html|htm|shtml|shtm|yaml|yml|php|php2|php3|php4|php5|phar|phtml|pl|py|cgi|twig|sh|bat)$
 status 403
 }
 # deny running scripts inside user folder
 rewrite {
- r /user/.*\.(txt|md|yaml|yml|php|pl|py|cgi|twig|sh|bat)$
+ r /user/.*\.(txt|md|yaml|yml|php|php2|php3|php4|php5|phar|phtml|pl|py|cgi|twig|sh|bat)$
 status 403
 }
 # deny access to specific files in the root folder
diff --git a/webserver-configs/htaccess.txt b/webserver-configs/htaccess.txt
index 098c58244..15436a7f5 100644
--- a/webserver-configs/htaccess.txt
+++ b/webserver-configs/htaccess.txt
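Review bot: In a Caddy v2 file (the `php_fastcgi` on the hunk header is v2-only) a bare `/…` argument to `rewrite` is a `path` matcher, which compares literally with `*` wildcards rather than as a regular expression, so the extended `(system|vendor)/.*\.(txt|…)$` patterns on both `+` lines would never match and the 403 rewrite would not fire; the removed lines had the same shape, but the commit grows them as if they were regexes. If that reading is right, express them as named `path_regexp` matchers, e.g. `@deny_system path_regexp (?i)^/(system|vendor)/.*\.(txt|xml|md|html|htm|shtml|shtm|yaml|yml|php|php2|php3|php4|php5|phar|phtml|pl|py|cgi|twig|sh|bat)$` followed by `rewrite @deny_system /403`, with `(?i)` because Go regexps are case-sensitive while `checkFilename` now lower-cases. The rest of the file is not visible here, so confirm which Caddy version it targets before changing the syntax.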
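Review bot: The `r` patterns on both `+` lines are case-sensitive Go regexps, so `/user/pages/shell.PHP` is not denied even though `Utils::checkFilename` in this same commit now rejects that name case-insensitively; whether Caddy 0.8's fastcgi preset would execute it depends on its own suffix matching, which is outside this hunk. Prefix each pattern with `(?i)`, e.g. `r (?i)/user/.*\.(txt|md|yaml|yml|php|php2|php3|php4|php5|phar|phtml|pl|py|cgi|twig|sh|bat)$`. A comment above the block, `# case-insensitive to match Utils::checkFilename`, would keep the two in step.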
@@ -59,9 +59,9 @@ RewriteRule .* index.php [L]
 # Block all direct access for these folders
 RewriteRule ^(\.git|cache|bin|logs|backup|webserver-configs|tests)/(.*) error [F]
 # Block access to specific file types for these system folders
-RewriteRule ^(system|vendor)/(.*)\.(txt|xml|md|html|json|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ error [F]
+RewriteRule ^(system|vendor)/(.*)\.(txt|xml|md|html|htm|shtml|shtm|json|yaml|yml|php|php2|php3|php4|php5|phar|phtml|pl|py|cgi|twig|sh|bat)$ error [F]
 # Block access to specific file types for these user folders
-RewriteRule ^(user)/(.*)\.(txt|md|json|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ error [F]
+RewriteRule ^(user)/(.*)\.(txt|md|json|yaml|yml|php|php2|php3|php4|php5|phar|phtml|pl|py|cgi|twig|sh|bat)$ error [F]
 # Block all direct access to .md files:
 RewriteRule \.md$ error [F]
 # Block all direct access to files and folders beginning with a dot
diff --git a/webserver-configs/lighttpd.conf b/webserver-configs/lighttpd.conf
index f14c5a8b9..362637dca 100644
--- a/webserver-configs/lighttpd.conf
+++ b/webserver-configs/lighttpd.conf
@@ -33,7 +33,7 @@ $HTTP["url"] =~ "^/grav_path/(LICENSE\.txt|composer\.json|composer\.lock|nginx\.
 $HTTP["url"] =~ "^/grav_path/(\.git|cache|bin|logs|backup|tests)/(.*)" {
 url.access-deny = ("")
 }
-$HTTP["url"] =~ "^/grav_path/(system|user|vendor)/(.*)\.(txt|md|html|json|yaml|yml|php|twig|sh|bat)$" {
+$HTTP["url"] =~ "^/grav_path/(system|user|vendor)/(.*)\.(txt|md|html|htm|shtml|shtm|json|yaml|yml|php|php2|php3|php4|php5|phar|phtml|twig|sh|bat)$" {
 url.access-deny = ("")
 }
 $HTTP["url"] =~ "^/grav_path/(\.(.*))" {
diff --git a/webserver-configs/nginx.conf b/webserver-configs/nginx.conf
index ed109b199..42df5e926 100644
--- a/webserver-configs/nginx.conf
+++ b/webserver-configs/nginx.conf
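Review bot: Both `+RewriteRule` lines match case-sensitively because neither carries the `NC` flag, while mod_mime's `AddHandler`/`AddType` extension lookup is case-insensitive, so a file named `shell.PHP` or `shell.PhTmL` under `user/` is handed to the PHP handler but never hits the 403 rule — the very case `checkFilename` in this commit was changed to close. Change the flags on both new rules to `[F,NC]`. The `RewriteRule \.md$ error [F]` context line below has the same gap and could take `[F,NC]` in the same pass.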
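Review bot: `$HTTP["url"] =~` is a case-sensitive PCRE match, so the extended pattern on the `+` line does not deny `/grav_path/user/…/shell.PHP` even though `checkFilename` now treats that name as dangerous; lighttpd's `fastcgi.server` suffix mapping is outside this hunk, so whether such a file would actually be executed cannot be confirmed here. Put `(?i)` at the front of the pattern, i.e. `$HTTP["url"] =~ "(?i)^/grav_path/(system|user|vendor)/(.*)\.(txt|md|html|htm|shtml|shtm|json|yaml|yml|php|php2|php3|php4|php5|phar|phtml|twig|sh|bat)$" {`. This list also still lacks the `pl|py|cgi` entries (and `xml` for system/vendor) that the nginx and Apache rules in the same commit carry, so the three configs keep drifting apart.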
@@ -20,9 +20,9 @@ server {
 # deny all direct access for these folders
 location ~* /(\.git|cache|bin|logs|backup|tests)/.*$ { return 403; }
 # deny running scripts inside core system folders
-location ~* /(system|vendor)/.*\.(txt|xml|md|html|json|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ { return 403; }
+location ~* /(system|vendor)/.*\.(txt|xml|md|html|htm|shtml|shtm|json|yaml|yml|php|php2|php3|php4|php5|phar|phtml|pl|py|cgi|twig|sh|bat)$ { return 403; }
 # deny running scripts inside user folder
-location ~* /user/.*\.(txt|md|json|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ { return 403; }
+location ~* /user/.*\.(txt|md|json|yaml|yml|php|php2|php3|php4|php5|phar|phtml|pl|py|cgi|twig|sh|bat)$ { return 403; }
 # deny access to specific files in the root folder
 location ~ /(LICENSE\.txt|composer\.lock|composer\.json|nginx\.conf|web\.config|htaccess\.txt|\.htaccess) { return 403; }
 ## End - Security
diff --git a/webserver-configs/web.config b/webserver-configs/web.config
index 1c351a3b3..212783333 100644
--- a/webserver-configs/web.config
+++ b/webserver-configs/web.config
@@ -18,7 +18,7 @@ - +
@@ -26,11 +26,11 @@ - + - +
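Review bot: The two `location ~*` deny rules on the `+` lines only protect anything if they are evaluated before the `\.php$` fastcgi location, because nginx takes the first matching regex location in file order, and that location is outside this hunk; if it precedes them, `user/…/shell.php5` is still passed to PHP-FPM wherever a `php5` handler is mapped. Confirm the ordering and pin it with a comment above the first rule, e.g. `# keep above the \.php$ fastcgi location: first matching regex location wins`. The `~*` flag already makes these rules case-insensitive, matching the lower-casing added to `checkFilename` in this commit.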