Fixed a phishing exploit. html and htm files are now renamed to have a .txt extension appended to them.
parent
36873f8479
commit
16e2ad99da
2 changed files with 2 additions and 1 deletions
|
|
@ -208,7 +208,7 @@ sub addFileFromFormPost {
|
|||
next if ($upload->size > 1024 * $self->session->setting->get("maxAttachmentSize"));
|
||||
if ($tempFilename =~ /([^\/\\]+)$/) { $tempFilename = $1; }
|
||||
my $type = $self->getFileExtension($tempFilename);
|
||||
if (isIn($type, qw(pl perl sh cgi php asp))) { # make us safe from malicious uploads
|
||||
if (isIn($type, qw(pl perl sh cgi php asp html htm))) { # make us safe from malicious uploads
|
||||
$tempFilename =~ s/\./\_/g;
|
||||
$tempFilename .= ".txt";
|
||||
}
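Review bot: The extension test in `addFileFromFormPost` is still a denylist, so adding `html htm` covers only those two names; other types a browser renders as active content (for example `shtml`, `xhtml` or `svg`) would still be stored under their original name. Whether `getFileExtension` lower-cases its result is not visible in this hunk; if it does not, an upper-case `.HTML` skips the rename, and `if (isIn(lc $type, qw(pl perl sh cgi php asp html htm))) {` would make the comparison explicit. A sturdier approach is to invert the check into an allowlist of extensions that may keep their name and rename everything else, or to serve uploads with `Content-Disposition: attachment` so they are never rendered in the site's origin. The comment `# make us safe from malicious uploads` could also say what is being prevented, e.g. `# neutralise server-executable and browser-rendered uploads by renaming them to .txt`. The function's body starts and ends outside this hunk.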
|
||||
|
|
|
|||