- security: A problem was discovered and fixed in which users could email executable attachments to a collaboration system and then when viewed online, could execute them.

docs/changelog/7.x.x.txt

@@ -1,4 +1,5 @@
 7.6.5
+ - security: A problem was discovered and fixed in which users could email executable attachments to a collaboration system and then when viewed online, could execute them. 
  - fixed #8800: Errors in POD of Asset-related mix-in modules (Bernd Kalbfuß-Zimmermann)
  - fixed: Products imported into the Shelf have bad URLs
  - Deprecated WebGUI::Storage::Image. WebGUI::Storage can now do everything WebGUI::Storage::Image can do.

lib/WebGUI/Storage.pm

@@ -365,9 +365,12 @@ The content to write to the file.
 =cut
 
 sub addFileFromScalar {
-	my $self = shift;
-	my $filename = $self->session->url->makeCompliant(shift);
-	my $content = shift;
+	my ($self, $filename, $content) = @_;
+    if (isIn($self->getFileExtension($filename), qw(pl perl sh cgi php asp html htm))) { # make us safe from malicious uploads
+        $filename =~ s/\./\_/g;
+        $filename .= ".txt";
+    }
+    $filename = $self->session->url->makeCompliant($filename);
 	if (open(my $FILE, ">", $self->getPath($filename))) {
 		print $FILE $content;
 		close($FILE);