Fix the list of allowed file extensions when containing dots
authorAlexander Ebert <ebert@woltlab.com>
Wed, 7 Aug 2024 11:39:52 +0000 (13:39 +0200)
committerAlexander Ebert <ebert@woltlab.com>
Wed, 7 Aug 2024 11:39:52 +0000 (13:39 +0200)
wcfsetup/install/files/lib/system/file/processor/FileProcessor.class.php

index 1e45efebecd568735571da37ea8a7f6619afbec6..e09a201fb89865d5f48b6b0b2797d4650bcbeb29 100644 (file)
@@ -76,6 +76,16 @@ final class FileProcessor extends SingletonFactory
         if (\in_array('*', $allowedFileExtensions)) {
             $allowedFileExtensions = '';
         } else {
+            // The `accept` attribute of `input[type="file"]` is a bit weird and
+            // only validates against the string to the right of the last
+            // period. This means an extension `.tar.gz` can never match.
+            $allowedFileExtensions = \array_unique(
+                \array_map(
+                    static fn(string $fileExtension) => \preg_replace('~.*?([^.]+)$~', '\\1', $fileExtension),
+                    $allowedFileExtensions,
+                ),
+            );
+
             $allowedFileExtensions = \implode(
                 ',',
                 \array_map(