From da28afde818d605179fbb63b96eabafabad876b6 Mon Sep 17 00:00:00 2001
From: Jason Varga
Date: Tue, 14 Nov 2023 14:32:25 -0500
Subject: [PATCH] [3.4] More php file validation (#8992)
---
 src/Http/Controllers/CP/Assets/AssetsController.php | 2 +-
 src/Http/Controllers/CP/Fieldtypes/FilesFieldtypeController.php | 2 +-
 src/Http/Controllers/FormController.php | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/Http/Controllers/CP/Assets/AssetsController.php b/src/Http/Controllers/CP/Assets/AssetsController.php
index 2a1d5f7854..14b51f62c6 100644
--- a/src/Http/Controllers/CP/Assets/AssetsController.php
+++ b/src/Http/Controllers/CP/Assets/AssetsController.php
@@ -69,7 +69,7 @@ public function store(Request $request)
 'container' => 'required',
 'folder' => 'required',
 'file' => ['file', function ($attribute, $value, $fail) {
- if (in_array(trim(strtolower($value->getClientOriginalExtension())), ['php', 'php3', 'php4', 'php5', 'phtml'])) {
+ if (in_array(trim(strtolower($value->getClientOriginalExtension())), ['php', 'php3', 'php4', 'php5', 'php7', 'php8', 'phtml', 'phar'])) {
 $fail(__('validation.uploaded'));
 }
 }],
diff --git a/src/Http/Controllers/CP/Fieldtypes/FilesFieldtypeController.php b/src/Http/Controllers/CP/Fieldtypes/FilesFieldtypeController.php
index 44fec25302..4709f602da 100644
--- a/src/Http/Controllers/CP/Fieldtypes/FilesFieldtypeController.php
+++ b/src/Http/Controllers/CP/Fieldtypes/FilesFieldtypeController.php
@@ -12,7 +12,7 @@ public function upload(Request $request)
 {
 $request->validate([
 'file' => ['file', function ($attribute, $value, $fail) {
- if (in_array(trim(strtolower($value->getClientOriginalExtension())), ['php', 'php3', 'php4', 'php5', 'phtml'])) {
+ if (in_array(trim(strtolower($value->getClientOriginalExtension())), ['php', 'php3', 'php4', 'php5', 'php7', 'php8', 'phtml', 'phar'])) {
 $fail(__('validation.uploaded'));
 }
 }],
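Review bot: The closure on the `'file'` rule is still a denylist matched against `getClientOriginalExtension()`, that is, against the final suffix of a filename the client supplies, so the eight entries are only as complete as what the list's authors know about each deployment. Which suffixes a web server hands to the PHP handler is server configuration that a fixed list cannot enumerate, so the check should be documented as a backstop with a comment above the `if`: `// Denylist is a backstop only; upload storage must never be served as executable script.` Where the target container's allowed extensions are available, validating against that allowlist is the stronger gate, and `in_array` should take `true` as its third argument. The same applies to the identical closures in FilesFieldtypeController::upload and FormController::extraRules; store() itself begins before and ends after this hunk.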
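Review bot: This is the second of three byte-identical copies of the extension closure (the others are in AssetsController::store and FormController::extraRules), and the commit has to make the same one-line edit in all three. Copies like this drift: a later addition that misses one controller leaves that upload path with the older, shorter list and nothing flags the difference. Hoist the list into one shared constant or one reusable rule and reference it from the three validators, so the condition reads `if (in_array($extension, UploadRules::BLOCKED_EXTENSIONS, true)) {` (class and constant names are placeholders), with a single test that iterates the list. upload() continues past the end of this hunk.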
diff --git a/src/Http/Controllers/FormController.php b/src/Http/Controllers/FormController.php
index 4db35e204c..8abb61c781 100644
--- a/src/Http/Controllers/FormController.php
+++ b/src/Http/Controllers/FormController.php
@@ -165,7 +165,7 @@ protected function extraRules($fields)
 })
 ->mapWithKeys(function ($field) {
 return [$field->handle().'.*' => ['file', function ($attribute, $value, $fail) {
- if (in_array(trim(strtolower($value->getClientOriginalExtension())), ['php', 'php3', 'php4', 'php5', 'phtml'])) {
+ if (in_array(trim(strtolower($value->getClientOriginalExtension())), ['php', 'php3', 'php4', 'php5', 'php7', 'php8', 'phtml', 'phar'])) {
 $fail(__('validation.uploaded'));
 }
 }]];
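Review bot: The rule is registered under `$field->handle().'.*'`, so the closure runs only for elements of an array value, and nothing in this hunk shows that a file submitted under the bare handle is wrapped into an array before validation. If that normalisation happens elsewhere, record it in a comment on the `return [` line, e.g. `// Values are wrapped to arrays before validation, so '.*' sees every uploaded file.`, and add a test that submits one non-array file with a listed extension and expects `validation.uploaded`. If it does not happen, the same rule needs registering on the bare handle as well. extraRules() starts before and ends after this hunk, so the surrounding filter chain is not visible here.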