From 3c9cc69364a45fd3f92d4bd606344b5dd1205d6a Mon Sep 17 00:00:00 2001
From: Fraenkiman
Date: Sat, 29 Jul 2023 13:12:30 +0200
Subject: [PATCH 1/2] Prevents upload of files with .xsig extension

Fixes Vulnerability Stored XSS #217

---
 admin/panels/uploader/admin.uploader.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/admin/panels/uploader/admin.uploader.php b/admin/panels/uploader/admin.uploader.php
index e307479..ca3e813 100755
--- a/admin/panels/uploader/admin.uploader.php
+++ b/admin/panels/uploader/admin.uploader.php
@@ -99,7 +99,8 @@ class admin_uploader_default extends AdminPanelAction {
 'svg',
 'xml',
 'md',
- 'pages'
+ 'pages',
+ 'xsig'
 );
 
 $imgs = array(

From 3343bcc673b3a6eaad43eeb3173b5743339e90b2 Mon Sep 17 00:00:00 2001
From: Arvid Zimmermann
Date: Sat, 2 Sep 2023 12:18:20 +0200
Subject: [PATCH 2/2] Update CHANGELOG.md

added #217

---
 CHANGELOG.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 42eb1a2..454cad8 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -60,7 +60,7 @@ ## Security
 - Possible XSS prevented: Session cookie missed the "secure" and "httponly" flags
-- Proper check of uploaded files ([#152](https://github.com/flatpressblog/flatpress/issues/152), [#170](https://github.com/flatpressblog/flatpress/issues/170))
+- Proper check of uploaded files ([#152](https://github.com/flatpressblog/flatpress/issues/152), [#170](https://github.com/flatpressblog/flatpress/issues/170), [#217](https://github.com/flatpressblog/flatpress/issues/217))
 - Possible XSS prevented: Admin Area URL ([#153](https://github.com/flatpressblog/flatpress/issues/153))
 - Possible XSS prevented: Upload of misc. XML file types ([#172](https://github.com/flatpressblog/flatpress/issues/172), [#178](https://github.com/flatpressblog/flatpress/issues/178), [#188](https://github.com/flatpressblog/flatpress/issues/188))
 - Directory browsing prevented ([#174](https://github.com/flatpressblog/flatpress/issues/174))
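Review bot: The new `'xsig'` entry is undocumented: nothing in the hunk says why this extension belongs next to `svg` and `xml` in what appears to be a deny-list of upload types, so an entry comment such as `'xsig', // XML signature file: a browser can render it as XML, same stored-XSS vector as svg/xml (#217)` would keep the list self-explanatory for the next maintainer. Blocking by extension only catches what has already been reported (the changelog hunk in the second patch shows this is at least the fourth XML-type entry after #172, #178 and #188), so the more durable defence is an allow-list of accepted extensions, plus a check of the upload's leading bytes for an XML prolog or markup, and serving the upload directory with `X-Content-Type-Options: nosniff` and `Content-Disposition: attachment` so that even a missed type is not rendered inline. Whether the comparison against this array lower-cases the uploaded filename is not visible here; if it does not, a `.XSIG` upload would bypass the entry. The array and the enclosing method both begin and end outside this hunk.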