The ruleset allows to include/require `.php`, `.phtml` and `.inc` files, but PHP isn't allowed to rename uploaded files containing `.ph` or `.ht`. The absence of `.inc` in the `move_uploaded_file` deny-list is indeed an oversight, and a pull-request would indeed be welcome :)
Here `inc`, `php` and `phtml` are whitelisted: snuffleupagus/config/default.rules, lines 63 to 71 in 857fae6

However, only `\\.ph` and `\\.ht` are blacklisted in the `move_uploaded_file` rule: snuffleupagus/config/default.rules, lines 119 to 125 in 857fae6

Is this intentional? If not, would you like me to submit a pull request to update the upload-related rule?
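
The mismatch discussed in this thread can be checked mechanically. The following is an added example, not code from the Snuffleupagus project or from either poster: it compares the include allow-list with the upload deny-list quoted above and reports extensions that can be included but are not blocked as an upload destination. It assumes the doubled backslash in `\\.ph` is config-string escaping (effective regex `\.ph`) and that the deny patterns are unanchored; the function names are hypothetical.

```python
import re

# Values quoted in the issue. Assumption: "\\.ph" in the rules file is an
# escaped string whose effective regex is \.ph (likewise \.ht).
INCLUDE_ALLOWED_EXTS = ["inc", "php", "phtml"]
UPLOAD_DENY_PATTERNS = [r"\.ph", r"\.ht"]


def upload_blocked(dest, deny_patterns):
    """True if the upload destination name matches any deny pattern.

    Patterns are searched unanchored, mirroring "files containing .ph or .ht".
    """
    return any(re.search(p, dest) for p in deny_patterns)


def uncovered_extensions(include_exts, deny_patterns):
    """Extensions that may be included but are not denied on upload."""
    gaps = []
    for ext in include_exts:
        sample = f"upload.{ext}"  # constructed sample destination name
        if not upload_blocked(sample, deny_patterns):
            gaps.append(ext)
    return gaps


def proposed_deny_patterns(include_exts, deny_patterns):
    """Deny-list extended with one pattern per uncovered extension."""
    extra = [r"\." + re.escape(ext)
             for ext in uncovered_extensions(include_exts, deny_patterns)]
    return list(deny_patterns) + extra


if __name__ == "__main__":
    print("uncovered:", uncovered_extensions(INCLUDE_ALLOWED_EXTS,
                                             UPLOAD_DENY_PATTERNS))
    print("proposed :", proposed_deny_patterns(INCLUDE_ALLOWED_EXTS,
                                               UPLOAD_DENY_PATTERNS))
```

Running the same check in CI against the two lists keeps the allow-list and the deny-list from drifting apart again when either is edited.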