From c3c0d2abb34f5f5ff3bd0d689e0b6ff3cbf4f957 Mon Sep 17 00:00:00 2001
From: tianya
Date: Thu, 31 Aug 2023 08:14:36 +0800
Subject: [PATCH] Update api.php

---
src/admin/api.php | 10 ++++++++++
1 file changed, 10 insertions(+)

diff --git a/src/admin/api.php b/src/admin/api.php
index 98b53995..e12f54c9 100644
--- a/src/admin/api.php
+++ b/src/admin/api.php
@@ -393,6 +393,16 @@ if ($action === 'is_need_check_code') {
 $filename = $filename.'.'.$fs[count($fs) - 1];
 $filename_name = $filename_name.'.'.$fs[count($fs) - 1];
 $fullfilename = $cfg_basedir.$activepath."/".$filename;
+ if (preg_match('#\.(php|pl|cgi|asp|aspx|jsp|php5|php4|php3|shtm|shtml)$#i', trim($fullfilename))) {
+ echo json_encode(array(
+ "code" => -1,
+ "uploaded" => 0,
+ "error" => array(
+ "message" => "文件扩展名已被系统禁止",
+ ),
+ ));
+ exit;
+ }
 move_uploaded_file($_FILES["file"]["tmp_name"], $fullfilename) or die(json_encode(array(
 "code" => -1,
 "uploaded" => 0,
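Review bot: The deny-list regex on the new `if (preg_match(...))` line leaves several extensions that PHP-enabled servers commonly execute unblocked — `phtml`, `phar`, `pht`, `phps`, `php7`/`php8` — as well as server config files such as `.htaccess` and `.user.ini`, so an upload named `shell.phtml` still reaches `move_uploaded_file` on the next line. A deny-list is the weaker model for an upload endpoint; since the extension is already isolated as `$fs[count($fs) - 1]` in the context lines above, comparing it against an explicit allow-list of expected media types is the check I would want here, e.g. `$ext = strtolower($fs[count($fs) - 1]); if (!in_array($ext, array('jpg', 'jpeg', 'png', 'gif', 'pdf'), true)) { /* same error response */ }`, with the list itself coming from config rather than being hard-coded. If the deny-list must stay, at minimum widen it to `'#\.(php[3-8]?|phtml|phar|pht|phps|pl|cgi|asp|aspx|jsp|shtm|shtml|htaccess)$#i'` and add a comment stating it is a last line of defence, not the primary control. Whether `$activepath` and `$fs` are validated against path traversal is not visible in this hunk, and the enclosing `if ($action === 'is_need_check_code')` block starts and ends outside it.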