
#6 Malicious uploads

Status: open
Owner: nobody
Labels: None
Priority: 5
Updated: 2010-03-16
Created: 2010-03-16
Creator: Anonymous
Private: No

If we set our root path:

PGRFileManagerConfig::$rootPath = '/images';

then the files will be stored under http://www.mysite.com/images, a directory that has execute rights. So if someone uploads a JPEG file that contains a PHP script inside and then renames it using the file manager, he/she can execute this file. So while renaming the file we should check something like:

//check rename to be image extension again
if (!(preg_match('/^.*\.(jpg|gif|jpeg|png|bmp)$/', strtolower($newFilename)) > 0)) die();

or, alternatively, prevent direct access to the upload folder using a .htaccess file.
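The two mitigations above combined, as an added example that is not PGRFileManager's own code: a stricter rename check in the same PHP style as the ticket's snippet, plus a generated .htaccess that stops the upload directory from handing files to the script engine. The function names, the Apache 2.4 syntax and the assumption that AllowOverride permits FileInfo and Limit directives are mine.

```php
<?php
// Added example, not PGRFileManager's own code. isSafeImageFilename and
// writeUploadHtaccess are hypothetical names; the extension list is the ticket's.

// Accept a rename target only if it is a bare file name with exactly one
// extension from the image allowlist, so "shell.php", "pic.php.jpg" and names
// carrying path separators, NUL bytes or a trailing newline are all rejected.
function isSafeImageFilename(string $newFilename): bool
{
    if ($newFilename === '' || strlen($newFilename) > 255) {
        return false;
    }
    // No directory traversal and no control characters (covers "\0" and "\n").
    if (preg_match('~[/\\\\\x00-\x1f]~', $newFilename)) {
        return false;
    }
    // One base name, one dot, one allowed extension. The D modifier makes "$"
    // anchor at the very end of the string, so "pic.jpg\n" does not slip through.
    return preg_match('/^[A-Za-z0-9_-]+\.(jpe?g|gif|png|bmp)$/iD', $newFilename) === 1;
}

// Defence in depth: a correctly named file can still contain PHP, so the
// upload directory itself must never be served through the script handler.
// Assumes Apache 2.4 and AllowOverride FileInfo,Limit for this directory.
function writeUploadHtaccess(string $uploadDir): bool
{
    $rules = implode("\n", [
        '# Generated: serve uploads as static files only',
        'RemoveHandler .php .phtml .phar',
        'RemoveType .php .phtml .phar',
        '<FilesMatch "\.(?i:ph(p|tml|ar)\d*)$">',
        '    Require all denied',
        '</FilesMatch>',
        '',
    ]);
    $path = rtrim($uploadDir, '/') . '/.htaccess';
    return file_put_contents($path, $rules) !== false;
}

// Usage in the rename handler (variable names as in the ticket):
// if (!isSafeImageFilename($newFilename)) { die('invalid file name'); }
// writeUploadHtaccess($_SERVER['DOCUMENT_ROOT'] . PGRFileManagerConfig::$rootPath);
```

The .htaccess rules only take effect where Apache's AllowOverride permits them; on a php-fpm setup configured with SetHandler in the main config, the FilesMatch deny is the line that actually blocks execution.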
