Why is the PHP file extension checked twice in FileRules.php?


Why is the PHP file extension checked twice in the FileRules.php file? I refer to these two spots:

  1. case: https://github.com/getkirby/kirby/blob/80b69380e672565a849037232c9951d1e32774c8/src/Cms/FileRules.php#L121
  2. case: https://github.com/getkirby/kirby/blob/80b69380e672565a849037232c9951d1e32774c8/src/Cms/FileRules.php#L128

Best Regards,

Just a stab in the dark, but I think line 28 is for preventing PHP file uploads in the panel, and the other is for other cases where that extension is not allowed… something like that.

Obviously PHP and EXE files can be made to be malicious, and some servers will display an index.html file before trying for an index.php file, which will obviously upset the website in the browser.

I’m not sure about your theory because according to my understanding they will both trigger for the same cases of php files. So if any of them trigger, the first one is enough. You might be right; I’m not too experienced with PHP or Kirby 3’s built-in functions. I’m curious for more replies 🙂. Thank you!

The first rule kicks in if the filename is, for example, index.php. The second one kicks in if the file is renamed to index.php.json or something like that.

Hm, but why does it then check $extension and not $file? When is the second case (index.php.json) a problem?

Consider the case when a filename starts with a dot, for example: pathinfo() returns the filename as the extension.
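
The pathinfo() behaviour discussed in this thread, as an added example that is not part of any post and is not Kirby's own code: it runs an exact-match check and a substring check over the extension pathinfo() reports for a few constructed filenames. The function names, the blocklist contents and the sample filenames are assumptions made for illustration.

```php
<?php
// Added illustration, not Kirby's FileRules.php.
// Blocklist contents are an assumption based on the file types named in the thread.
const BLOCKED_EXTENSIONS = ['php', 'html', 'htm', 'exe'];

// Hypothetical first check: the extension is exactly one of the blocked values.
function exactMatchBlocked(string $extension): bool
{
    return in_array(strtolower($extension), BLOCKED_EXTENSIONS, true);
}

// Hypothetical second check: the extension merely contains "php".
function substringBlocked(string $extension): bool
{
    return strpos(strtolower($extension), 'php') !== false;
}

// Constructed sample filenames.
$samples = [
    'index.php',       // plain PHP file
    'page.php7',       // versioned PHP extension
    '.php5',           // dotfile: everything after the dot is reported as the extension
    '.htaccess',       // dotfile that is not PHP
    'index.php.json',  // only the part after the last dot is the extension
    'photo.jpg',       // ordinary upload
];

foreach ($samples as $name) {
    // pathinfo() takes the text after the LAST dot; a leading dot counts as that dot.
    $extension = pathinfo($name, PATHINFO_EXTENSION);

    printf(
        "%-15s extension=%-9s exact=%-3s substring=%s\n",
        $name,
        var_export($extension, true),
        exactMatchBlocked($extension) ? 'yes' : 'no',
        substringBlocked($extension) ? 'yes' : 'no'
    );
}
```

Both checks only ever see the string pathinfo() returns, so comparing the two columns shows which filenames the substring check catches that the exact-match list does not.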