Headline
CVE-2021-43617: debian/php-cgi.conf · dc253886b5b2e9bc8d9e36db787abb083a667fd8 · Debian PHP Team / php
Laravel Framework through 8.70.2 does not sufficiently block the upload of executable PHP content because Illuminate/Validation/Concerns/ValidatesAttributes.php lacks a check for .phar files, which are handled as application/x-httpd-php on systems based on Debian. In some use cases, this may be related to file-type validation for image upload (e.g., differences between getClientOriginalExtension and other approaches).
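The gap described above, shown as an added example that is not Laravel's code or any code from the original page: an upload check that compares the client-supplied extension with the server-detected content type and refuses names the web server would route to PHP. The function name `checkImageUpload`, the extension list and the allowed-image map are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Assumption: extensions a web server may route to the PHP handler. "phar" is
// the one the advisory says was missing; the rest are common legacy mappings.
const PHP_HANDLED_EXTENSIONS = ['php', 'php3', 'php4', 'php5', 'phtml', 'phar'];

// Assumption: this application accepts only these image types.
const ALLOWED_IMAGES = [
    'image/png'  => ['png'],
    'image/jpeg' => ['jpg', 'jpeg'],
    'image/gif'  => ['gif'],
];

/**
 * Decide whether an upload may be stored under its client-supplied name.
 * $clientName is untrusted; $detectedMime is what the server sniffed from content.
 * Returns [bool accepted, string reason].
 */
function checkImageUpload(string $clientName, string $detectedMime): array
{
    // Normalise: drop any path, trailing dots/spaces, and case differences.
    $name = strtolower(rtrim(basename(str_replace('\\', '/', $clientName)), ". \t"));
    $ext  = pathinfo($name, PATHINFO_EXTENSION);

    if (in_array($ext, PHP_HANDLED_EXTENSIONS, true)) {
        return [false, "extension .$ext is handled as PHP"];
    }
    if (!array_key_exists($detectedMime, ALLOWED_IMAGES)) {
        return [false, "content type $detectedMime is not an allowed image"];
    }
    if (!in_array($ext, ALLOWED_IMAGES[$detectedMime], true)) {
        return [false, "extension .$ext does not match $detectedMime"];
    }
    return [true, 'ok'];
}

// Constructed sample inputs: [client filename, server-detected MIME type].
$samples = [
    ['avatar.png',  'image/png'],
    ['avatar.phar', 'image/png'],   // content type passes, the name must not
    ['AVATAR.PHAR', 'image/gif'],   // case must not bypass the check
    ['photo.jpg',   'image/png'],   // extension and content disagree
    ['notes.txt',   'text/plain'],
];

foreach ($samples as [$name, $mime]) {
    [$ok, $why] = checkImageUpload($name, $mime);
    printf("%-12s %-11s %s (%s)\n", $name, $mime, $ok ? 'ACCEPT' : 'REJECT', $why);
}
```

A check that trusts only the detected content type would accept the second and third samples, which is the mismatch between the original extension and other validation approaches that the description refers to.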
Ondrej Sury authored May 04, 2017
The default file extension configuration has been changed to add .phar and remove (some) obsolete extensions