From 23df5596e8ae109cec601b8641a33a1f0361db9e Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Wed, 17 Jun 2020 13:42:38 +0200
Subject: [PATCH] FIX vulenrability reported by wizlynx WLX-2020-012

---
 htdocs/core/lib/functions.lib.php | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php
index 37dbcbf5ded..f1ff8ee121b 100644
--- a/htdocs/core/lib/functions.lib.php
+++ b/htdocs/core/lib/functions.lib.php
@@ -8562,15 +8562,18 @@ function dolGetButtonTitle($label, $helpText = '', $iconClass = 'fa fa-file', $u
 /**
  * Return if a file can contains executable content
  *
- * @param string $filename File NamedRange
+ * @param string $filename File name to test
  * @return boolean True if yes, False if no
  */
 function isAFileWithExecutableContent($filename)
 {
-	if (preg_match('/\.(htm|html|js|php|php\d+|phtml|pl|py|cgi|ksh|sh|bash|bat|cmd|wpk|exe|dmg)$/i', $filename))
+	if (preg_match('/\.(htm|html|js|phar|php|php\d+|phtml|pht|pl|py|cgi|ksh|sh|shtml|bash|bat|cmd|wpk|exe|dmg)$/i', $filename))
 	{
 		return true;
 	}
+	if (preg_match('/^\./', $filename)) { // We consider file starting with a . as dangerous as executable files. For example .htaccess, .xxx
+		return true;
+	}
 	return false;
 }
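Review bot: The new dotfile guard `preg_match('/^\./', $filename)` is anchored at the start of the whole string, so if any caller passes a relative or absolute path rather than a bare file name, a dotfile sitting inside a subdirectory is not recognised; anchoring on the base name instead, `if (preg_match('/^\./', basename($filename))) {`, gives the same answer for both shapes. The extended extension check on the line above likewise inspects only the final extension, so a name that carries one of the listed extensions followed by a further suffix passes the check even though some web-server handler configurations still treat such files as executable; if this function is meant as a denylist for uploads, the conservative form is `preg_match('/\.(htm|html|js|phar|php|php\d+|phtml|pht|pl|py|cgi|ksh|sh|shtml|bash|bat|cmd|wpk|exe|dmg)(\.|$)/i', $filename)`. The updated docblock should also state whether `$filename` is expected to be a bare name or a path, since the two regexes behave differently for the two cases. The enclosing function lies entirely within the hunk.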