From 61e194bb6dffd73182f79b845a228d24aac44d89 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Thu, 6 Aug 2020 17:37:00 +0200
Subject: [PATCH] Add protection to allow only jpg and png as image file
---
 htdocs/admin/company.php | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/htdocs/admin/company.php b/htdocs/admin/company.php
index 6268148fdb5..6330909f2c0 100644
--- a/htdocs/admin/company.php
+++ b/htdocs/admin/company.php
@@ -111,6 +111,12 @@ if (($action == 'update' && !GETPOST("cancel", 'alpha'))
 foreach ($arrayofimages as $varforimage) {
+ if (! preg_match('/(\.jpeg|\.jpg|\.png)$/i', $_FILES[$varforimage]["tmp_name"])) { // Logo can be used on a lot of different places. Only jpg and png can be supported.
+ $langs->load("errors");
+ setEventMessages($langs->trans("ErrorBadImageFormat"), null, 'errors');
+ break;
+ }
+
 if ($_FILES[$varforimage]["tmp_name"]) { $reg = array();
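Review bot: The added guard at the top of the `foreach` matches the extension pattern against `$_FILES[$varforimage]["tmp_name"]`, which is PHP's server-side temporary path and normally carries no image extension, so it appears to reject every upload and to raise the error even when no file was sent for that field (empty `tmp_name`). Testing the client filename only when a file is present would address both: `if ($_FILES[$varforimage]["name"] && !preg_match('/(\.jpeg|\.jpg|\.png)$/i', $_FILES[$varforimage]["name"])) {`. The filename extension is client-supplied, so on its own it is a weak control; checking the temporary file's actual content (for example with `getimagesize()`) before it is moved would make the jpg/png restriction meaningful. The `break` also abandons the remaining entries of `$arrayofimages`, where `continue` may be what is intended; the loop body continues outside the hunk, so this should be confirmed against the rest of the block.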