Merge commit from fork

michalsn · web-flow · commit 29299349e7d2 · 2026-05-21T01:18:46.000+08:00
* fix: validate client extension in ext_in upload rule

* add changelog and upgrade notes
diff --git a/system/Validation/StrictRules/FileRules.php b/system/Validation/StrictRules/FileRules.php
@@ -211,7 +211,14 @@ public function ext_in(?string $blank, string $params): bool
                 return true;
             }
 
-            if (! in_array($file->guessExtension(), $params, true)) {
+            // Check the real filename extension, not only the guessed extension.
+            $clientExtension = strtolower($file->getClientExtension());
+
+            if ($clientExtension === '' || ! in_array($clientExtension, $params, true)) {
+                return false;
+            }
+
+            if ($file->guessExtension() !== $clientExtension) {
                 return false;
             }
         }
diff --git a/tests/system/Validation/StrictRules/FileRulesTest.php b/tests/system/Validation/StrictRules/FileRulesTest.php
@@ -316,6 +316,20 @@ public function testExtensionOk(): void
         $this->assertTrue($this->validation->run([]));
     }
 
+    public function testExtensionOkWithMatchingClientExtensionAndMimeType(): void
+    {
+        $payload = $this->createGifPayload();
+
+        try {
+            $this->setUploadedAvatar($payload, 'my-avatar.gif');
+
+            $this->validation->setRules(['avatar' => 'ext_in[avatar,gif]']);
+            $this->assertTrue($this->validation->run([]));
+        } finally {
+            unlink($payload);
+        }
+    }
+
     public function testExtensionNotOk(): void
     {
         $this->validation->setRules(['avatar' => 'ext_in[avatar,xls,doc,ppt]']);
@@ -327,4 +341,72 @@ public function testExtensionImpossible(): void
         $this->validation->setRules(['avatar' => 'ext_in[unknown,xls,doc,ppt]']);
         $this->assertFalse($this->validation->run([]));
     }
+
+    public function testExtensionFailsForMismatchedClientExtension(): void
+    {
+        $payload = $this->createGifPayload();
+
+        try {
+            $this->setUploadedAvatar($payload, 'shell.php');
+
+            $this->validation->setRules(['avatar' => 'ext_in[avatar,gif]']);
+            $this->assertFalse($this->validation->run([]));
+        } finally {
+            unlink($payload);
+        }
+    }
+
+    public function testExtensionFailsForAllowedButMimeIncompatibleClientExtension(): void
+    {
+        $payload = $this->createGifPayload();
+
+        try {
+            $this->setUploadedAvatar($payload, 'my-avatar.jpg');
+
+            $this->validation->setRules(['avatar' => 'ext_in[avatar,jpg,gif]']);
+            $this->assertFalse($this->validation->run([]));
+        } finally {
+            unlink($payload);
+        }
+    }
+
+    public function testExtensionFailsForExtensionlessClientFilename(): void
+    {
+        $payload = $this->createGifPayload();
+
+        try {
+            $this->setUploadedAvatar($payload, 'my-avatar');
+
+            $this->validation->setRules(['avatar' => 'ext_in[avatar,gif]']);
+            $this->assertFalse($this->validation->run([]));
+        } finally {
+            unlink($payload);
+        }
+    }
+
+    private function createGifPayload(): string
+    {
+        $payload = tempnam(sys_get_temp_dir(), 'ci4-upload-poc-');
+        $this->assertIsString($payload);
+
+        $gif = base64_decode('R0lGODlhAQABAIAAAAAAAP///ywAAAAAAQABAAACAUwAOw==', true);
+        $this->assertIsString($gif);
+
+        file_put_contents($payload, $gif);
+
+        return $payload;
+    }
+
+    private function setUploadedAvatar(string $payload, string $name): void
+    {
+        service('superglobals')->setFilesArray([
+            'avatar' => [
+                'tmp_name' => $payload,
+                'name'     => $name,
+                'size'     => filesize($payload),
+                'type'     => 'image/gif',
+                'error'    => UPLOAD_ERR_OK,
+            ],
+        ]);
+    }
 }
diff --git a/user_guide_src/source/changelogs/v4.7.3.rst b/user_guide_src/source/changelogs/v4.7.3.rst
@@ -10,6 +10,17 @@ Release Date: Unreleased
     :local:
     :depth: 3
 
+********
+SECURITY
+********
+
+- **Validation:** The ``ext_in`` file upload validation rule now validates the
+  client filename extension and verifies that it matches the detected MIME type.
+  Previously, ``ext_in`` only checked the MIME-derived guessed extension, so a
+  file with a mismatched client extension could pass validation.
+  See the `Security advisory GHSA-2gr4-ppc7-7mhx <https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-2gr4-ppc7-7mhx>`_
+  for more information.
+
 ********
 BREAKING
 ********
diff --git a/user_guide_src/source/installation/upgrade_473.rst b/user_guide_src/source/installation/upgrade_473.rst
@@ -30,6 +30,20 @@ upgrading. The easiest way is to re-run the install command:
 Breaking Changes
 ****************
 
+File Validation
+===============
+
+The ``ext_in`` file upload validation rule now checks the client filename
+extension and verifies that the detected MIME type is associated with that
+extension. Previously, ``ext_in`` only checked the MIME-derived guessed
+extension.
+
+This means files with no client filename extension, or files whose client
+filename extension does not match the detected MIME type, now fail ``ext_in``
+validation. If your application intentionally accepts such files, remove
+``ext_in`` from those validation rules and use a custom validation rule that
+matches your application's requirements.
+
 *********************
 Breaking Enhancements
 *********************
diff --git a/user_guide_src/source/libraries/validation.rst b/user_guide_src/source/libraries/validation.rst
@@ -1108,8 +1108,10 @@ min_dims                Yes         Fails if the minimum width and height of an
                                     v4.6.0.)
 mime_in                 Yes         Fails if the file's mime type is not one     ``mime_in[field_name,image/png,image/jpeg]``
                                     listed in the parameters.
-ext_in                  Yes         Fails if the file's extension is not one     ``ext_in[field_name,png,jpg,gif]``
-                                    listed in the parameters.
+ext_in                  Yes         Fails if the client filename's extension is  ``ext_in[field_name,png,jpg,gif]``
+                                    not one listed in the parameters, or if the
+                                    detected MIME type does not match the MIME
+                                    types associated with the extension.
 is_image                Yes         Fails if the file cannot be determined to be ``is_image[field_name]``
                                     an image based on the mime type.
 ======================= ========== ============================================= ===================================================

Original file line number	Diff line number	Diff line change
`@@ -211,7 +211,14 @@ public function ext_in(?string $blank, string $params): bool`
`211`	`211`	`return true;`
`212`	`212`	`}`
`213`	`213`
`214`		`- if (! in_array($file->guessExtension(), $params, true)) {`
	`214`	`+ // Check the real filename extension, not only the guessed extension.`
	`215`	`+ $clientExtension = strtolower($file->getClientExtension());`
	`216`	`+`
	`217`	`+ if ($clientExtension === '' \|\| ! in_array($clientExtension, $params, true)) {`
	`218`	`+ return false;`
	`219`	`+ }`
	`220`	`+`
	`221`	`+ if ($file->guessExtension() !== $clientExtension) {`
`215`	`222`	`return false;`
`216`	`223`	`}`
`217`	`224`	`}`