Added configurable dangerous file upload extensions

system/blueprints/config/security.yaml

@@ -4,7 +4,7 @@ form:
     validation: loose
     fields:
 
-        security_section:
+        xss_section:
             type: section
             title: PLUGIN_ADMIN.XSS_SECURITY
             underline: true
@@ -82,3 +82,18 @@ form:
             validate:
                 type: commalist
 
+        uploads_section:
+            type: section
+            title: PLUGIN_ADMIN.UPLOADS_SECURITY
+            underline: true
+
+
+        uploads_dangerous_extensions:
+            type: selectize
+            size: large
+            label: PLUGIN_ADMIN.UPLOADS_DANGEROUS_EXTENSIONS
+            help: PLUGIN_ADMIN.UPLOADS_DANGEROUS_EXTENSIONS_HELP
+            classes: fancy
+            validate:
+                type: commalist
+

system/config/security.yaml

@@ -23,4 +23,9 @@ xss_dangerous_tags:
     - bgsound
     - title
     - base
-
+uploads_dangerous_extensions:
+    - php
+    - html
+    - htm
+    - js
+    - exe

system/src/Grav/Common/Utils.php

@@ -573,6 +573,13 @@ abstract class Utils
      */
     public static function checkFilename($filename)
     {
+        $dangerous_extensions = Grav::instance()['config']->get('security.uploads_dangerous_extensions', []);
+        array_walk($dangerous_extensions, function(&$val) {
+            $val = '.' . $val;
+        });
+
+        $extension = '.' . pathinfo($filename, PATHINFO_EXTENSION);
+
         return !(
             // Empty filenames are not allowed.
             !$filename
@@ -581,7 +588,7 @@ abstract class Utils
             // Filename should not start or end with dot or space.
             || trim($filename, '. ') !== $filename
             // Filename should not contain .php in it.
-            || strpos($filename, '.php') !== false
+            || static::contains($extension, $dangerous_extensions)
         );
     }