Vulnerability - Filter can bypassed

[radiusmk]

The plugin can be easily bypassed with a little trick on the request. I submitted an .exe file that on the interface seems like a .txt file. See de examples:

To explore the problem I made this request:

Any file extension can be used.

[ajnyga]

Thanks, sure, that's why I have underlined in the plugin description that this is not a security plugin. Just something that helps journals limit the file types they are receiving.

Having said that, I am happy to include a pr that will do a more detailed check if you have something ready.

[radiusmk]

I'm not a developer, but I think the easiest way to solve the problem is to check the "file" field in the request, in addition to the "name" field.

In checkUpload function only field "name"is validated.

Other way is check if "name" and "file" fields have same value before check extensions.