Example of a whitelist check (the vulnerable version discussed below):
$fileName = basename($_FILES["uploadFile"]["name"]);
// Unanchored: nothing follows the extension group, so any suffix is accepted.
if (!preg_match('/^.*\.(jpg|jpeg|png|gif)/', $fileName)) {
    echo "Only images are allowed";
    die();
}
Because the pattern is not anchored with '$', a name such as .jpg.php passes the check: ".jpg" matches and the trailing ".php" is never examined.
If PHP is wired into Apache with a configuration such as this one (for example in /etc/apache2/mods-enabled/php7.4.conf):
<FilesMatch ".+\.ph(ar|p|tml)">
    SetHandler application/x-httpd-php
</FilesMatch>
the pattern that decides which files are handed to the PHP handler is not anchored with '$' either, so a file named .php.jpg will also be interpreted as PHP.
Some characters that can be injected into a file name to confuse such checks (URL-encoded): %20 (space), %0a (line feed), %00 (NUL byte), %0d%0a (CR LF).
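The unanchored whitelist above placed beside an anchored version and run over a few constructed upload names, including the space, line feed and NUL cases from the list above. This is an added example, not code from the original note; the function names and sample file names are constructed.

```php
<?php
// Added example, not code from the original note. It puts the note's
// unanchored whitelist next to an anchored version and runs both over a
// few constructed upload names, including the characters the note lists
// (%20 space, %0a line feed, %00 NUL).

function weakCheck(string $fileName): bool
{
    // Same pattern as the note: nothing anchors the end of the string,
    // so any bytes may follow the whitelisted extension.
    return preg_match('/^.*\.(jpg|jpeg|png|gif)/', $fileName) === 1;
}

function strictCheck(string $fileName): bool
{
    // Anchored at both ends. The stem may contain only a small safe set
    // (no dots, spaces, NUL or control characters), so exactly one
    // extension is present. \z is used instead of $ because in PCRE a
    // plain $ also matches just before a trailing newline, which would
    // let "file.jpg\n" through.
    return preg_match('/^[A-Za-z0-9_-]{1,64}\.(jpg|jpeg|png|gif)\z/', $fileName) === 1;
}

// Constructed names; the NUL, newline and space cases mirror the note's list.
$names = [
    'file.jpg',          // legitimate:               weak allow, strict allow
    'file.jpg.php',      // double extension:         weak allow, strict deny
    'file.php.jpg',      // relies on the FilesMatch bug: weak allow, strict deny
    "file.php\x00.jpg",  // %00 NUL byte:             weak allow, strict deny
    'file.jpg ',         // %20 trailing space:       weak allow, strict deny
    "file.jpg\n",        // %0a trailing line feed:   weak allow, strict deny
];

foreach ($names as $n) {
    printf("%-22s weak=%-5s strict=%s\n",
        json_encode($n),
        weakCheck($n) ? 'allow' : 'deny',
        strictCheck($n) ? 'allow' : 'deny');
}
// Even with strictCheck, the stored file name should be generated by the
// application rather than taken from the client, and the Apache FilesMatch
// pattern must itself end in '$' so that .php.jpg is never executed.
```

The anchored check only addresses the application side; the FilesMatch pattern still has to be anchored separately, since .php.jpg passes any extension whitelist that legitimately accepts .jpg.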