From 9e008e634137959c0e656070654f01ed8bf1cc5c Mon Sep 17 00:00:00 2001
From: Maxime Rainville
Date: Mon, 11 May 2020 13:55:33 +1200
Subject: [PATCH] [CVE-2020-9309] Require MimeUploadValidator on userformis' File Upload field
---
 _config/mimevalidator.yml | 6 ++++++
 code/Model/EditableFormField/EditableFileField.php | 7 ++++++-
 composer.json | 3 ++-
 3 files changed, 14 insertions(+), 2 deletions(-)
 create mode 100644 _config/mimevalidator.yml
diff --git a/_config/mimevalidator.yml b/_config/mimevalidator.yml
new file mode 100644
index 0000000..75e2e22
--- /dev/null
+++ b/_config/mimevalidator.yml
@@ -0,0 +1,6 @@
+---
+Name: mimeuploadvalidator-userforms
+---
+SilverStripe\Core\Injector\Injector:
+ SilverStripe\Assets\Upload_Validator.userforms:
+ class: SilverStripe\MimeValidator\MimeUploadValidator
diff --git a/code/Model/EditableFormField/EditableFileField.php b/code/Model/EditableFormField/EditableFileField.php
index cd4a725..a91e36b 100755
--- a/code/Model/EditableFormField/EditableFileField.php
+++ b/code/Model/EditableFormField/EditableFileField.php
@@ -4,7 +4,9 @@ namespace SilverStripe\UserForms\Model\EditableFormField;
 use SilverStripe\Assets\File;
 use SilverStripe\Assets\Folder;
+use SilverStripe\Assets\Upload_Validator;
 use SilverStripe\Core\Config\Config;
+use SilverStripe\Core\Injector\Injector;
 use SilverStripe\Forms\FileField;
 use SilverStripe\Forms\LiteralField;
 use SilverStripe\Forms\NumericField;
@@ -95,11 +97,14 @@ class EditableFileField extends EditableFormField
 return $result;
 }
+
+
 public function getFormField()
 {
 $field = FileField::create($this->Name, $this->Title ?: false)
 ->setFieldHolderTemplate(EditableFormField::class . '_holder')
 ->setTemplate(__CLASS__);
+ ->setTemplate(__CLASS__)
+ ->setValidator(Injector::inst()->get(Upload_Validator::class . '.userforms'));
 $field->setFieldHolderTemplate(EditableFormField::class . '_holder')
 ->setTemplate(__CLASS__);
diff --git a/composer.json b/composer.json
index b4344a9..e2fc7fc 100644
--- a/composer.json
+++ b/composer.json
@@ -33,7 +33,8 @@
 "silverstripe/cms": "^4.0",
 "symbiote/silverstripe-gridfieldextensions": "^3.1",
 "silverstripe/segment-field": "^2.0",
- "silverstripe/versioned": "^1.0"
+ "silverstripe/versioned": "^1.0",
+ "silverstripe/mimevalidator": "^2.0"
 },
 "require-dev": {
 "phpunit/phpunit": "^5.7",
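Review bot: The `SilverStripe\Assets\Upload_Validator.userforms` service is declared with only a `class:` key, so the Injector serves it as a shared instance, and the `Injector::inst()->get(...)` call added in the EditableFileField.php hunk therefore hands every userforms FileField the same validator object. If the field later configures allowed extensions or a maximum size on that validator (getFormField continues past the hunk, so that part is not visible here), two file-upload fields on one form, or successive requests in a long-running process, would overwrite each other's limits. Either make the service per-instance by adding `type: prototype` under the service key in this file, or fetch it with `Injector::inst()->create(Upload_Validator::class . '.userforms')` in the PHP hunk; the same consideration applies to both hunks, so fix it in one place only.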
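Review bot: The second hunk of EditableFileField.php inserts two blank lines between the closing brace of the previous method and `public function getFormField()`, where PSR-12 asks for a single blank line; drop one of the two `+` blank lines. The new `->setValidator(...)` call is also placed at the end of the fluent chain that is assigned to `$field`, which relies on `FileField::setValidator()` returning `$this`; if that is not guaranteed in the framework version the module targets, call it on its own line, `$field->setValidator(Injector::inst()->get(Upload_Validator::class . '.userforms'));`, after the assignment. getFormField's body continues outside the hunk.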