From 9aa8de4f7dda5f9425b867ee9012c1f80b290ce9 Mon Sep 17 00:00:00 2001
From: camer0n
Date: Tue, 22 Aug 2023 13:28:10 -0700
Subject: [PATCH] Issue GHSA-92fr-7h4f-22pp

---
 e107_admin/users.php | 2 +-
 e107_handlers/file_class.php | 4 ++++
 e107_tests/tests/unit/e_fileTest.php | 7 ++++++-
 3 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/e107_admin/users.php b/e107_admin/users.php
index 003708d240..beb7d6a3e0 100644
--- a/e107_admin/users.php
+++ b/e107_admin/users.php
@@ -1684,7 +1684,7 @@ function AddPage()
 }
 // Make Admin.
- if(getperms('4|U0')) // Quick Add User access should not be allowed to create new users with escalated perms.
+ if(getperms('4|U0')) // Quick Add User access should not be allowed to create new users with escalated perms.
 {
 $text .= "
diff --git a/e107_handlers/file_class.php b/e107_handlers/file_class.php
index 5c029b58e1..c054ce12fc 100644
--- a/e107_handlers/file_class.php
+++ b/e107_handlers/file_class.php
@@ -2233,6 +2233,10 @@ public function isAllowedType($file, $targetFile = '')
 $tmp = parse_url($targetFile);
 $targetFile = $tmp['path'];
 $remote = true;
+ if(!empty($tmp['host']) && ($tmp['host'] === 'localhost' || $tmp['host'] === '127.0.0.1'))
+ {
+ return false;
+ }
 }
 $ext = pathinfo($targetFile, PATHINFO_EXTENSION);
diff --git a/e107_tests/tests/unit/e_fileTest.php b/e107_tests/tests/unit/e_fileTest.php
index 89aeddbca8..d92da930cb 100644
--- a/e107_tests/tests/unit/e_fileTest.php
+++ b/e107_tests/tests/unit/e_fileTest.php
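Review bot: The new host check in isAllowedType is an exact, case-sensitive comparison against two literals, so any other spelling of a loopback or internal target — a mixed-case `Localhost` (DNS names are case-insensitive but `===` is not), the IPv6 loopback, other 127.0.0.0/8 addresses, private or link-local ranges — is still treated as an ordinary remote URL. Normalising the host with `strtolower()` and rejecting anything `filter_var()` classifies as private or reserved (`FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE`) covers the literal-address forms; a hostname that resolves to such an address would additionally need a resolution step, which this hunk does not attempt. On the context lines `$tmp['path']` is read without checking that `parse_url()` returned an array or that a path component exists, so a malformed or path-less URL would presumably reach `pathinfo()` with a warning rather than being rejected outright — pre-existing, but the new branch sits inside that same assumption. The new cases in the e107_tests/tests/unit/e_fileTest.php hunk pin only the two literals and would not catch these gaps. isAllowedType begins and ends outside the hunk.
```php
			$tmp = parse_url($targetFile);
			// … unchanged: $targetFile / $remote assignment …
			$host = strtolower(trim((string) ($tmp['host'] ?? ''), '[]'));
			$ip = filter_var($host, FILTER_VALIDATE_IP);
			if($host === 'localhost' || ($ip !== false && filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false))
			{
				return false;
			}
```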
@@ -157,9 +157,14 @@ public function testIsAllowedType()
 array('path'=> e_SYSTEM."filetypes.xml", 'expected' => true), // permitted
 array('path'=> e_PLUGIN."gallery/images/butterfly.jpg", 'expected' => true), // permitted
 array('path'=> 'http://127.0.0.1:8070/file.svg', 'expected'=>false), // not permitted
- array('path'=> 'http://127.0.0.1:8070/butterfly.jpg', 'expected'=>true), // permitted
+ array('path'=> 'http://127.0.0.1:8070/butterfly.jpg', 'expected'=>false), // not permitted
+ array('path'=> 'http://localhost:8070/file.svg', 'expected'=>false), // not permitted
+ array('path'=> 'http://localhost:8070/butterfly.jpg', 'expected'=>false), // not permitted
+ array('path'=> 'http://domain.com:8070/file.svg', 'expected'=>false), // suspicious
+ array('path'=> 'http://domain.com:8070/butterfly.jpg', 'expected'=>true), // permitted
 array('path'=> 'http://127.0.0.1/bla.php', 'expected'=>false), // suspicious
 array('path'=> 'http://127.0.0.1/bla.php?butterfly.jpg', 'expected'=>false), // suspicious
+
 );
 foreach($isAllowedTest as $file)