Block certain file types from being uploaded in OJS

I was not able to find a method inside OJS to block specific file types from being uploaded. OJS has the ability to upload any file type to an article and we kept getting hacked as they were able to upload a .phtml file to the article and then use this file to overwrite the index.php file. I came up with the below solution to stop .phtml files from being uploaded. You can modify this to block any file type or more than one.

From the following file, the lines in red were added to block the .phtml file from being uploaded. This same script can be used in the future to block other file types if required.


Find the section below and add the lines in red in the same spots or copy and replace the whole function:

/**
 * Upload a file.
 * @param $fileName string the name of the file used in the POST form
 * @param $destFileName string the path where the file is to be saved
 * @return boolean returns true if successful
 */
function uploadFile($fileName, $destFileName) {
    $destDir = dirname($destFileName);
    if (!$this->fileExists($destDir, 'dir')) {
        // Try to create the destination directory
        $this->mkdirtree($destDir);
    }
    if (!isset($_FILES[$fileName])) return false;
    // Get the file extension (lower-cased so that .PHTML is caught as well)
    $name = $_FILES[$fileName]['name'];
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    // block phtml files
    if ($ext == 'phtml') return false;
    // to block more than one file type use if ($ext == 'phtml' || $ext == 'php') return false;
    if (move_uploaded_file($_FILES[$fileName]['tmp_name'], $destFileName))
        return $this->setMode($destFileName, FILE_MODE_MASK);
    return false;
}

I also secured the root public_html to only allow read and execute as there was no need to allow writes to the root of this folder.

I hope someone else finds this useful.


Note that the only known vector for someone to upload and execute a malicious file is to have your files_dir exposed to the web. This is inherently insecure. If you keep your files_dir outside of your web root (or blocked by your webserver’s access control), malicious actors could still upload such a file, but they wouldn’t be able to do anything with it.

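The two measures discussed in this thread, checking the uploaded file name and keeping files_dir outside the web root, sketched as an added example that is not OJS code and not written by either poster. The function names, the allowlist and the script-extension list are assumptions; the name check uses an allowlist rather than blocking single extensions, and also covers trailing dots, dotfiles and names such as paper.phtml.pdf.

```php
<?php
// Added example, not OJS code. Function names, the allowlist and the
// script-extension list are assumptions; adjust them to your journal.

const ALLOWED_EXT = ['pdf', 'doc', 'docx', 'odt', 'rtf', 'tex', 'png', 'jpg'];
const SCRIPT_EXT  = ['php', 'phtml', 'pht', 'phar', 'php5', 'cgi', 'pl', 'htaccess'];

/** True only if the client-supplied upload name is acceptable. */
function isAllowedUploadName(string $name): bool {
    // Control characters (including NUL) never belong in a file name
    if ($name === '' || preg_match('/[\x00-\x1f]/', $name)) return false;
    // Drop any path, trailing dots/spaces, and compare in lower case
    $base  = strtolower(rtrim(basename(str_replace('\\', '/', $name)), '. '));
    $parts = explode('.', $base);
    // Need "name.ext"; this also rejects dotfiles such as ".htaccess"
    if (count($parts) < 2 || $parts[0] === '') return false;
    // The final extension must be on the allowlist
    if (!in_array(end($parts), ALLOWED_EXT, true)) return false;
    // No inner segment may be a script extension ("paper.phtml.pdf")
    foreach (array_slice($parts, 1, -1) as $seg) {
        if (in_array($seg, SCRIPT_EXT, true)) return false;
    }
    return true;
}

/** True if $filesDir resolves to a location outside $webRoot. */
function isOutsideWebRoot(string $filesDir, string $webRoot): bool {
    $f = realpath($filesDir);
    $w = realpath($webRoot);
    if ($f === false || $w === false) return false; // unresolved: treat as unsafe
    $w = rtrim($w, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($f . DIRECTORY_SEPARATOR, $w, strlen($w)) !== 0;
}

// Constructed sample names
$samples = ['article.pdf', 'shell.phtml', 'shell.PHTML', 'shell.phtml.',
            'paper.phtml.pdf', '.htaccess', 'my.paper.v2.docx'];
foreach ($samples as $n) {
    printf("%-18s %s\n", $n, isAllowedUploadName($n) ? 'accept' : 'reject');
}

// Constructed layout under the temp directory: a web root and two files_dir candidates
$root = sys_get_temp_dir() . '/ojs_demo_' . getmypid();
mkdir("$root/public_html/files", 0700, true);
mkdir("$root/ojs_files", 0700, true);
var_dump(isOutsideWebRoot("$root/public_html/files", "$root/public_html"));
var_dump(isOutsideWebRoot("$root/ojs_files", "$root/public_html"));
```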