Issue #2112247 by sihv, dgroene, aalamaki, Dennis Walgaard, mErilainen: Fixed...

Issue #2112247 by sihv, dgroene, aalamaki, Dennis Walgaard, mErilainen: Fixed Valid file extensions in file names are not properly enforced when uploading files.

core/includes/file.inc

@@ -880,7 +880,7 @@ function file_munge_filename($filename, $extensions, $alerts = TRUE) {
     // Remove any null bytes. See http://php.net/manual/en/security.filesystem.nullbytes.php
     $filename = str_replace(chr(0), '', $filename);
 
-    $whitelist = array_unique(explode(' ', trim($extensions)));
+    $whitelist = array_unique(explode(' ', strtolower(trim($extensions))));
 
     // Split the filename up by periods. The first part becomes the basename
     // the last part the final extension.
@@ -893,7 +893,7 @@ function file_munge_filename($filename, $extensions, $alerts = TRUE) {
     // of allowed extensions.
     foreach ($filename_parts as $filename_part) {
       $new_filename .= '.' . $filename_part;
-      if (!in_array($filename_part, $whitelist) && preg_match("/^[a-zA-Z]{2,5}\d?$/", $filename_part)) {
+      if (!in_array(strtolower($filename_part), $whitelist) && preg_match("/^[a-zA-Z]{2,5}\d?$/", $filename_part)) {
         $new_filename .= '_';
       }
     }

core/modules/system/src/Tests/File/NameMungingTest.php

@@ -17,6 +17,7 @@ function setUp() {
     parent::setUp();
     $this->bad_extension = 'php';
     $this->name = $this->randomName() . '.' . $this->bad_extension . '.txt';
+    $this->name_with_uc_ext = $this->randomName() . '.' . strtoupper($this->bad_extension) . '.txt';
   }
 
   /**
@@ -54,9 +55,13 @@ function testMungeIgnoreInsecure() {
    * White listed extensions are ignored by file_munge_filename().
    */
   function testMungeIgnoreWhitelisted() {
-    // Declare our extension as whitelisted.
-    $munged_name = file_munge_filename($this->name, $this->bad_extension);
-    $this->assertIdentical($munged_name, $this->name, format_string('The new filename (%munged) matches the original (%original) once the extension has been whitelisted.', array('%munged' => $munged_name, '%original' => $this->name)));
+    // Declare our extension as whitelisted. The declared extensions should
+    // be case insensitive so test using one with a different case.
+    $munged_name = file_munge_filename($this->name_with_uc_ext, $this->bad_extension);
+    $this->assertIdentical($munged_name, $this->name_with_uc_ext, format_string('The new filename (%munged) matches the original (%original) once the extension has been whitelisted.', array('%munged' => $munged_name, '%original' => $this->name_with_uc_ext)));
+    // The allowed extensions should also be normalized.
+    $munged_name = file_munge_filename($this->name, strtoupper($this->bad_extension));
+    $this->assertIdentical($munged_name, $this->name, format_string('The new filename (%munged) matches the original (%original) also when the whitelisted extension is in uppercase.', array('%munged' => $munged_name, '%original' => $this->name)));
   }
 
   /**