Commit 1ddfac8c authored by Alex Pott's avatar Alex Pott

Issue #2112247 by sihv, dgroene, aalamaki, Dennis Walgaard, mErilainen: Fixed...

Issue #2112247 by sihv, dgroene, aalamaki, Dennis Walgaard, mErilainen: Fixed Valid file extensions in file names are not properly enforced when uploading files.
...@@ -880,7 +880,7 @@ function file_munge_filename($filename, $extensions, $alerts = TRUE) { ...@@ -880,7 +880,7 @@ function file_munge_filename($filename, $extensions, $alerts = TRUE) {
// Remove any null bytes. See http://php.net/manual/en/security.filesystem.nullbytes.php // Remove any null bytes. See http://php.net/manual/en/security.filesystem.nullbytes.php
$filename = str_replace(chr(0), '', $filename); $filename = str_replace(chr(0), '', $filename);
$whitelist = array_unique(explode(' ', trim($extensions))); $whitelist = array_unique(explode(' ', strtolower(trim($extensions))));
// Split the filename up by periods. The first part becomes the basename // Split the filename up by periods. The first part becomes the basename
// the last part the final extension. // the last part the final extension.
...@@ -893,7 +893,7 @@ function file_munge_filename($filename, $extensions, $alerts = TRUE) { ...@@ -893,7 +893,7 @@ function file_munge_filename($filename, $extensions, $alerts = TRUE) {
// of allowed extensions. // of allowed extensions.
foreach ($filename_parts as $filename_part) { foreach ($filename_parts as $filename_part) {
$new_filename .= '.' . $filename_part; $new_filename .= '.' . $filename_part;
if (!in_array($filename_part, $whitelist) && preg_match("/^[a-zA-Z]{2,5}\d?$/", $filename_part)) { if (!in_array(strtolower($filename_part), $whitelist) && preg_match("/^[a-zA-Z]{2,5}\d?$/", $filename_part)) {
$new_filename .= '_'; $new_filename .= '_';
} }
} }
......
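Review bot: The new check `in_array(strtolower($filename_part), $whitelist)` in the second hunk still uses loose comparison; since this comparison decides whether an extension gets neutralised, pass the strict flag, `if (!in_array(strtolower($filename_part), $whitelist, TRUE) && preg_match("/^[a-zA-Z]{2,5}\d?$/", $filename_part)) {`. Lower-casing both sides also changes the documented contract of file_munge_filename(), whose docblock sits above the hunk (the function starts before line 880 and continues past the hunk), so the `$extensions` parameter description should gain a line such as `*   Extension matching is case-insensitive.`. Be aware that strtolower() on PHP versions before 8.2 follows the current locale, so under a non-C locale an uppercase letter may not lower-case to its ASCII counterpart; because the regex only admits ASCII letters, the effect would be a part that misses the whitelist and is munged, a false positive rather than a bypass, but a short comment noting the ASCII/locale assumption would help the next reader.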
...@@ -17,6 +17,7 @@ function setUp() { ...@@ -17,6 +17,7 @@ function setUp() {
parent::setUp(); parent::setUp();
$this->bad_extension = 'php'; $this->bad_extension = 'php';
$this->name = $this->randomName() . '.' . $this->bad_extension . '.txt'; $this->name = $this->randomName() . '.' . $this->bad_extension . '.txt';
$this->name_with_uc_ext = $this->randomName() . '.' . strtoupper($this->bad_extension) . '.txt';
} }
/** /**
...@@ -54,9 +55,13 @@ function testMungeIgnoreInsecure() { ...@@ -54,9 +55,13 @@ function testMungeIgnoreInsecure() {
* White listed extensions are ignored by file_munge_filename(). * White listed extensions are ignored by file_munge_filename().
*/ */
function testMungeIgnoreWhitelisted() { function testMungeIgnoreWhitelisted() {
// Declare our extension as whitelisted. // Declare our extension as whitelisted. The declared extensions should
$munged_name = file_munge_filename($this->name, $this->bad_extension); // be case insensitive so test using one with a different case.
$this->assertIdentical($munged_name, $this->name, format_string('The new filename (%munged) matches the original (%original) once the extension has been whitelisted.', array('%munged' => $munged_name, '%original' => $this->name))); $munged_name = file_munge_filename($this->name_with_uc_ext, $this->bad_extension);
$this->assertIdentical($munged_name, $this->name_with_uc_ext, format_string('The new filename (%munged) matches the original (%original) once the extension has been whitelisted.', array('%munged' => $munged_name, '%original' => $this->name_with_uc_ext)));
// The allowed extensions should also be normalized.
$munged_name = file_munge_filename($this->name, strtoupper($this->bad_extension));
$this->assertIdentical($munged_name, $this->name, format_string('The new filename (%munged) matches the original (%original) also when the whitelisted extension is in uppercase.', array('%munged' => $munged_name, '%original' => $this->name)));
} }
/** /**
......
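Review bot: The added assertions in testMungeIgnoreWhitelisted() only exercise the permissive direction (an uppercase extension is accepted once whitelisted); nothing checks that an uppercase insecure extension is still munged when it is not whitelisted, which is the property that actually protects uploads. A counterpart, here or in the sibling insecure test, would pin that behaviour: `$munged_name = file_munge_filename($this->name_with_uc_ext, 'txt');` followed by `$this->assertNotIdentical($munged_name, $this->name_with_uc_ext, 'An uppercase insecure extension is still munged when it is not whitelisted.');`. The new `$this->name_with_uc_ext` is assigned in setUp() without a visible property declaration; the class header is outside the hunk, so if the property is not declared there, adding `protected $name_with_uc_ext;` alongside `$name` keeps the fixture explicit.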