Issue #2112247 by sihv, dgroene, aalamaki, Dennis Walgaard, mErilainen: Fixed...

Issue #2112247 by sihv, dgroene, aalamaki, Dennis Walgaard, mErilainen: Fixed Valid file extensions in file names are not properly enforced when uploading files.

Issue #2112247 by sihv, dgroene, aalamaki, Dennis Walgaard, mErilainen: Fixed...
Issue #2112247 by sihv, dgroene, aalamaki, Dennis Walgaard, mErilainen: Fixed Valid file extensions in file names are not properly enforced when uploading files.
1ddfac8c · alexpott · 77a9ea02 · 1ddfac8c · 1ddfac8c
Commit 1ddfac8c authored Jul 24, 2014 by alexpott
--- a/core/includes/file.inc
+++ b/core/includes/file.inc
@@ -880,7 +880,7 @@ function file_munge_filename($filename, $extensions, $alerts = TRUE) {
    // Remove any null bytes. See http://php.net/manual/en/security.filesystem.nullbytes.php
    $filename = str_replace(chr(0), '', $filename);

-    $whitelist = array_unique(explode(' ', trim($extensions)));
+    $whitelist = array_unique(explode(' ', strtolower(trim($extensions))));

    // Split the filename up by periods. The first part becomes the basename
    // the last part the final extension.
@@ -893,7 +893,7 @@ function file_munge_filename($filename, $extensions, $alerts = TRUE) {
    // of allowed extensions.
    foreach ($filename_parts as $filename_part) {
      $new_filename .= '.' . $filename_part;
-      if (!in_array($filename_part, $whitelist) && preg_match("/^[a-zA-Z]{2,5}\d?$/", $filename_part)) {
+      if (!in_array(strtolower($filename_part), $whitelist) && preg_match("/^[a-zA-Z]{2,5}\d?$/", $filename_part)) {
        $new_filename .= '_';
      }
    }

--- a/core/modules/system/src/Tests/File/NameMungingTest.php
+++ b/core/modules/system/src/Tests/File/NameMungingTest.php
@@ -17,6 +17,7 @@ function setUp() {
    parent::setUp();
    $this->bad_extension = 'php';
    $this->name = $this->randomName() . '.' . $this->bad_extension . '.txt';
+    $this->name_with_uc_ext = $this->randomName() . '.' . strtoupper($this->bad_extension) . '.txt';
  }

  /**
@@ -54,9 +55,13 @@ function testMungeIgnoreInsecure() {
   * White listed extensions are ignored by file_munge_filename().
   */
  function testMungeIgnoreWhitelisted() {
-    // Declare our extension as whitelisted.
-    $munged_name = file_munge_filename($this->name, $this->bad_extension);
-    $this->assertIdentical($munged_name, $this->name, format_string('The new filename (%munged) matches the original (%original) once the extension has been whitelisted.', array('%munged' => $munged_name, '%original' => $this->name)));
+    // Declare our extension as whitelisted. The declared extensions should
+    // be case insensitive so test using one with a different case.
+    $munged_name = file_munge_filename($this->name_with_uc_ext, $this->bad_extension);
+    $this->assertIdentical($munged_name, $this->name_with_uc_ext, format_string('The new filename (%munged) matches the original (%original) once the extension has been whitelisted.', array('%munged' => $munged_name, '%original' => $this->name_with_uc_ext)));
+    // The allowed extensions should also be normalized.
+    $munged_name = file_munge_filename($this->name, strtoupper($this->bad_extension));
+    $this->assertIdentical($munged_name, $this->name, format_string('The new filename (%munged) matches the original (%original) also when the whitelisted extension is in uppercase.', array('%munged' => $munged_name, '%original' => $this->name)));
  }

  /**