Unverified Commit 9eb7a173 authored by Alex Pott's avatar Alex Pott

Issue #3151087 by rik-dev, dww, alexpott, Matroskeen: Replace use of...

Issue #3151087 by rik-dev, dww, alexpott, Matroskeen: Replace use of whitelist/blacklist in file_munge_filename() and its tests
parent 30c286f4
......@@ -185,7 +185,7 @@ function file_munge_filename($filename, $extensions, $alerts = TRUE) {
// http://php.net/manual/security.filesystem.nullbytes.php
$filename = str_replace(chr(0), '', $filename);
$whitelist = array_unique(explode(' ', strtolower(trim($extensions))));
$allowed_extensions = array_unique(explode(' ', strtolower(trim($extensions))));
// Split the filename up by periods. The first part becomes the basename
// the last part the final extension.
......@@ -200,7 +200,7 @@ function file_munge_filename($filename, $extensions, $alerts = TRUE) {
// of allowed extensions.
foreach ($filename_parts as $filename_part) {
$new_filename .= '.' . $filename_part;
if (!in_array(strtolower($filename_part), $whitelist) && preg_match("/^[a-zA-Z]{2,5}\d?$/", $filename_part)) {
if (!in_array(strtolower($filename_part), $allowed_extensions) && preg_match("/^[a-zA-Z]{2,5}\d?$/", $filename_part)) {
$new_filename .= '_';
}
}
......
......@@ -66,16 +66,16 @@ public function testMungeIgnoreInsecure() {
}
/**
* White listed extensions are ignored by file_munge_filename().
* Tests that allowed extensions are ignored by file_munge_filename().
*/
public function testMungeIgnoreWhitelisted() {
// Declare our extension as whitelisted. The declared extensions should
// be case insensitive so test using one with a different case.
public function testMungeIgnoreAllowedExtensions() {
// Declare that our extension is allowed. The declared extensions should be
// case insensitive, so test using one with a different case.
$munged_name = file_munge_filename($this->nameWithUcExt, $this->badExtension);
$this->assertSame($munged_name, $this->nameWithUcExt, new FormattableMarkup('The new filename (%munged) matches the original (%original) once the extension has been whitelisted.', ['%munged' => $munged_name, '%original' => $this->nameWithUcExt]));
$this->assertSame($munged_name, $this->nameWithUcExt);
// The allowed extensions should also be normalized.
$munged_name = file_munge_filename($this->name, strtoupper($this->badExtension));
$this->assertSame($munged_name, $this->name, new FormattableMarkup('The new filename (%munged) matches the original (%original) also when the whitelisted extension is in uppercase.', ['%munged' => $munged_name, '%original' => $this->name]));
$this->assertSame($munged_name, $this->name);
}
/**
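Review bot: The two new `assertSame()` calls in testMungeIgnoreAllowedExtensions() pass the munged name first and the fixture value second, but PHPUnit's signature is `assertSame($expected, $actual)`, so a failure would label the two values the wrong way round. Because this commit also removes the custom messages, that default output is all a maintainer sees if the case-insensitive allow-list check in file_munge_filename() regresses. Swap the arguments: `$this->assertSame($this->nameWithUcExt, $munged_name);` and `$this->assertSame($this->name, $munged_name);`. The fixture properties are set outside this hunk, so their values cannot be checked from here.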
......