Unverified Commit fdedb4e9 authored by Alex Pott's avatar Alex Pott
Issue #3151087 by rik-dev, dww, alexpott, Matroskeen: Replace use of...

Issue #3151087 by rik-dev, dww, alexpott, Matroskeen: Replace use of whitelist/blacklist in file_munge_filename() and its tests

(cherry picked from commit 9eb7a173)
parent 09fe2d3e
...@@ -185,7 +185,7 @@ function file_munge_filename($filename, $extensions, $alerts = TRUE) { ...@@ -185,7 +185,7 @@ function file_munge_filename($filename, $extensions, $alerts = TRUE) {
// http://php.net/manual/security.filesystem.nullbytes.php // http://php.net/manual/security.filesystem.nullbytes.php
$filename = str_replace(chr(0), '', $filename); $filename = str_replace(chr(0), '', $filename);
$whitelist = array_unique(explode(' ', strtolower(trim($extensions)))); $allowed_extensions = array_unique(explode(' ', strtolower(trim($extensions))));
// Split the filename up by periods. The first part becomes the basename // Split the filename up by periods. The first part becomes the basename
// the last part the final extension. // the last part the final extension.
...@@ -200,7 +200,7 @@ function file_munge_filename($filename, $extensions, $alerts = TRUE) { ...@@ -200,7 +200,7 @@ function file_munge_filename($filename, $extensions, $alerts = TRUE) {
// of allowed extensions. // of allowed extensions.
foreach ($filename_parts as $filename_part) { foreach ($filename_parts as $filename_part) {
$new_filename .= '.' . $filename_part; $new_filename .= '.' . $filename_part;
if (!in_array(strtolower($filename_part), $whitelist) && preg_match("/^[a-zA-Z]{2,5}\d?$/", $filename_part)) { if (!in_array(strtolower($filename_part), $allowed_extensions) && preg_match("/^[a-zA-Z]{2,5}\d?$/", $filename_part)) {
$new_filename .= '_'; $new_filename .= '_';
} }
} }
...@@ -66,16 +66,16 @@ public function testMungeIgnoreInsecure() { ...@@ -66,16 +66,16 @@ public function testMungeIgnoreInsecure() {
} }
/** /**
* White listed extensions are ignored by file_munge_filename(). * Tests that allowed extensions are ignored by file_munge_filename().
*/ */
public function testMungeIgnoreWhitelisted() { public function testMungeIgnoreAllowedExtensions() {
// Declare our extension as whitelisted. The declared extensions should // Declare that our extension is allowed. The declared extensions should be
// be case insensitive so test using one with a different case. // case insensitive, so test using one with a different case.
$munged_name = file_munge_filename($this->nameWithUcExt, $this->badExtension); $munged_name = file_munge_filename($this->nameWithUcExt, $this->badExtension);
$this->assertSame($munged_name, $this->nameWithUcExt, new FormattableMarkup('The new filename (%munged) matches the original (%original) once the extension has been whitelisted.', ['%munged' => $munged_name, '%original' => $this->nameWithUcExt])); $this->assertSame($munged_name, $this->nameWithUcExt);
// The allowed extensions should also be normalized. // The allowed extensions should also be normalized.
$munged_name = file_munge_filename($this->name, strtoupper($this->badExtension)); $munged_name = file_munge_filename($this->name, strtoupper($this->badExtension));
$this->assertSame($munged_name, $this->name, new FormattableMarkup('The new filename (%munged) matches the original (%original) also when the whitelisted extension is in uppercase.', ['%munged' => $munged_name, '%original' => $this->name])); $this->assertSame($munged_name, $this->name);
} }
/** /**
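Review bot: In the two rewritten `assertSame` calls the actual value `$munged_name` is passed first and the expected value second, so on failure PHPUnit reports expected and actual swapped; its convention is `assertSame($expected, $actual)`. With the custom FormattableMarkup messages removed, the default failure output is all a reader gets, which makes the argument order matter more: `$this->assertSame($this->nameWithUcExt, $munged_name);` and `$this->assertSame($this->name, $munged_name);`. If no other assertion in this test class still constructs a `FormattableMarkup`, the corresponding `use` import (outside this hunk) is presumably now unused and should be dropped in the same change. The method testMungeIgnoreAllowedExtensions lies entirely within the hunk.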