Commit 5d89911f authored by webchick's avatar webchick

Issue #1870612 by greggles, aasarava, quicksketch, Justin_KleinKeane, John...

Issue #1870612 by greggles, aasarava, quicksketch, Justin_KleinKeane, John Morahan: SA-CORE-2012-004 - Drupal core - Arbitrary code execution via file upload.
parent 0f2232c3
......@@ -817,6 +817,9 @@ function file_munge_filename($filename, $extensions, $alerts = TRUE) {
// Allow potentially insecure uploads for very savvy users and admin
if (!variable_get('allow_insecure_uploads', 0)) {
// Remove any null bytes. See http://php.net/manual/en/security.filesystem.nullbytes.php
$filename = str_replace(chr(0), '', $filename);
$whitelist = array_unique(explode(' ', trim($extensions)));
// Split the filename up by periods. The first part becomes the basename
......
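Review bot: The new `$filename = str_replace(chr(0), '', $filename);` runs only inside the `if (!variable_get('allow_insecure_uploads', 0))` branch, so a site that has enabled allow_insecure_uploads still gets a filename with embedded NUL bytes passed on unchanged, even though the added comment presents the strip as a filesystem safeguard rather than an extension-whitelist concern. Unless that is deliberate for the insecure-uploads configuration, moving the two added lines above the `if` keeps the strip unconditional while leaving the whitelist handling optional. It would also help to state the chosen behaviour in the comment, e.g. `// NUL bytes are removed rather than rejected; the name is munged further below.`, so a later reader does not mistake this for full validation. file_munge_filename continues outside the hunk, and the header counts nine new lines while only six are rendered here, so the exact placement of the third added line cannot be confirmed from this view.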