Unverified Commit df3e7a58 authored by Alex Pott's avatar Alex Pott

Issue #3151087 by rik-dev, dww, alexpott, Matroskeen: Replace use of...

Issue #3151087 by rik-dev, dww, alexpott, Matroskeen: Replace use of whitelist/blacklist in file_munge_filename() and its tests

(cherry picked from commit 9eb7a173)
parent 75229805
+2 −2
@@ -683,7 +683,7 @@ function file_munge_filename($filename, $extensions, $alerts = TRUE) {
    // http://php.net/manual/security.filesystem.nullbytes.php
    $filename = str_replace(chr(0), '', $filename);

    $whitelist = array_unique(explode(' ', strtolower(trim($extensions))));
    $allowed_extensions = array_unique(explode(' ', strtolower(trim($extensions))));

    // Split the filename up by periods. The first part becomes the basename
    // the last part the final extension.
@@ -698,7 +698,7 @@ function file_munge_filename($filename, $extensions, $alerts = TRUE) {
    // of allowed extensions.
    foreach ($filename_parts as $filename_part) {
      $new_filename .= '.' . $filename_part;
      if (!in_array(strtolower($filename_part), $whitelist) && preg_match("/^[a-zA-Z]{2,5}\d?$/", $filename_part)) {
      if (!in_array(strtolower($filename_part), $allowed_extensions) && preg_match("/^[a-zA-Z]{2,5}\d?$/", $filename_part)) {
        $new_filename .= '_';
      }
    }
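Review bot: The membership test on the new line `if (!in_array(strtolower($filename_part), $allowed_extensions) && ...` in the second hunk still uses loose comparison, and since this check decides which filename parts get a trailing `_` appended it should read `if (!in_array(strtolower($filename_part), $allowed_extensions, TRUE) && preg_match("/^[a-zA-Z]{2,5}\d?$/", $filename_part)) {`. Both operands are strings produced by explode() and strtolower() here, so no behaviour change is expected, but the strict flag makes the intent explicit and avoids PHP's numeric-string equality rules should the allowed list ever be built from another source. The enclosing function file_munge_filename() starts before the first hunk and ends after the second, so the rest of its handling of $allowed_extensions is not visible here.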
+6 −6
@@ -66,16 +66,16 @@ public function testMungeIgnoreInsecure() {
  }

  /**
   * White listed extensions are ignored by file_munge_filename().
   * Tests that allowed extensions are ignored by file_munge_filename().
   */
  public function testMungeIgnoreWhitelisted() {
    // Declare our extension as whitelisted. The declared extensions should
    // be case insensitive so test using one with a different case.
  public function testMungeIgnoreAllowedExtensions() {
    // Declare that our extension is allowed. The declared extensions should be
    // case insensitive, so test using one with a different case.
    $munged_name = file_munge_filename($this->nameWithUcExt, $this->badExtension);
    $this->assertSame($munged_name, $this->nameWithUcExt, new FormattableMarkup('The new filename (%munged) matches the original (%original) once the extension has been whitelisted.', ['%munged' => $munged_name, '%original' => $this->nameWithUcExt]));
    $this->assertSame($munged_name, $this->nameWithUcExt);
    // The allowed extensions should also be normalized.
    $munged_name = file_munge_filename($this->name, strtoupper($this->badExtension));
    $this->assertSame($munged_name, $this->name, new FormattableMarkup('The new filename (%munged) matches the original (%original) also when the whitelisted extension is in uppercase.', ['%munged' => $munged_name, '%original' => $this->name]));
    $this->assertSame($munged_name, $this->name);
  }

  /**