Unverified Commit fdedb4e9 authored by alexpott's avatar alexpott

Issue #3151087 by rik-dev, dww, alexpott, Matroskeen: Replace use of...

Issue #3151087 by rik-dev, dww, alexpott, Matroskeen: Replace use of whitelist/blacklist in file_munge_filename() and its tests

(cherry picked from commit 9eb7a173)
parent 09fe2d3e
......@@ -185,7 +185,7 @@ function file_munge_filename($filename, $extensions, $alerts = TRUE) {
// http://php.net/manual/security.filesystem.nullbytes.php
$filename = str_replace(chr(0), '', $filename);
$whitelist = array_unique(explode(' ', strtolower(trim($extensions))));
$allowed_extensions = array_unique(explode(' ', strtolower(trim($extensions))));
// Split the filename up by periods. The first part becomes the basename
// the last part the final extension.
......@@ -200,7 +200,7 @@ function file_munge_filename($filename, $extensions, $alerts = TRUE) {
// of allowed extensions.
foreach ($filename_parts as $filename_part) {
$new_filename .= '.' . $filename_part;
if (!in_array(strtolower($filename_part), $whitelist) && preg_match("/^[a-zA-Z]{2,5}\d?$/", $filename_part)) {
if (!in_array(strtolower($filename_part), $allowed_extensions) && preg_match("/^[a-zA-Z]{2,5}\d?$/", $filename_part)) {
$new_filename .= '_';
}
}
......
......@@ -66,16 +66,16 @@ public function testMungeIgnoreInsecure() {
}
/**
* White listed extensions are ignored by file_munge_filename().
* Tests that allowed extensions are ignored by file_munge_filename().
*/
public function testMungeIgnoreWhitelisted() {
// Declare our extension as whitelisted. The declared extensions should
// be case insensitive so test using one with a different case.
public function testMungeIgnoreAllowedExtensions() {
// Declare that our extension is allowed. The declared extensions should be
// case insensitive, so test using one with a different case.
$munged_name = file_munge_filename($this->nameWithUcExt, $this->badExtension);
$this->assertSame($munged_name, $this->nameWithUcExt, new FormattableMarkup('The new filename (%munged) matches the original (%original) once the extension has been whitelisted.', ['%munged' => $munged_name, '%original' => $this->nameWithUcExt]));
$this->assertSame($munged_name, $this->nameWithUcExt);
// The allowed extensions should also be normalized.
$munged_name = file_munge_filename($this->name, strtoupper($this->badExtension));
$this->assertSame($munged_name, $this->name, new FormattableMarkup('The new filename (%munged) matches the original (%original) also when the whitelisted extension is in uppercase.', ['%munged' => $munged_name, '%original' => $this->name]));
$this->assertSame($munged_name, $this->name);
}
/**
......
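Review bot: In testMungeIgnoreAllowedExtensions both assertSame() calls pass the value under test first and the expected filename second, which is the reverse of PHPUnit's (expected, actual) order. With the FormattableMarkup messages removed by this change, a failure is reported only through PHPUnit's own expected/actual output, so the two filenames would be labelled the wrong way round. For a test that guards upload filename sanitising, that makes a regression harder to read. I would swap the arguments: `$this->assertSame($this->nameWithUcExt, $munged_name);` and `$this->assertSame($this->name, $munged_name);`.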