diff --git a/core/includes/file.inc b/core/includes/file.inc deleted file mode 100644 index c0be1e0253f..00000000000 --- a/core/includes/file.inc +++ /dev/null @@ -1,218 +0,0 @@ -generateAbsoluteString($uri); - } - catch (InvalidStreamWrapperException $e) { - return FALSE; - } -} - -/** - * Transforms an absolute URL of a local file to a relative URL. - * - * May be useful to prevent problems on multisite set-ups and prevent mixed - * content errors when using HTTPS + HTTP. - * - * @param string $file_url - * A file URL of a local file as generated by - * FileUrlGeneratorInterface::generateString(). - * - * @return string - * If the file URL indeed pointed to a local file and was indeed absolute, - * then the transformed, relative URL to the local file. Otherwise: the - * original value of $file_url. - * - * @deprecated in drupal:9.3.0 and is removed from drupal:10.0.0. - * Use \Drupal\Core\File\FileUrlGenerator::transformRelative() instead. - * - * @see https://www.drupal.org/node/2940031 - * @see \Drupal\Core\File\FileUrlGeneratorInterface::transformRelative() - */ -function file_url_transform_relative($file_url) { - @trigger_error('file_url_transform_relative() is deprecated in drupal:9.3.0 and is removed from drupal:10.0.0. Use \Drupal\Core\File\FileUrlGenerator::transformRelative() instead. See https://www.drupal.org/node/2940031', E_USER_DEPRECATED); - return \Drupal::service('file_url_generator')->transformRelative($file_url); -} - -/** - * Constructs a URI to Drupal's default files location given a relative path. - * - * @deprecated in drupal:9.3.0 and is removed from drupal:10.0.0 without - * replacement. - * - * @see https://www.drupal.org/node/3223091 - */ -function file_build_uri($path) { - @trigger_error('file_build_uri() is deprecated in drupal:9.3.0 and is removed from drupal:10.0.0 without replacement. See https://www.drupal.org/node/3223091', E_USER_DEPRECATED); - $uri = \Drupal::config('system.file')->get('default_scheme') . '://' . $path; - /** @var \Drupal\Core\StreamWrapper\StreamWrapperManagerInterface $stream_wrapper_manager */ - $stream_wrapper_manager = \Drupal::service('stream_wrapper_manager'); - return $stream_wrapper_manager->normalizeUri($uri); -} - -/** - * Modifies a filename as needed for security purposes. - * - * Munging a file name prevents unknown file extensions from masking exploit - * files. When web servers such as Apache decide how to process a URL request, - * they use the file extension. If the extension is not recognized, Apache - * skips that extension and uses the previous file extension. For example, if - * the file being requested is exploit.php.pps, and Apache does not recognize - * the '.pps' extension, it treats the file as PHP and executes it. To make - * this file name safe for Apache and prevent it from executing as PHP, the - * .php extension is "munged" into .php_, making the safe file name - * exploit.php_.pps. - * - * Specifically, this function adds an underscore to all extensions that are - * between 2 and 5 characters in length, internal to the file name, and either - * included in the list of unsafe extensions, or not included in $extensions. - * - * Function behavior is also controlled by the configuration - * 'system.file:allow_insecure_uploads'. If it evaluates to TRUE, no alterations - * will be made, if it evaluates to FALSE, the filename is 'munged'. * - * @param $filename - * File name to modify. - * @param $extensions - * A space-separated list of extensions that should not be altered. Note that - * extensions that are unsafe will be altered regardless of this parameter. - * @param $alerts - * If TRUE, \Drupal::messenger()->addStatus() will be called to display - * a message if the file name was changed. - * - * @return string - * The potentially modified $filename. - * - * @deprecated in drupal:9.2.0 and is removed from drupal:10.0.0. Dispatch a - * \Drupal\Core\File\Event\FileUploadSanitizeNameEvent event instead. - * - * @see https://www.drupal.org/node/3032541 - */ -function file_munge_filename($filename, $extensions, $alerts = TRUE) { - @trigger_error('file_munge_filename() is deprecated in drupal:9.2.0 and is removed from drupal:10.0.0. Dispatch a \Drupal\Core\File\Event\FileUploadSanitizeNameEvent event instead. See https://www.drupal.org/node/3032541', E_USER_DEPRECATED); - $original = $filename; - - // Allow potentially insecure uploads for very savvy users and admin - if (!\Drupal::config('system.file')->get('allow_insecure_uploads')) { - // Remove any null bytes. See - // http://php.net/manual/security.filesystem.nullbytes.php - $filename = str_replace(chr(0), '', $filename); - - $allowed_extensions = array_unique(explode(' ', strtolower(trim($extensions)))); - - // Remove unsafe extensions from the allowed list of extensions. - $allowed_extensions = array_diff($allowed_extensions, FileSystemInterface::INSECURE_EXTENSIONS); - - // Split the filename up by periods. The first part becomes the basename - // the last part the final extension. - $filename_parts = explode('.', $filename); - // Remove file basename. - $new_filename = array_shift($filename_parts); - // Remove final extension. - $final_extension = array_pop($filename_parts); - - // Loop through the middle parts of the name and add an underscore to the - // end of each section that could be a file extension but isn't in the list - // of allowed extensions. - foreach ($filename_parts as $filename_part) { - $new_filename .= '.' . $filename_part; - if (!in_array(strtolower($filename_part), $allowed_extensions) && preg_match("/^[a-zA-Z]{2,5}\d?$/", $filename_part)) { - $new_filename .= '_'; - } - } - $filename = $new_filename . '.' . $final_extension; - - if ($alerts && $original != $filename) { - \Drupal::messenger()->addStatus(t('For security reasons, your upload has been renamed to %filename.', ['%filename' => $filename])); - } - } - - return $filename; -} - -/** - * Undoes the effect of file_munge_filename(). - * - * @param $filename - * String with the filename to be unmunged. - * - * @return - * An unmunged filename string. - * - * @deprecated in drupal:9.2.0 and is removed from drupal:10.0.0. Use - * str_replace() instead. - * - * @see https://www.drupal.org/node/3032541 - */ -function file_unmunge_filename($filename) { - @trigger_error('file_unmunge_filename() is deprecated in drupal:9.2.0 and is removed from drupal:10.0.0. Use str_replace() instead. See https://www.drupal.org/node/3032541', E_USER_DEPRECATED); - return str_replace('_.', '.', $filename); -} - -/** - * @} End of "defgroup file". - */ diff --git a/core/includes/install.core.inc b/core/includes/install.core.inc index 31b5b5a6810..2da1e35f1fa 100644 --- a/core/includes/install.core.inc +++ b/core/includes/install.core.inc @@ -338,7 +338,6 @@ function install_begin_request($class_loader, &$install_state) { // since the error/exception handlers depend on them. require_once __DIR__ . '/../modules/system/system.install'; require_once __DIR__ . '/common.inc'; - require_once __DIR__ . '/file.inc'; require_once __DIR__ . '/install.inc'; require_once __DIR__ . '/schema.inc'; require_once __DIR__ . '/form.inc'; diff --git a/core/includes/theme.maintenance.inc b/core/includes/theme.maintenance.inc index 873738f883a..aa2a248750a 100644 --- a/core/includes/theme.maintenance.inc +++ b/core/includes/theme.maintenance.inc @@ -25,7 +25,6 @@ function _drupal_maintenance_theme() { require_once __DIR__ . '/theme.inc'; require_once __DIR__ . '/common.inc'; - require_once __DIR__ . '/file.inc'; require_once __DIR__ . '/module.inc'; // Install and update pages are treated differently to prevent theming overrides. diff --git a/core/lib/Drupal/Core/DrupalKernel.php b/core/lib/Drupal/Core/DrupalKernel.php index f57a83a9604..e23d81b1563 100644 --- a/core/lib/Drupal/Core/DrupalKernel.php +++ b/core/lib/Drupal/Core/DrupalKernel.php @@ -538,7 +538,6 @@ class DrupalKernel implements DrupalKernelInterface, TerminableInterface { require_once $this->root . '/core/includes/module.inc'; require_once $this->root . '/core/includes/theme.inc'; require_once $this->root . '/core/includes/menu.inc'; - require_once $this->root . '/core/includes/file.inc'; require_once $this->root . '/core/includes/form.inc'; require_once $this->root . '/core/includes/errors.inc'; require_once $this->root . '/core/includes/schema.inc'; diff --git a/core/lib/Drupal/Core/Form/FormBuilder.php b/core/lib/Drupal/Core/Form/FormBuilder.php index 6388b857c76..c38ff014e43 100644 --- a/core/lib/Drupal/Core/Form/FormBuilder.php +++ b/core/lib/Drupal/Core/Form/FormBuilder.php @@ -1171,7 +1171,7 @@ class FormBuilder implements FormBuilderInterface, FormValidatorInterface, FormS $name = array_shift($element['#parents']); $element['#name'] = $name; if ($element['#type'] == 'file') { - // To make it easier to handle files in file.inc, we place all + // To make it easier to handle files, we place all // file fields in the 'files' array. Also, we do not support // nested file names. // @todo Remove this files prefix now? diff --git a/core/lib/Drupal/Core/Render/Element/File.php b/core/lib/Drupal/Core/Render/Element/File.php index 5fe7b8f7f61..c909b926dea 100644 --- a/core/lib/Drupal/Core/Render/Element/File.php +++ b/core/lib/Drupal/Core/Render/Element/File.php @@ -54,7 +54,7 @@ class File extends FormElement { * Prepares a #type 'file' render element for input.html.twig. * * For assistance with handling the uploaded file correctly, see the API - * provided by file.inc. + * provided by file.api.php. * * @param array $element * An associative array containing the properties of the element. diff --git a/core/lib/Drupal/Core/Test/TestRunnerKernel.php b/core/lib/Drupal/Core/Test/TestRunnerKernel.php index 2315693eacf..d5ec4573f19 100644 --- a/core/lib/Drupal/Core/Test/TestRunnerKernel.php +++ b/core/lib/Drupal/Core/Test/TestRunnerKernel.php @@ -86,7 +86,6 @@ class TestRunnerKernel extends DrupalKernel { $this->getContainer()->get('stream_wrapper_manager')->register(); // Create the build/artifacts directory if necessary. - include_once $this->getAppRoot() . '/core/includes/file.inc'; if (!is_dir('public://simpletest') && !@mkdir('public://simpletest', 0777, TRUE) && !is_dir('public://simpletest')) { throw new \RuntimeException('Unable to create directory: public://simpletest'); } diff --git a/core/modules/file/file.api.php b/core/modules/file/file.api.php index bc60c04565d..8c2cb93b7ba 100644 --- a/core/modules/file/file.api.php +++ b/core/modules/file/file.api.php @@ -6,8 +6,10 @@ */ /** - * @addtogroup file + * @defgroup file File interface * @{ + * Common file handling functions. + * * @section file_security Uploading files and security considerations * * Using \Drupal\file\Element\ManagedFile field with a defined list of allowed diff --git a/core/tests/Drupal/KernelTests/Core/File/FileSystemDeprecationTest.php b/core/tests/Drupal/KernelTests/Core/File/FileSystemDeprecationTest.php deleted file mode 100644 index 6d3eb63c841..00000000000 --- a/core/tests/Drupal/KernelTests/Core/File/FileSystemDeprecationTest.php +++ /dev/null @@ -1,34 +0,0 @@ -expectDeprecation('file_create_url() is deprecated in drupal:9.3.0 and is removed from drupal:10.0.0. Use the appropriate method on \Drupal\Core\File\FileUrlGeneratorInterface instead. See https://www.drupal.org/node/2940031'); - $this->expectDeprecation('file_url_transform_relative() is deprecated in drupal:9.3.0 and is removed from drupal:10.0.0. Use \Drupal\Core\File\FileUrlGenerator::transformRelative() instead. See https://www.drupal.org/node/2940031'); - $filepath = 'core/assets/vendor/jquery/jquery.min.js'; - $url = file_url_transform_relative(file_create_url($filepath)); - $this->assertNotEmpty($url); - } - - /** - * Tests deprecated file_build_uri() - */ - public function testDeprecatedFileBuildUri() { - $this->expectDeprecation('file_build_uri() is deprecated in drupal:9.3.0 and is removed from drupal:10.0.0 without replacement. See https://www.drupal.org/node/3223091'); - $this->assertEquals('public://foo/bar.txt', file_build_uri('foo/bar.txt')); - } - -} diff --git a/core/tests/Drupal/KernelTests/Core/File/FileTestBase.php b/core/tests/Drupal/KernelTests/Core/File/FileTestBase.php index 9deac668af2..9e8998461f1 100644 --- a/core/tests/Drupal/KernelTests/Core/File/FileTestBase.php +++ b/core/tests/Drupal/KernelTests/Core/File/FileTestBase.php @@ -67,8 +67,6 @@ abstract class FileTestBase extends KernelTestBase { $public_file_directory = $this->siteDirectory . '/files'; $private_file_directory = $this->siteDirectory . '/private'; - require_once 'core/includes/file.inc'; - mkdir($this->siteDirectory, 0775); mkdir($this->siteDirectory . '/files', 0775); mkdir($this->siteDirectory . '/private', 0775); diff --git a/core/tests/Drupal/KernelTests/Core/File/NameMungingTest.php b/core/tests/Drupal/KernelTests/Core/File/NameMungingTest.php deleted file mode 100644 index ac4a726dd74..00000000000 --- a/core/tests/Drupal/KernelTests/Core/File/NameMungingTest.php +++ /dev/null @@ -1,128 +0,0 @@ - (name).foo_.txt when allows_insecure_uploads === 0 - * - testMungeBullByte() - * - (name).foo\0.txt -> (name).foo_.txt regardless of allows_insecure_uploads - * - testMungeIgnoreInsecure() - * - (name).foo.txt unmodified when allows_insecure_uploads === 1 - * - testMungeIgnoreAllowedExtensions() - * - (name).FOO.txt -> (name).FOO when allowing 'foo'. - * - (name).foo.txt -> (name).foo.txt when allowing 'FOO'. - * - testMungeUnsafe() - * - (name).php.txt -> (name).php_.txt even when allowing 'php txt' - * - (name).php.txt -> (name).php_.txt even when allowing 'php txt' - * - testUnMunge() - * - (name).foo.txt -> (unchecked) -> (name).foo.txt after un-munging - * - * @group File - * @group legacy - */ -class NameMungingTest extends FileTestBase { - - /** - * An extension to be used as forbidden during munge operations. - * - * @var string - */ - protected $badExtension; - - /** - * The name of a file with a bad extension, after munging. - * - * @var string - */ - protected $name; - - /** - * The name of a file with an upper-cased bad extension, after munging. - * - * @var string - */ - protected $nameWithUcExt; - - protected function setUp(): void { - parent::setUp(); - $this->badExtension = 'foo'; - $this->name = $this->randomMachineName() . '.' . $this->badExtension . '.txt'; - $this->nameWithUcExt = $this->randomMachineName() . '.' . strtoupper($this->badExtension) . '.txt'; - } - - /** - * Create a file and munge/unmunge the name. - */ - public function testMunging() { - $this->expectDeprecation('file_munge_filename() is deprecated in drupal:9.2.0 and is removed from drupal:10.0.0. Dispatch a \Drupal\Core\File\Event\FileUploadSanitizeNameEvent event instead. See https://www.drupal.org/node/3032541'); - // Disable insecure uploads. - $this->config('system.file')->set('allow_insecure_uploads', 0)->save(); - $munged_name = file_munge_filename($this->name, '', TRUE); - $messages = \Drupal::messenger()->all(); - \Drupal::messenger()->deleteAll(); - $this->assertContainsEquals(strtr('For security reasons, your upload has been renamed to %filename.', ['%filename' => $munged_name]), $messages['status'], 'Alert properly set when a file is renamed.'); - $this->assertNotEquals($this->name, $munged_name, new FormattableMarkup('The new filename (%munged) has been modified from the original (%original)', ['%munged' => $munged_name, '%original' => $this->name])); - } - - /** - * Tests munging with a null byte in the filename. - */ - public function testMungeNullByte() { - $prefix = $this->randomMachineName(); - $filename = $prefix . '.' . $this->badExtension . "\0.txt"; - $this->assertEquals($prefix . '.' . $this->badExtension . '_.txt', file_munge_filename($filename, ''), 'A filename with a null byte is correctly munged to remove the null byte.'); - } - - /** - * If the system.file.allow_insecure_uploads setting evaluates to true, the file should - * come out untouched, no matter how evil the filename. - */ - public function testMungeIgnoreInsecure() { - $this->config('system.file')->set('allow_insecure_uploads', 1)->save(); - $munged_name = file_munge_filename($this->name, ''); - $this->assertSame($munged_name, $this->name, new FormattableMarkup('The original filename (%original) matches the munged filename (%munged) when insecure uploads are enabled.', ['%munged' => $munged_name, '%original' => $this->name])); - } - - /** - * Tests that allowed extensions are ignored by file_munge_filename(). - */ - public function testMungeIgnoreAllowedExtensions() { - // Declare that our extension is allowed. The declared extensions should be - // case insensitive, so test using one with a different case. - $munged_name = file_munge_filename($this->nameWithUcExt, $this->badExtension); - $this->assertSame($munged_name, $this->nameWithUcExt); - // The allowed extensions should also be normalized. - $munged_name = file_munge_filename($this->name, strtoupper($this->badExtension)); - $this->assertSame($munged_name, $this->name); - } - - /** - * Tests unsafe extensions are always munged by file_munge_filename(). - */ - public function testMungeUnsafe() { - $prefix = $this->randomMachineName(); - $name = "$prefix.php.txt"; - // Put the php extension in the allowed list, but since it is in the unsafe - // extension list, it should still be munged. - $munged_name = file_munge_filename($name, 'php txt'); - $this->assertSame("$prefix.php_.txt", $munged_name); - } - - /** - * Ensure that unmunge gets your name back. - */ - public function testUnMunge() { - $this->expectDeprecation('file_unmunge_filename() is deprecated in drupal:9.2.0 and is removed from drupal:10.0.0. Use str_replace() instead. See https://www.drupal.org/node/3032541'); - $munged_name = file_munge_filename($this->name, '', FALSE); - $unmunged_name = file_unmunge_filename($munged_name); - $this->assertSame($unmunged_name, $this->name, new FormattableMarkup('The unmunged (%unmunged) filename matches the original (%original)', ['%unmunged' => $unmunged_name, '%original' => $this->name])); - } - -}