SA-CORE-2019-010 by larowlan, greggles, mlhess, kim.pepper, alexpott, dww, xjm, David_Rothstein

(cherry picked from commit 63efacbb63)

core/modules/file/file.module

@@ -992,7 +992,7 @@ function _file_save_upload_single(\SplFileInfo $file_info, $form_field_name, $va
   $values = [
     'uid' => $user->id(),
     'status' => 0,
-    'filename' => $file_info->getClientOriginalName(),
+    'filename' => trim($file_info->getClientOriginalName(), '.'),
     'uri' => $file_info->getRealPath(),
     'filesize' => $file_info->getSize(),
   ];

core/modules/file/tests/src/Functional/FileManagedFileElementTest.php

@@ -2,6 +2,8 @@
 
 namespace Drupal\Tests\file\Functional;
 
+use Drupal\file\Entity\File;
+
 /**
  * Tests the 'managed_file' element type.
  *
@@ -156,6 +158,21 @@ class FileManagedFileElementTest extends FileFieldTestBase {
     $this->assertRaw('The file referenced by the Managed <em>file &amp; butter</em> field does not exist.');
   }
 
+  /**
+   * Tests file names have leading . removed.
+   */
+  public function testFileNameTrim() {
+    file_put_contents('public://.leading-period.txt', $this->randomString(32));
+    $last_fid_prior = $this->getLastFileId();
+    $this->drupalPostForm('file/test/0/0/0', [
+      'files[file]' => \Drupal::service('file_system')->realpath('public://.leading-period.txt'),
+    ], t('Save'));
+    $next_fid = $this->getLastFileId();
+    $this->assertGreaterThan($last_fid_prior, $next_fid);
+    $file = File::load($next_fid);
+    $this->assertEquals('leading-period.txt', $file->getFilename());
+  }
+
   /**
    * Ensure a file entity can be saved when the file does not exist on disk.
    */