Drupal
/
drupal
mirror of https://git.drupalcode.org/project/drupal.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Issue #2112247 by sihv, mitsuroseba, dgroene, aalamaki, Dennis Walgaard, mErilainen: Fixed Valid file extensions in file names are not properly enforced when uploading files with non-lowercase names.

merge-requests/26/head
David Rothstein 2014-11-03 10:11:56 -05:00
parent 0b4c3b17e2
commit c401ec33e8
2 changed files with 10 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
includes/file.inc
View File

@ -1152,7 +1152,7 @@ function file_munge_filename($filename, $extensions, $alerts = TRUE) {
// Remove any null bytes. See http://php.net/manual/security.filesystem.nullbytes.php
$filename = str_replace(chr(0), '', $filename);
$whitelist = array_unique(explode(' ', trim($extensions)));
$whitelist = array_unique(explode(' ', strtolower(trim($extensions))));
// Split the filename up by periods. The first part becomes the basename
// the last part the final extension.
@ -1165,7 +1165,7 @@ function file_munge_filename($filename, $extensions, $alerts = TRUE) {
// of allowed extensions.
foreach ($filename_parts as $filename_part) {
$new_filename .= '.' . $filename_part;
if (!in_array($filename_part, $whitelist) && preg_match("/^[a-zA-Z]{2,5}\d?$/", $filename_part)) {
if (!in_array(strtolower($filename_part), $whitelist) && preg_match("/^[a-zA-Z]{2,5}\d?$/", $filename_part)) {
$new_filename .= '_';
}
}

11
modules/simpletest/tests/file.test
View File

@ -2556,6 +2556,7 @@ class FileNameMungingTest extends FileTestCase {
parent::setUp();
$this->bad_extension = 'php';
$this->name = $this->randomName() . '.' . $this->bad_extension . '.txt';
$this->name_with_uc_ext = $this->randomName() . '.' . strtoupper($this->bad_extension) . '.txt';
}
/**
@ -2593,9 +2594,13 @@ class FileNameMungingTest extends FileTestCase {
* White listed extensions are ignored by file_munge_filename().
*/
function testMungeIgnoreWhitelisted() {
// Declare our extension as whitelisted.
$munged_name = file_munge_filename($this->name, $this->bad_extension);
$this->assertIdentical($munged_name, $this->name, format_string('The new filename (%munged) matches the original (%original) once the extension has been whitelisted.', array('%munged' => $munged_name, '%original' => $this->name)));
// Declare our extension as whitelisted. The declared extensions should
// be case insensitive so test using one with a different case.
$munged_name = file_munge_filename($this->name_with_uc_ext, $this->bad_extension);
$this->assertIdentical($munged_name, $this->name_with_uc_ext, format_string('The new filename (%munged) matches the original (%original) once the extension has been whitelisted.', array('%munged' => $munged_name, '%original' => $this->name_with_uc_ext)));
// The allowed extensions should also be normalized.
$munged_name = file_munge_filename($this->name, strtoupper($this->bad_extension));
$this->assertIdentical($munged_name, $this->name, format_string('The new filename (%munged) matches the original (%original) also when the whitelisted extension is in uppercase.', array('%munged' => $munged_name, '%original' => $this->name)));
}
/**