protected function FileUploadResource::prepareFilename in Drupal 8
Same name and namespace in other branches
- 9 core/modules/file/src/Plugin/rest/resource/FileUploadResource.php \Drupal\file\Plugin\rest\resource\FileUploadResource::prepareFilename()
- 10 core/modules/file/src/Plugin/rest/resource/FileUploadResource.php \Drupal\file\Plugin\rest\resource\FileUploadResource::prepareFilename()
Prepares the filename to strip out any malicious extensions.
Parameters
string $filename: The file name.
array $validators: The array of upload validators.
Return value
string The prepared/munged filename.
1 call to FileUploadResource::prepareFilename()
- FileUploadResource::post in core/modules/file/src/Plugin/rest/resource/FileUploadResource.php - Creates a file from an endpoint.
File
- core/modules/file/src/Plugin/rest/resource/FileUploadResource.php, line 464
Class
- FileUploadResource
- File upload resource.
Namespace
Drupal\file\Plugin\rest\resource
Code
protected function prepareFilename($filename, array &$validators) {
  // Don't rename if 'allow_insecure_uploads' evaluates to TRUE.
  if (!$this->systemFileConfig->get('allow_insecure_uploads')) {
    if (!empty($validators['file_validate_extensions'][0])) {
      // If there is a file_validate_extensions validator and a list of
      // valid extensions, munge the filename to protect against possible
      // malicious extension hiding within an unknown file type. For example,
      // "filename.html.foo".
      $filename = file_munge_filename($filename, $validators['file_validate_extensions'][0]);
    }
    // Rename potentially executable files, to help prevent exploits (i.e.
    // will rename filename.php.foo and filename.php to filename._php._foo.txt
    // and filename._php.txt, respectively).
    if (preg_match(FILE_INSECURE_EXTENSION_REGEX, $filename)) {
      // If the file will be rejected anyway due to a disallowed extension, it
      // should not be renamed; rather, we'll let file_validate_extensions()
      // reject it below.
      $passes_validation = FALSE;
      if (!empty($validators['file_validate_extensions'][0])) {
        $file = File::create([]);
        $file->setFilename($filename);
        $passes_validation = empty(file_validate_extensions($file, $validators['file_validate_extensions'][0]));
      }
      if (empty($validators['file_validate_extensions'][0]) || $passes_validation) {
        if (substr($filename, -4) != '.txt') {
          // The destination filename will also later be used to create the URI.
          $filename .= '.txt';
        }
        $filename = file_munge_filename($filename, $validators['file_validate_extensions'][0] ?? '');
        // The .txt extension may not be in the allowed list of extensions. We
        // have to add it here or else the file upload will fail.
        if (!empty($validators['file_validate_extensions'][0])) {
          $validators['file_validate_extensions'][0] .= ' txt';
        }
      }
    }
  }
  return $filename;
}
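The decision flow of prepareFilename() applied to a few upload names, as an added standalone sketch that is not Drupal core code. DEMO_INSECURE_REGEX, demo_munge(), demo_extension_ok() and demo_prepare() are hypothetical stand-ins for FILE_INSECURE_EXTENSION_REGEX, file_munge_filename(), file_validate_extensions() and prepareFilename(); the regex value is an assumption, and the exact munged names printed come from the stand-ins rather than from core.

```php
<?php
// ASSUMPTION: stand-in pattern for FILE_INSECURE_EXTENSION_REGEX (not core's).
const DEMO_INSECURE_REGEX = '/\.(php|pl|py|cgi|asp|js)(\.|$)/i';

// Simplified stand-in for file_munge_filename(): appends "_" to each inner
// part that looks like an extension and is not in the allow list.
function demo_munge(string $filename, string $allowed): string {
  $allow = array_filter(explode(' ', strtolower(trim($allowed))));
  $parts = explode('.', str_replace("\0", '', $filename));
  $name = array_shift($parts);
  $final = array_pop($parts);
  foreach ($parts as $part) {
    $name .= '.' . $part;
    if (!in_array(strtolower($part), $allow, TRUE) && preg_match('/^[a-zA-Z]{2,5}\d?$/', $part)) {
      $name .= '_';
    }
  }
  return $final === NULL ? $name : $name . '.' . $final;
}

// Stand-in for file_validate_extensions(): is the final extension allowed?
function demo_extension_ok(string $filename, string $allowed): bool {
  $alternatives = preg_replace('/ +/', '|', preg_quote(trim($allowed), '/'));
  return (bool) preg_match('/\.(' . $alternatives . ')$/i', $filename);
}

// Control flow of prepareFilename() with 'allow_insecure_uploads' FALSE.
function demo_prepare(string $filename, string &$allowed): string {
  if ($allowed !== '') {
    $filename = demo_munge($filename, $allowed);
  }
  if (preg_match(DEMO_INSECURE_REGEX, $filename) && ($allowed === '' || demo_extension_ok($filename, $allowed))) {
    if (substr($filename, -4) != '.txt') {
      $filename .= '.txt';
    }
    $filename = demo_munge($filename, $allowed);
    if ($allowed !== '') {
      // Mirrors the by-reference change to the validator's extension list.
      $allowed .= ' txt';
    }
  }
  return $filename;
}

// Constructed sample inputs: [uploaded name, allowed extensions].
$samples = [['shell.php', ''], ['shell.php.foo', 'foo'], ['page.html.foo', 'foo'], ['shell.php', 'jpg png'], ['run.php', 'php txt']];
foreach ($samples as [$name, $allowed]) {
  $result = demo_prepare($name, $allowed);
  printf("%-14s => %-16s (allow list now '%s')\n", $name, $result, $allowed);
}
```

The `['shell.php', 'jpg png']` case comes back unchanged: the name matches the insecure pattern but fails the extension check, so it is left for the extension validator to reject instead of being renamed to `.txt`.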