
protected function FileUploadResource::prepareFilename in Drupal 8

Same name and namespace in other branches
  - Drupal 9 branch: core/modules/file/src/Plugin/rest/resource/FileUploadResource.php \Drupal\file\Plugin\rest\resource\FileUploadResource::prepareFilename()
  - Drupal 10 branch: core/modules/file/src/Plugin/rest/resource/FileUploadResource.php \Drupal\file\Plugin\rest\resource\FileUploadResource::prepareFilename()

Prepares the filename to strip out any malicious extensions.

Parameters

string $filename: The file name.

array $validators: The array of upload validators.

Return value

string The prepared/munged filename.

1 call to FileUploadResource::prepareFilename()
FileUploadResource::post in core/modules/file/src/Plugin/rest/resource/FileUploadResource.php
Creates a file from an endpoint.

File

core/modules/file/src/Plugin/rest/resource/FileUploadResource.php, line 464

Class

FileUploadResource
File upload resource.

Namespace

Drupal\file\Plugin\rest\resource

Code

protected function prepareFilename($filename, array &$validators) {
  // Don't rename if 'allow_insecure_uploads' evaluates to TRUE.
  if (!$this->systemFileConfig->get('allow_insecure_uploads')) {
    if (!empty($validators['file_validate_extensions'][0])) {
      // If there is a file_validate_extensions validator and a list of
      // valid extensions, munge the filename to protect against possible
      // malicious extension hiding within an unknown file type. For example,
      // "filename.html.foo".
      $filename = file_munge_filename($filename, $validators['file_validate_extensions'][0]);
    }

    // Rename potentially executable files, to help prevent exploits (i.e.
    // will rename filename.php.foo and filename.php to filename._php._foo.txt
    // and filename._php.txt, respectively).
    if (preg_match(FILE_INSECURE_EXTENSION_REGEX, $filename)) {
      // If the file will be rejected anyway due to a disallowed extension, it
      // should not be renamed; rather, we'll let file_validate_extensions()
      // reject it below.
      $passes_validation = FALSE;
      if (!empty($validators['file_validate_extensions'][0])) {
        $file = File::create([]);
        $file->setFilename($filename);
        $passes_validation = empty(file_validate_extensions($file, $validators['file_validate_extensions'][0]));
      }
      if (empty($validators['file_validate_extensions'][0]) || $passes_validation) {
        if (substr($filename, -4) != '.txt') {
          // The destination filename will also later be used to create the URI.
          $filename .= '.txt';
        }
        $filename = file_munge_filename($filename, $validators['file_validate_extensions'][0] ?? '');

        // The .txt extension may not be in the allowed list of extensions. We
        // have to add it here or else the file upload will fail.
        if (!empty($validators['file_validate_extensions'][0])) {
          $validators['file_validate_extensions'][0] .= ' txt';
        }
      }
    }
  }
  return $filename;
}
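The decision path of the method above, as an added Python model that is not Drupal's own code: it reproduces prepareFilename() together with the two file.module helpers it relies on, file_munge_filename() and file_validate_extensions(), so the rename, skip and reject branches can be exercised on sample names. The regex value and the munge rule (an underscore appended to each disallowed intermediate extension, so "a.php.jpg" becomes "a.php_.jpg") are assumptions taken from Drupal 8's file.module and should be compared with the installed version.

```python
import re

# Added model of Drupal 8's prepareFilename() and the file.module helpers it
# calls; constructed for illustration, not Drupal's own code.

# Assumed value of FILE_INSECURE_EXTENSION_REGEX (Drupal 8 file.module).
INSECURE_EXTENSION_RE = re.compile(r"\.(phar|php|pl|py|cgi|asp|js)(\.|$)", re.I)


def munge_filename(filename, extensions):
    # Model of file_munge_filename(): every intermediate part that looks like
    # an extension and is not in the space-separated allowed list gets a
    # trailing underscore, so "a.php.jpg" becomes "a.php_.jpg".
    allowed = set(extensions.lower().split())
    parts = filename.replace("\0", "").split(".")
    if len(parts) < 2:
        return filename
    new_name = parts[0]
    for part in parts[1:-1]:
        new_name += "." + part
        if part.lower() not in allowed and re.fullmatch(r"[A-Za-z]{2,5}\d?", part):
            new_name += "_"
    return new_name + "." + parts[-1]


def passes_extension_validation(filename, extensions):
    # Model of file_validate_extensions(): only the final extension is checked.
    alternatives = "|".join(re.escape(e) for e in extensions.split())
    return re.search(r"\.(" + alternatives + r")$", filename, re.I) is not None


def prepare_filename(filename, validators, allow_insecure_uploads=False):
    # Returns (filename, validators); the PHP version mutates $validators
    # by reference instead.
    validators = {k: list(v) for k, v in validators.items()}
    if allow_insecure_uploads:
        return filename, validators
    ext_list = validators.get("file_validate_extensions", [""])[0]
    if ext_list:
        filename = munge_filename(filename, ext_list)
    if INSECURE_EXTENSION_RE.search(filename):
        passes = bool(ext_list) and passes_extension_validation(filename, ext_list)
        # A file that the extension validator will reject anyway is left alone.
        if not ext_list or passes:
            if not filename.endswith(".txt"):
                filename += ".txt"
            filename = munge_filename(filename, ext_list)
            if ext_list:
                validators["file_validate_extensions"][0] += " txt"
    return filename, validators
```

With an allowed list of "jpg png", "evil.php" is returned untouched so the validator can reject it, while "photo.php.jpg" comes back as "photo.php_.jpg"; with no extension validator, "script.php" becomes "script.php_.txt".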