protected function TemporaryJsonapiFileFieldUploader::prepareFilename in Drupal 8
Same name and namespace in other branches
- 9 core/modules/jsonapi/src/Controller/TemporaryJsonapiFileFieldUploader.php \Drupal\jsonapi\Controller\TemporaryJsonapiFileFieldUploader::prepareFilename()
Prepares the filename to strip out any malicious extensions.
Parameters
string $filename: The file name.
array $validators: The array of upload validators.
Return value
string The prepared/munged filename.
1 call to TemporaryJsonapiFileFieldUploader::prepareFilename()
- TemporaryJsonapiFileFieldUploader::handleFileUploadForField in core/modules/jsonapi/src/Controller/TemporaryJsonapiFileFieldUploader.php - Creates and validates a file entity for a file field from a file stream.
File
- core/modules/jsonapi/src/Controller/TemporaryJsonapiFileFieldUploader.php, line 382
Class
- TemporaryJsonapiFileFieldUploader
- Reads data from an upload stream and creates a corresponding file entity.
Namespace
Drupal\jsonapi\Controller
Code
protected function prepareFilename($filename, array &$validators) {
  // Don't rename if 'allow_insecure_uploads' evaluates to TRUE.
  if (!$this->systemFileConfig->get('allow_insecure_uploads')) {
    if (!empty($validators['file_validate_extensions'][0])) {
      // If there is a file_validate_extensions validator and a list of
      // valid extensions, munge the filename to protect against possible
      // malicious extension hiding within an unknown file type. For example,
      // "filename.html.foo".
      $filename = file_munge_filename($filename, $validators['file_validate_extensions'][0]);
    }
    // Rename potentially executable files, to help prevent exploits (i.e.
    // will rename filename.php.foo and filename.php to filename._php._foo.txt
    // and filename._php.txt, respectively).
    if (preg_match(FILE_INSECURE_EXTENSION_REGEX, $filename)) {
      // If the file will be rejected anyway due to a disallowed extension, it
      // should not be renamed; rather, we'll let file_validate_extensions()
      // reject it below.
      $passes_validation = FALSE;
      if (!empty($validators['file_validate_extensions'][0])) {
        $file = File::create([]);
        $file->setFilename($filename);
        $passes_validation = empty(file_validate_extensions($file, $validators['file_validate_extensions'][0]));
      }
      if (empty($validators['file_validate_extensions'][0]) || $passes_validation) {
        if (substr($filename, -4) != '.txt') {
          // The destination filename will also later be used to create the URI.
          $filename .= '.txt';
        }
        $filename = file_munge_filename($filename, $validators['file_validate_extensions'][0] ?? '');
        // The .txt extension may not be in the allowed list of extensions. We
        // have to add it here or else the file upload will fail.
        if (!empty($validators['file_validate_extensions'][0])) {
          $validators['file_validate_extensions'][0] .= ' txt';
        }
      }
    }
  }
  return $filename;
}
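
Added example, not part of Drupal core: a stand-alone PHP model of the control flow above, run over four constructed filenames to show which branch each one takes (munged only, renamed to .txt, or left unchanged for the extension validator to reject). INSECURE_RE, munge() and prepare() are hypothetical stand-ins written for this illustration. Their pattern, the position of the inserted underscore and the extension check are assumptions, not the bodies of FILE_INSECURE_EXTENSION_REGEX, file_munge_filename() or file_validate_extensions().

```php
<?php
// Added illustration: stand-alone model of prepareFilename()'s branches.
// INSECURE_RE and munge() are assumed stand-ins, not Drupal's own
// FILE_INSECURE_EXTENSION_REGEX or file_munge_filename().
const INSECURE_RE = '/\.(php|pl|py|cgi|asp|js)(\.|$)/i';

// Appends "_" to every inner dot-segment that looks like an extension
// and is not in the space-separated allow-list.
function munge(string $name, string $allowed): string {
  $allow = array_filter(explode(' ', strtolower(trim($allowed))));
  $parts = explode('.', str_replace("\0", '', $name));
  $out = array_shift($parts);
  $last = array_pop($parts);
  foreach ($parts as $p) {
    $out .= '.' . $p;
    if (!in_array(strtolower($p), $allow, TRUE) && preg_match('/^[a-z]{2,5}\d?$/i', $p)) {
      $out .= '_';
    }
  }
  return $last === NULL ? $out : $out . '.' . $last;
}

// Mirrors prepareFilename(): returns [stored name, effective allow-list].
function prepare(string $name, string $allowed): array {
  if ($allowed !== '') {
    $name = munge($name, $allowed);
  }
  if (preg_match(INSECURE_RE, $name)) {
    // Simplified extension check: final extension must be in the allow-list.
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    $passes = $allowed !== '' && in_array($ext, explode(' ', strtolower($allowed)), TRUE);
    if ($allowed === '' || $passes) {
      if (substr($name, -4) != '.txt') {
        $name .= '.txt';
      }
      $name = munge($name, $allowed);
      if ($allowed !== '') {
        $allowed .= ' txt';
      }
    }
  }
  return [$name, $allowed];
}

// Constructed sample inputs: [uploaded name, allowed extensions].
foreach ([['shell.php', ''], ['shell.php.jpg', 'jpg png'], ['tool.php', 'php'], ['shell.php', 'jpg png']] as [$n, $a]) {
  [$stored, $list] = prepare($n, $a);
  printf("%-14s allow=%-10s -> %s (allow now: '%s')\n", $n, "'$a'", $stored, $list);
}
```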