function TemporaryJsonapiFileFieldUploader::prepareFilename

Same name in other branches
  1. 9 core/modules/jsonapi/src/Controller/TemporaryJsonapiFileFieldUploader.php \Drupal\jsonapi\Controller\TemporaryJsonapiFileFieldUploader::prepareFilename()
  2. 10 core/modules/jsonapi/src/Controller/TemporaryJsonapiFileFieldUploader.php \Drupal\jsonapi\Controller\TemporaryJsonapiFileFieldUploader::prepareFilename()
  3. 11.x core/modules/jsonapi/src/Controller/TemporaryJsonapiFileFieldUploader.php \Drupal\jsonapi\Controller\TemporaryJsonapiFileFieldUploader::prepareFilename()

Prepares the filename to strip out any malicious extensions.

Parameters

string $filename: The file name.

array $validators: The array of upload validators.

Return value

string The prepared/munged filename.

1 call to TemporaryJsonapiFileFieldUploader::prepareFilename()
TemporaryJsonapiFileFieldUploader::handleFileUploadForField in core/modules/jsonapi/src/Controller/TemporaryJsonapiFileFieldUploader.php
Creates and validates a file entity for a file field from a file stream.

File

core/modules/jsonapi/src/Controller/TemporaryJsonapiFileFieldUploader.php, line 417

Class

TemporaryJsonapiFileFieldUploader
Reads data from an upload stream and creates a corresponding file entity.

Namespace

Drupal\jsonapi\Controller

Code

protected function prepareFilename($filename, array &$validators) {
    //  Don't rename if 'allow_insecure_uploads' evaluates to TRUE.
    if (!$this->systemFileConfig
        ->get('allow_insecure_uploads')) {
        if (!empty($validators['file_validate_extensions'][0])) {
            // If there is a file_validate_extensions validator and a list of
            // valid extensions, munge the filename to protect against possible
            // malicious extension hiding within an unknown file type. For example,
            // "filename.html.foo".
            $filename = file_munge_filename($filename, $validators['file_validate_extensions'][0]);
        }
        // Rename potentially executable files, to help prevent exploits (i.e.
        // will rename filename.php.foo and filename.php to filename._php._foo.txt
        // and filename._php.txt, respectively).
        if (preg_match(FILE_INSECURE_EXTENSION_REGEX, $filename)) {
            // If the file will be rejected anyway due to a disallowed extension, it
            // should not be renamed; rather, we'll let file_validate_extensions()
            // reject it below.
            $passes_validation = FALSE;
            if (!empty($validators['file_validate_extensions'][0])) {
                $file = File::create([]);
                $file->setFilename($filename);
                $passes_validation = empty(file_validate_extensions($file, $validators['file_validate_extensions'][0]));
            }
            if (empty($validators['file_validate_extensions'][0]) || $passes_validation) {
                if (substr($filename, -4) != '.txt') {
                    // The destination filename will also later be used to create the URI.
                    $filename .= '.txt';
                }
                $filename = file_munge_filename($filename, $validators['file_validate_extensions'][0] ?? '');
                // The .txt extension may not be in the allowed list of extensions. We
                // have to add it here or else the file upload will fail.
                if (!empty($validators['file_validate_extensions'][0])) {
                    $validators['file_validate_extensions'][0] .= ' txt';
                }
            }
        }
    }
    return $filename;
}

Buggy or inaccurate documentation? Please file an issue. Need support? Need help programming? Connect with the Drupal community.