@@ -1151,8 +1151,8 @@ function file_unmanaged_move($source, $destination = NULL, $replace = FILE_EXIST
11511151 * exploit.php_.pps.
11521152 *
11531153 * Specifically, this function adds an underscore to all extensions that are
1154- * between 2 and 5 characters in length, internal to the file name, and not
1155- * included in $extensions.
1154+ * between 2 and 5 characters in length, internal to the file name, and either
1155+ * included in the list of unsafe extensions, or not included in $extensions.
11561156 *
11571157 * Function behavior is also controlled by the Drupal variable
11581158 * 'allow_insecure_uploads'. If 'allow_insecure_uploads' evaluates to TRUE, no
@@ -1161,7 +1161,8 @@ function file_unmanaged_move($source, $destination = NULL, $replace = FILE_EXIST
11611161 * @param $filename
11621162 * File name to modify.
11631163 * @param $extensions
1164- * A space-separated list of extensions that should not be altered.
1164+ * A space-separated list of extensions that should not be altered. Note that
1165+ * extensions that are unsafe will be altered regardless of this parameter.
11651166 * @param $alerts
11661167 * If TRUE, drupal_set_message() will be called to display a message if the
11671168 * file name was changed.
@@ -1179,6 +1180,10 @@ function file_munge_filename($filename, $extensions, $alerts = TRUE) {
11791180
11801181 $ whitelistarray_unique (explode (' ' , strtolower (trim ($ extensions
11811182
1183+ // Remove unsafe extensions from the list of allowed extensions. The list is
1184+ // copied from file_save_upload().
1185+ $ whitelistarray_diff ($ whitelistexplode ('| ' , 'php|phar|pl|py|cgi|asp|js ' ));
1186+
11821187 // Split the filename up by periods. The first part becomes the basename
11831188 // the last part the final extension.
11841189 $ filename_partsexplode ('. ' , $ filename
@@ -1546,25 +1551,35 @@ function file_save_upload($form_field_name, $validators = array(), $destination
15461551 $ validators'file_validate_extensions ' ][0 ] = $ extensions
15471552 }
15481553
1549- if (!empty ($ extensions
1550- // Munge the filename to protect against possible malicious extension hiding
1551- // within an unknown file type (ie: filename.html.foo).
1552- $ filefilename = file_munge_filename ($ filefilename , $ extensions
1553- }
1554-
1555- // Rename potentially executable files, to help prevent exploits (i.e. will
1556- // rename filename.php.foo and filename.php to filename.php.foo.txt and
1557- // filename.php.txt, respectively). Don't rename if 'allow_insecure_uploads'
1558- // evaluates to TRUE.
1559- if (!variable_get ('allow_insecure_uploads ' , 0 ) && preg_match ('/\.(php|phar|pl|py|cgi|asp|js)(\.|$)/i ' , $ filefilename ) && (substr ($ filefilename , -4 ) != '.txt ' )) {
1560- $ filefilemime = 'text/plain ' ;
1561- // The destination filename will also later be used to create the URI.
1562- $ filefilename .= '.txt ' ;
1563- // The .txt extension may not be in the allowed list of extensions. We have
1564- // to add it here or else the file upload will fail.
1554+ if (!variable_get ('allow_insecure_uploads ' , 0 )) {
15651555 if (!empty ($ extensions
1566- $ validators'file_validate_extensions ' ][0 ] .= ' txt ' ;
1567- drupal_set_message (t ('For security reasons, your upload has been renamed to %filename. ' , array ('%filename ' => $ filefilename )));
1556+ // Munge the filename to protect against possible malicious extension hiding
1557+ // within an unknown file type (ie: filename.html.foo).
1558+ $ filefilename = file_munge_filename ($ filefilename , $ extensions
1559+ }
1560+
1561+ // Rename potentially executable files, to help prevent exploits (i.e. will
1562+ // rename filename.php.foo and filename.php to filename.php_.foo_.txt and
1563+ // filename.php_.txt, respectively). Don't rename if 'allow_insecure_uploads'
1564+ // evaluates to TRUE.
1565+ if (preg_match ('/\.(php|phar|pl|py|cgi|asp|js)(\.|$)/i ' , $ filefilename )) {
1566+ // If the file will be rejected anyway due to a disallowed extension, it
1567+ // should not be renamed; rather, we'll let file_validate_extensions()
1568+ // reject it below.
1569+ if (!isset ($ validators'file_validate_extensions ' ]) || !file_validate_extensions ($ file$ extensions
1570+ $ filefilemime = 'text/plain ' ;
1571+ if (substr ($ filefilename , -4 ) != '.txt ' ) {
1572+ // The destination filename will also later be used to create the URI.
1573+ $ filefilename .= '.txt ' ;
1574+ }
1575+ $ filefilename = file_munge_filename ($ filefilename , $ extensionsFALSE );
1576+ drupal_set_message (t ('For security reasons, your upload has been renamed to %filename. ' , array ('%filename ' => $ filefilename )));
1577+ // The .txt extension may not be in the allowed list of extensions. We have
1578+ // to add it here or else the file upload will fail.
1579+ if (!empty ($ validators'file_validate_extensions ' ][0 ])) {
1580+ $ validators'file_validate_extensions ' ][0 ] .= ' txt ' ;
1581+ }
1582+ }
15681583 }
15691584 }
15701585
@@ -1732,7 +1747,18 @@ function file_validate(stdClass &$file, $validators = array()) {
17321747 }
17331748
17341749 // Let other modules perform validation on the new file.
1735- return array_merge ($ errorsmodule_invoke_all ('file_validate ' , $ file
1750+ $ errorsarray_merge ($ errorsmodule_invoke_all ('file_validate ' , $ file
1751+
1752+ // Ensure the file does not contain a malicious extension. At this point
1753+ // file_save_upload() will have munged the file so it does not contain a
1754+ // malicious extension. Contributed and custom code that calls this method
1755+ // needs to take similar steps if they need to permit files with malicious
1756+ // extensions to be uploaded.
1757+ if (empty ($ errorsvariable_get ('allow_insecure_uploads ' , 0 ) && preg_match ('/\.(php|phar|pl|py|cgi|asp|js)(\.|$)/i ' , $ filefilename )) {
1758+ $ errorst ('For security reasons, your upload has been rejected. ' );
1759+ }
1760+
1761+ return $ errors
17361762}
17371763
17381764/**
0 commit comments