Révision cee0424c
Ajouté par Assos Assos il y a plus de 3 ans
drupal7/includes/file.inc | ||
---|---|---|
1147 | 1147 |
* exploit.php_.pps. |
1148 | 1148 |
* |
1149 | 1149 |
* Specifically, this function adds an underscore to all extensions that are |
1150 |
* between 2 and 5 characters in length, internal to the file name, and not
|
|
1151 |
* included in $extensions. |
|
1150 |
* between 2 and 5 characters in length, internal to the file name, and either
|
|
1151 |
* included in the list of unsafe extensions, or not included in $extensions.
|
|
1152 | 1152 |
* |
1153 | 1153 |
* Function behavior is also controlled by the Drupal variable |
1154 | 1154 |
* 'allow_insecure_uploads'. If 'allow_insecure_uploads' evaluates to TRUE, no |
... | ... | |
1157 | 1157 |
* @param $filename |
1158 | 1158 |
* File name to modify. |
1159 | 1159 |
* @param $extensions |
1160 |
* A space-separated list of extensions that should not be altered. |
|
1160 |
* A space-separated list of extensions that should not be altered. Note that |
|
1161 |
* extensions that are unsafe will be altered regardless of this parameter. |
|
1161 | 1162 |
* @param $alerts |
1162 | 1163 |
* If TRUE, drupal_set_message() will be called to display a message if the |
1163 | 1164 |
* file name was changed. |
... | ... | |
1175 | 1176 |
|
1176 | 1177 |
$whitelist = array_unique(explode(' ', strtolower(trim($extensions)))); |
1177 | 1178 |
|
1179 |
// Remove unsafe extensions from the list of allowed extensions. The list is |
|
1180 |
// copied from file_save_upload(). |
|
1181 |
$whitelist = array_diff($whitelist, explode('|', 'php|phar|pl|py|cgi|asp|js')); |
|
1182 |
|
|
1178 | 1183 |
// Split the filename up by periods. The first part becomes the basename |
1179 | 1184 |
// the last part the final extension. |
1180 | 1185 |
$filename_parts = explode('.', $filename); |
... | ... | |
1542 | 1547 |
$validators['file_validate_extensions'][0] = $extensions; |
1543 | 1548 |
} |
1544 | 1549 |
|
1545 |
if (!empty($extensions)) { |
|
1546 |
// Munge the filename to protect against possible malicious extension hiding |
|
1547 |
// within an unknown file type (ie: filename.html.foo). |
|
1548 |
$file->filename = file_munge_filename($file->filename, $extensions); |
|
1549 |
} |
|
1550 |
|
|
1551 |
// Rename potentially executable files, to help prevent exploits (i.e. will |
|
1552 |
// rename filename.php.foo and filename.php to filename.php.foo.txt and |
|
1553 |
// filename.php.txt, respectively). Don't rename if 'allow_insecure_uploads' |
|
1554 |
// evaluates to TRUE. |
|
1555 |
if (!variable_get('allow_insecure_uploads', 0) && preg_match('/\.(php|phar|pl|py|cgi|asp|js)(\.|$)/i', $file->filename) && (substr($file->filename, -4) != '.txt')) { |
|
1556 |
$file->filemime = 'text/plain'; |
|
1557 |
// The destination filename will also later be used to create the URI. |
|
1558 |
$file->filename .= '.txt'; |
|
1559 |
// The .txt extension may not be in the allowed list of extensions. We have |
|
1560 |
// to add it here or else the file upload will fail. |
|
1550 |
if (!variable_get('allow_insecure_uploads', 0)) { |
|
1561 | 1551 |
if (!empty($extensions)) { |
1562 |
$validators['file_validate_extensions'][0] .= ' txt'; |
|
1563 |
drupal_set_message(t('For security reasons, your upload has been renamed to %filename.', array('%filename' => $file->filename))); |
|
1552 |
// Munge the filename to protect against possible malicious extension hiding |
|
1553 |
// within an unknown file type (ie: filename.html.foo). |
|
1554 |
$file->filename = file_munge_filename($file->filename, $extensions); |
|
1555 |
} |
|
1556 |
|
|
1557 |
// Rename potentially executable files, to help prevent exploits (i.e. will |
|
1558 |
// rename filename.php.foo and filename.php to filename.php_.foo_.txt and |
|
1559 |
// filename.php_.txt, respectively). Don't rename if 'allow_insecure_uploads' |
|
1560 |
// evaluates to TRUE. |
|
1561 |
if (preg_match('/\.(php|phar|pl|py|cgi|asp|js)(\.|$)/i', $file->filename)) { |
|
1562 |
// If the file will be rejected anyway due to a disallowed extension, it |
|
1563 |
// should not be renamed; rather, we'll let file_validate_extensions() |
|
1564 |
// reject it below. |
|
1565 |
if (!isset($validators['file_validate_extensions']) || !file_validate_extensions($file, $extensions)) { |
|
1566 |
$file->filemime = 'text/plain'; |
|
1567 |
if (substr($file->filename, -4) != '.txt') { |
|
1568 |
// The destination filename will also later be used to create the URI. |
|
1569 |
$file->filename .= '.txt'; |
|
1570 |
} |
|
1571 |
$file->filename = file_munge_filename($file->filename, $extensions, FALSE); |
|
1572 |
drupal_set_message(t('For security reasons, your upload has been renamed to %filename.', array('%filename' => $file->filename))); |
|
1573 |
// The .txt extension may not be in the allowed list of extensions. We have |
|
1574 |
// to add it here or else the file upload will fail. |
|
1575 |
if (!empty($validators['file_validate_extensions'][0])) { |
|
1576 |
$validators['file_validate_extensions'][0] .= ' txt'; |
|
1577 |
} |
|
1578 |
} |
|
1564 | 1579 |
} |
1565 | 1580 |
} |
1566 | 1581 |
|
... | ... | |
1728 | 1743 |
} |
1729 | 1744 |
|
1730 | 1745 |
// Let other modules perform validation on the new file. |
1731 |
return array_merge($errors, module_invoke_all('file_validate', $file)); |
|
1746 |
$errors = array_merge($errors, module_invoke_all('file_validate', $file)); |
|
1747 |
|
|
1748 |
// Ensure the file does not contain a malicious extension. At this point |
|
1749 |
// file_save_upload() will have munged the file so it does not contain a |
|
1750 |
// malicious extension. Contributed and custom code that calls this method |
|
1751 |
// needs to take similar steps if they need to permit files with malicious |
|
1752 |
// extensions to be uploaded. |
|
1753 |
if (empty($errors) && !variable_get('allow_insecure_uploads', 0) && preg_match('/\.(php|phar|pl|py|cgi|asp|js)(\.|$)/i', $file->filename)) { |
|
1754 |
$errors[] = t('For security reasons, your upload has been rejected.'); |
|
1755 |
} |
|
1756 |
|
|
1757 |
return $errors; |
|
1732 | 1758 |
} |
1733 | 1759 |
|
1734 | 1760 |
/** |
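Review bot: The unsafe-extension list `php|phar|pl|py|cgi|asp|js` is now hard-coded three times in this change — in file_munge_filename (new line 1181, whose own comment says it is copied from file_save_upload()), in the file_save_upload preg_match (new line 1561) and in the file_validate preg_match (new line 1753) — so any future addition to the list has to be made in three places, and a miss in one of them reopens the gap this commit closes. A single definition would keep them in step, e.g. a constant such as `define('FILE_INSECURE_EXTENSIONS', 'php|phar|pl|py|cgi|asp|js');` (placeholder name, constructed example) used as `array_diff($whitelist, explode('|', FILE_INSECURE_EXTENSIONS))` in the munge and interpolated into the two regexes. The comment at new lines 1179–1180 could then name the constant instead of pointing at file_save_upload(). All three enclosing functions start and end outside this section.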