
Révision cee0424c

Ajouté par Assos Assos il y a plus de 3 ans

-a


drupal7/includes/file.inc
1147 1147
 * exploit.php_.pps.
1148 1148
 *
1149 1149
 * Specifically, this function adds an underscore to all extensions that are
1150
 * between 2 and 5 characters in length, internal to the file name, and not
1151
 * included in $extensions.
1150
 * between 2 and 5 characters in length, internal to the file name, and either
1151
 * included in the list of unsafe extensions, or not included in $extensions.
1152 1152
 *
1153 1153
 * Function behavior is also controlled by the Drupal variable
1154 1154
 * 'allow_insecure_uploads'. If 'allow_insecure_uploads' evaluates to TRUE, no
......
1157 1157
 * @param $filename
1158 1158
 *   File name to modify.
1159 1159
 * @param $extensions
1160
 *   A space-separated list of extensions that should not be altered.
1160
 *   A space-separated list of extensions that should not be altered. Note that
1161
 *   extensions that are unsafe will be altered regardless of this parameter.
1161 1162
 * @param $alerts
1162 1163
 *   If TRUE, drupal_set_message() will be called to display a message if the
1163 1164
 *   file name was changed.
......
1175 1176

  
1176 1177
    $whitelist = array_unique(explode(' ', strtolower(trim($extensions))));
1177 1178

  
1179
    // Remove unsafe extensions from the list of allowed extensions. The list is
1180
    // copied from file_save_upload().
1181
    $whitelist = array_diff($whitelist, explode('|', 'php|phar|pl|py|cgi|asp|js'));
1182

  
1178 1183
    // Split the filename up by periods. The first part becomes the basename
1179 1184
    // the last part the final extension.
1180 1185
    $filename_parts = explode('.', $filename);
......
1542 1547
    $validators['file_validate_extensions'][0] = $extensions;
1543 1548
  }
1544 1549

  
1545
  if (!empty($extensions)) {
1546
    // Munge the filename to protect against possible malicious extension hiding
1547
    // within an unknown file type (ie: filename.html.foo).
1548
    $file->filename = file_munge_filename($file->filename, $extensions);
1549
  }
1550

  
1551
  // Rename potentially executable files, to help prevent exploits (i.e. will
1552
  // rename filename.php.foo and filename.php to filename.php.foo.txt and
1553
  // filename.php.txt, respectively). Don't rename if 'allow_insecure_uploads'
1554
  // evaluates to TRUE.
1555
  if (!variable_get('allow_insecure_uploads', 0) && preg_match('/\.(php|phar|pl|py|cgi|asp|js)(\.|$)/i', $file->filename) && (substr($file->filename, -4) != '.txt')) {
1556
    $file->filemime = 'text/plain';
1557
    // The destination filename will also later be used to create the URI.
1558
    $file->filename .= '.txt';
1559
    // The .txt extension may not be in the allowed list of extensions. We have
1560
    // to add it here or else the file upload will fail.
1550
  if (!variable_get('allow_insecure_uploads', 0)) {
1561 1551
    if (!empty($extensions)) {
1562
      $validators['file_validate_extensions'][0] .= ' txt';
1563
      drupal_set_message(t('For security reasons, your upload has been renamed to %filename.', array('%filename' => $file->filename)));
1552
      // Munge the filename to protect against possible malicious extension hiding
1553
      // within an unknown file type (ie: filename.html.foo).
1554
      $file->filename = file_munge_filename($file->filename, $extensions);
1555
    }
1556

  
1557
    // Rename potentially executable files, to help prevent exploits (i.e. will
1558
    // rename filename.php.foo and filename.php to filename.php_.foo_.txt and
1559
    // filename.php_.txt, respectively). Don't rename if 'allow_insecure_uploads'
1560
    // evaluates to TRUE.
1561
    if (preg_match('/\.(php|phar|pl|py|cgi|asp|js)(\.|$)/i', $file->filename)) {
1562
      // If the file will be rejected anyway due to a disallowed extension, it
1563
      // should not be renamed; rather, we'll let file_validate_extensions()
1564
      // reject it below.
1565
      if (!isset($validators['file_validate_extensions']) || !file_validate_extensions($file, $extensions)) {
1566
        $file->filemime = 'text/plain';
1567
        if (substr($file->filename, -4) != '.txt') {
1568
          // The destination filename will also later be used to create the URI.
1569
          $file->filename .= '.txt';
1570
        }
1571
        $file->filename = file_munge_filename($file->filename, $extensions, FALSE);
1572
        drupal_set_message(t('For security reasons, your upload has been renamed to %filename.', array('%filename' => $file->filename)));
1573
        // The .txt extension may not be in the allowed list of extensions. We have
1574
        // to add it here or else the file upload will fail.
1575
        if (!empty($validators['file_validate_extensions'][0])) {
1576
          $validators['file_validate_extensions'][0] .= ' txt';
1577
        }
1578
      }
1564 1579
    }
1565 1580
  }
1566 1581

  
......
1728 1743
  }
1729 1744

  
1730 1745
  // Let other modules perform validation on the new file.
1731
  return array_merge($errors, module_invoke_all('file_validate', $file));
1746
  $errors = array_merge($errors, module_invoke_all('file_validate', $file));
1747

  
1748
  // Ensure the file does not contain a malicious extension. At this point
1749
  // file_save_upload() will have munged the file so it does not contain a
1750
  // malicious extension. Contributed and custom code that calls this method
1751
  // needs to take similar steps if they need to permit files with malicious
1752
  // extensions to be uploaded.
1753
  if (empty($errors) && !variable_get('allow_insecure_uploads', 0) && preg_match('/\.(php|phar|pl|py|cgi|asp|js)(\.|$)/i', $file->filename)) {
1754
    $errors[] = t('For security reasons, your upload has been rejected.');
1755
  }
1756

  
1757
  return $errors;
1732 1758
}
1733 1759

  
1734 1760
/**
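Review bot: The unsafe-extension list `php|phar|pl|py|cgi|asp|js` now appears three times in this file — as the array_diff source in file_munge_filename (new line 1181), the preg_match in file_save_upload (new line 1561) and the preg_match in file_validate (new line 1753) — so a future addition to one copy silently leaves the others stale and the munge, rename and reject steps stop agreeing on what counts as dangerous. Hoisting it into one definition, e.g. `define('FILE_INSECURE_EXTENSIONS', 'php|phar|pl|py|cgi|asp|js');` near the top of file.inc and building both the array_diff list and the two regexes from it, keeps the three checks in step. The `!file_validate_extensions($file, $extensions)` test on new line 1565 relies on an empty error array being falsy, which reads as "invalid" at first glance; a comment such as `// file_validate_extensions() returns an empty array when the name passes, so this branch renames only files the whitelist would otherwise accept.` would make the intent explicit. The enclosing functions file_save_upload and file_validate start outside this section, so the surrounding control flow is inferred from the visible hunks only.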
