list($path, $mimeType) = CRM_Core_BAO_File::path($fileId, $entityId);
}
else {
- if ($fileName !== basename($fileName)) {
+ if (!CRM_Utils_File::isValidFileName($fileName)) {
throw new CRM_Core_Exception("Malformed filename");
}
$mimeType = '';
return $iconClasses['*'];
}
+ /**
+ * Is the filename a safe and valid filename passed in from URL
+ *
+ * @param string $fileName
+ * @return bool
+ */
+ public static function isValidFileName($fileName = NULL) {
+ if ($fileName) {
+ $check = $fileName !== basename($fileName) ? FALSE : TRUE;
+ if ($check) {
+ if (substr($fileName, 0, 1) == '/' || substr($fileName, 0, 1) == '.' || substr($fileName, 0, 1) == DIRECTORY_SEPARATOR) {
+ $check = FALSE;
+ }
+ }
+ return $check;
+ }
+ return FALSE;
+ }
+
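Review bot: The basename() comparison and the first-character checks in isValidFileName do not reject a backslash, so on POSIX hosts (where basename() treats only `/` as a separator and DIRECTORY_SEPARATOR is also `/`) a name such as `'\helloworld.txt'` is reported valid; this is presumably why the matching data-provider case in the test hunk below had to be commented out. Rejecting either separator anywhere in the string is simpler and platform-independent: replace the nested checks with `if ($fileName !== basename($fileName) || strpbrk($fileName, '/\\') !== FALSE || substr($fileName, 0, 1) === '.') { return FALSE; }` followed by `return TRUE;`. That also removes the redundant `? FALSE : TRUE` and the loose `==` comparisons. Note that `if ($fileName)` treats the literal name `'0'` as invalid; `$fileName !== NULL && $fileName !== ''` is more precise if callers can pass such names.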
}
unlink($newFile);
}
+ public function fileNames() {
+ $cases = [];
+ $cases[] = ['helloworld.txt', TRUE];
+ $cases[] = ['../helloworld.txt', FALSE];
+ // Test case seems to be failing for a strange reason
+ // $cases[] = ['\helloworld.txt', FALSE];
+ $cases[] = ['.helloworld', FALSE];
+ $cases[] = ['smartwatch_1736683_1280_9af3657015e8660cc234eb1601da871.jpg', TRUE];
+ return $cases;
+ }
+
+ /**
+ * Test if the fileName is valid or not
+ * @dataProvider fileNames
+ * @param string $fileName
+ * @param bool $expectedResult
+ */
+ public function testFileNameValid($fileName, $expectedResult) {
+ $this->assertEquals($expectedResult, CRM_Utils_File::isValidFileName($fileName));
+ }
+
}
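Review bot: `assertEquals` in testFileNameValid compares loosely, so a non-bool return such as `1` or `''` would still pass even though the method under test documents `@return bool`; `$this->assertSame($expectedResult, CRM_Utils_File::isValidFileName($fileName));` pins the type as well as the value. The `fileNames()` provider has no docblock; a comment such as `/** Data provider for testFileNameValid: [fileName, expectedResult] pairs. @return array */` would make the shape of each case explicit. The commented-out backslash case with its "strange reason" note should either be re-enabled once the separator handling is addressed or carry a comment stating the known limitation, rather than being left unexplained. The enclosing test class starts outside the hunk.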