[BUGFIX] Unify the filename sanitation for upload, create, rename 89/56089/6
authorWolfgang Klinger <wolfgang@wazum.com>
Fri, 9 Mar 2018 22:40:40 +0000 (23:40 +0100)
committerAndreas Wolf <andreas.wolf@typo3.org>
Sun, 18 Mar 2018 11:51:54 +0000 (12:51 +0100)
isValidFilename allows other characters in file names
than sanitizeFileName. This patch sanitizes new file
names automatically (like it’s done for uploads) and
adds a warning for the user about the invalid original
file name for upload, create and rename.

Resolves: #84178
Releases: master, 8.7
Change-Id: I8f5ff6a0c601f0227c40fe7b401eeb15159b29a6
Reviewed-on: https://review.typo3.org/56089
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Tested-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Reviewed-by: Mathias Brodala <mbrodala@pagemachine.de>
Tested-by: Mathias Brodala <mbrodala@pagemachine.de>
Reviewed-by: Frans Saris <franssaris@gmail.com>
Reviewed-by: Andreas Wolf <andreas.wolf@typo3.org>
Tested-by: Andreas Wolf <andreas.wolf@typo3.org>
typo3/sysext/core/Classes/Resource/Driver/LocalDriver.php
typo3/sysext/core/Classes/Utility/File/ExtendedFileUtility.php
typo3/sysext/core/Resources/Private/Language/fileMessages.xlf

index 7a62d3a..f816aae 100644 (file)
@@ -1299,20 +1299,14 @@ class LocalDriver extends AbstractHierarchicalFilesystemDriver
      * @param string $fileName
      * @param string $parentFolderIdentifier
      * @return string
-     * @throws Exception\InvalidFileNameException
      * @throws \RuntimeException
      */
     public function createFile($fileName, $parentFolderIdentifier)
     {
-        if (!$this->isValidFilename($fileName)) {
-            throw new Exception\InvalidFileNameException(
-                'Invalid characters in fileName "' . $fileName . '"',
-                1320572272
-            );
-        }
+        $fileName = $this->sanitizeFileName(ltrim($fileName, '/'));
         $parentFolderIdentifier = $this->canonicalizeAndCheckFolderIdentifier($parentFolderIdentifier);
         $fileIdentifier = $this->canonicalizeAndCheckFileIdentifier(
-            $parentFolderIdentifier . $this->sanitizeFileName(ltrim($fileName, '/'))
+            $parentFolderIdentifier . $fileName
         );
         $absoluteFilePath = $this->getAbsolutePath($fileIdentifier);
         $result = touch($absoluteFilePath);
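Review bot: The file is now created under the sanitized name, so any extension or deny-pattern check that ran on the caller's `$fileName` before this method no longer describes what `touch()` writes. That caller is outside this hunk, so confirm those checks are also applied to the result of `sanitizeFileName()`. The dropped `@throws Exception\InvalidFileNameException` is only correct if `sanitizeFileName()` can never raise it (its body is not shown here); if it can, for instance for a name that sanitizes to nothing, keep the tag. A short comment above the new line would help: `// Sanitize instead of rejecting; the created name may differ from the requested one.` createFile's body continues past the end of the hunk.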
index 64235d5..59766fb 100644 (file)
@@ -824,8 +824,13 @@ class ExtendedFileUtility extends BasicFileUtility
             try {
                 // Try to rename the File
                 $resultObject = $sourceFileObject->rename($targetFile, $this->existingFilesConflictMode);
-                $this->writeLog(5, 0, 1, 'File renamed from "%s" to "%s"', [$sourceFile, $targetFile]);
-                if ($sourceFile === $targetFile) {
+                if ($resultObject->getName() !== $targetFile) {
+                    $this->writeLog(5, 1, 1, 'File renamed from "%s" to "%s". Filename had to be sanitized!', [$sourceFile, $targetFile]);
+                    $this->addMessageToFlashMessageQueue('FileUtility.FileNameSanitized', [$targetFile, $resultObject->getName()], FlashMessage::WARNING);
+                } else {
+                    $this->writeLog(5, 0, 1, 'File renamed from "%s" to "%s"', [$sourceFile, $targetFile]);
+                }
+                if ($sourceFile === $resultObject->getName()) {
                     $this->addMessageToFlashMessageQueue('FileUtility.FileRenamedSameName', [$sourceFile], FlashMessage::INFO);
                 } else {
                     $this->addMessageToFlashMessageQueue('FileUtility.FileRenamedFromTo', [$sourceFile, $resultObject->getName()], FlashMessage::OK);
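Review bot: In the sanitized branch the log entry is written with `[$sourceFile, $targetFile]`, so the audit trail records the requested name rather than the name that now exists on disk; use `[$sourceFile, $resultObject->getName()]`, or log both. The same gap is in the create hunk, where `'File created: "%s"'` still logs `$fileName` and sanitation is not logged at all, and in the upload hunk, where `'Uploading file "%s" to "%s"'` logs `$fileInfo['name']`. Separately, `$resultObject->getName() !== $targetFile` is presumably also true when `$this->existingFilesConflictMode` makes the storage pick a different name, in which case the user is told the name was invalid when it was not. The surrounding try block starts and ends outside the hunk.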
@@ -939,7 +944,10 @@ class ExtendedFileUtility extends BasicFileUtility
         try {
             $resultObject = $targetFolderObject->createFile($fileName);
             $this->writeLog(8, 0, 1, 'File created: "%s"', [$fileName]);
-            $this->addMessageToFlashMessageQueue('FileUtility.FileCreated', [$fileName], FlashMessage::OK);
+            if ($resultObject->getName() !== $fileName) {
+                $this->addMessageToFlashMessageQueue('FileUtility.FileNameSanitized', [$fileName, $resultObject->getName()], FlashMessage::WARNING);
+            }
+            $this->addMessageToFlashMessageQueue('FileUtility.FileCreated', [$resultObject->getName()], FlashMessage::OK);
         } catch (IllegalFileExtensionException $e) {
             $this->writeLog(8, 1, 106, 'Extension of file "%s" was not allowed!', [$fileName]);
             $this->addMessageToFlashMessageQueue('FileUtility.ExtensionOfFileWasNotAllowed', [$fileName]);
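Review bot: The `FileNameSanitized` message on the added lines echoes `$fileName` exactly as submitted, and this branch only runs when that name differs from the stored one, typically because sanitation replaced characters in it. Whether the flash message renderer HTML-escapes its arguments is not visible here, so confirm that it does on every output path that displays the queue. The rename and upload hunks pass `$targetFile` and `$fileInfo['name']` into the same message in the same way. The try block continues outside the hunk.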
@@ -1077,6 +1085,9 @@ class ExtendedFileUtility extends BasicFileUtility
                 }
                 $resultObjects[] = $fileObject;
                 $this->internalUploadMap[$uploadPosition] = $fileObject->getCombinedIdentifier();
+                if ($fileObject->getName() !== $fileInfo['name']) {
+                    $this->addMessageToFlashMessageQueue('FileUtility.FileNameSanitized', [$fileInfo['name'], $fileObject->getName()], FlashMessage::WARNING);
+                }
                 $this->writeLog(1, 0, 1, 'Uploading file "%s" to "%s"', [$fileInfo['name'], $targetFolderObject->getIdentifier()]);
                 $this->addMessageToFlashMessageQueue('FileUtility.UploadingFileTo', [$fileInfo['name'], $targetFolderObject->getIdentifier()], FlashMessage::OK);
             } catch (InsufficientFileWritePermissionsException $e) {
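Review bot: The `UploadingFileTo` success message directly below the added check still uses `$fileInfo['name']`, so after a sanitized upload the user sees a warning with the stored name followed by an OK message naming a file that does not exist. The create hunk switched its success message to `$resultObject->getName()`; do the same here with `[$fileObject->getName(), $targetFolderObject->getIdentifier()]`. The enclosing try block begins outside the hunk.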
index c0b5b17..535dc0c 100644 (file)
@@ -75,6 +75,9 @@
                        <trans-unit id="FileUtility.FileCreated">
                                <source>File created: "%s".</source>
                        </trans-unit>
+                       <trans-unit id="FileUtility.FileNameSanitized">
+                               <source>The file name "%s" is invalid, the file was automatically renamed to "%s".</source>
+                       </trans-unit>
                        <trans-unit id="FileUtility.FileExistedAlreadyIn">
                                <source>File existed already in "%s"!</source>
                        </trans-unit>