From cb905282b1cbc6e222697b1872d3efa987f800b5 Mon Sep 17 00:00:00 2001 From: Wolfgang Klinger Date: Fri, 9 Mar 2018 23:40:40 +0100 Subject: [PATCH] [BUGFIX] Unify the filename sanitation for upload, create, rename MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit isValidFilename allows other characters in file names than sanitizeFileName. This patch sanitizes new file names automatically (like it’s done for uploads) and adds a warning for the user about the invalid original file name for upload, create and rename. Resolves: #84178 Releases: master, 8.7 Change-Id: I8f5ff6a0c601f0227c40fe7b401eeb15159b29a6 Reviewed-on: https://review.typo3.org/56089 Tested-by: TYPO3com Reviewed-by: Anja Leichsenring Tested-by: Anja Leichsenring Reviewed-by: Mathias Brodala Tested-by: Mathias Brodala Reviewed-by: Frans Saris Reviewed-by: Andreas Wolf Tested-by: Andreas Wolf
---
 .../Classes/Resource/Driver/LocalDriver.php | 10 ++-------- .../Utility/File/ExtendedFileUtility.php | 17 ++++++++++++++--- .../Resources/Private/Language/fileMessages.xlf | 3 +++ 3 files changed, 19 insertions(+), 11 deletions(-)
diff --git a/typo3/sysext/core/Classes/Resource/Driver/LocalDriver.php b/typo3/sysext/core/Classes/Resource/Driver/LocalDriver.php
index 7a62d3a61d6a..f816aae79961 100644
--- a/typo3/sysext/core/Classes/Resource/Driver/LocalDriver.php
+++ b/typo3/sysext/core/Classes/Resource/Driver/LocalDriver.php
@@ -1299,20 +1299,14 @@ public function isWithin($folderIdentifier, $identifier)
 * @param string $fileName
 * @param string $parentFolderIdentifier
 * @return string
- * @throws Exception\InvalidFileNameException
 * @throws \RuntimeException
 */
 public function createFile($fileName, $parentFolderIdentifier)
 {
- if (!$this->isValidFilename($fileName)) {
- throw new Exception\InvalidFileNameException(
- 'Invalid characters in fileName "' . $fileName . '"',
- 1320572272
- );
- }
+ $fileName = $this->sanitizeFileName(ltrim($fileName, '/'));
 $parentFolderIdentifier = $this->canonicalizeAndCheckFolderIdentifier($parentFolderIdentifier);
 $fileIdentifier = $this->canonicalizeAndCheckFileIdentifier(
- $parentFolderIdentifier . $this->sanitizeFileName(ltrim($fileName, '/'))
+ $parentFolderIdentifier . $fileName
 );
 $absoluteFilePath = $this->getAbsolutePath($fileIdentifier);
 $result = touch($absoluteFilePath);
diff --git a/typo3/sysext/core/Classes/Utility/File/ExtendedFileUtility.php b/typo3/sysext/core/Classes/Utility/File/ExtendedFileUtility.php
index 64235d5439cb..59766fbb07f0 100644
--- a/typo3/sysext/core/Classes/Utility/File/ExtendedFileUtility.php
+++ b/typo3/sysext/core/Classes/Utility/File/ExtendedFileUtility.php
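Review bot: The docblock of createFile in LocalDriver.php drops `@throws Exception\InvalidFileNameException`, yet the method now passes every caller-supplied name through `sanitizeFileName()`; if that helper rejects names that sanitise to nothing (its body is not in this hunk), the exception can still reach callers. I would keep the tag and add a docblock line such as `The file name is sanitised before use, so the returned identifier may not contain the name that was passed in.` The old code failed closed on an invalid name, whereas the new code silently rewrites it, so any caller that goes on to build paths or checks from its own copy of `$fileName` has to use the returned identifier instead. The function body continues past the end of the hunk.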
@@ -824,8 +824,13 @@ public function func_rename($cmds)
 try {
 // Try to rename the File
 $resultObject = $sourceFileObject->rename($targetFile, $this->existingFilesConflictMode);
- $this->writeLog(5, 0, 1, 'File renamed from "%s" to "%s"', [$sourceFile, $targetFile]);
- if ($sourceFile === $targetFile) {
+ if ($resultObject->getName() !== $targetFile) {
+ $this->writeLog(5, 1, 1, 'File renamed from "%s" to "%s". Filename had to be sanitized!', [$sourceFile, $targetFile]);
+ $this->addMessageToFlashMessageQueue('FileUtility.FileNameSanitized', [$targetFile, $resultObject->getName()], FlashMessage::WARNING);
+ } else {
+ $this->writeLog(5, 0, 1, 'File renamed from "%s" to "%s"', [$sourceFile, $targetFile]);
+ }
+ if ($sourceFile === $resultObject->getName()) {
 $this->addMessageToFlashMessageQueue('FileUtility.FileRenamedSameName', [$sourceFile], FlashMessage::INFO);
 } else {
 $this->addMessageToFlashMessageQueue('FileUtility.FileRenamedFromTo', [$sourceFile, $resultObject->getName()], FlashMessage::OK);
@@ -939,7 +944,10 @@ public function func_newfile($cmds)
 try {
 $resultObject = $targetFolderObject->createFile($fileName);
 $this->writeLog(8, 0, 1, 'File created: "%s"', [$fileName]);
- $this->addMessageToFlashMessageQueue('FileUtility.FileCreated', [$fileName], FlashMessage::OK);
+ if ($resultObject->getName() !== $fileName) {
+ $this->addMessageToFlashMessageQueue('FileUtility.FileNameSanitized', [$fileName, $resultObject->getName()], FlashMessage::WARNING);
+ }
+ $this->addMessageToFlashMessageQueue('FileUtility.FileCreated', [$resultObject->getName()], FlashMessage::OK);
 } catch (IllegalFileExtensionException $e) {
 $this->writeLog(8, 1, 106, 'Extension of file "%s" was not allowed!', [$fileName]);
 $this->addMessageToFlashMessageQueue('FileUtility.ExtensionOfFileWasNotAllowed', [$fileName]);
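Review bot: In func_rename, `$resultObject->getName() !== $targetFile` treats every difference between the requested and the final name as sanitisation, but `rename()` is also handed `$this->existingFilesConflictMode`. If that mode can settle on another free name after a collision, the user is told a valid name was invalid, and the entry is logged with the second `writeLog` argument set to `1`. Comparing the requested name with its sanitised form, rather than with the final name, would keep the two causes apart. The same comparison is used in the func_newfile and func_upload hunks, where any renaming done for conflict handling would raise the warning as well. The surrounding try block starts and ends outside the hunk.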
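Review bot: The context line `$this->writeLog(8, 0, 1, 'File created: "%s"', [$fileName]);` in func_newfile still records the requested name, so after a sanitised create the log names a file that is not stored under that name. For an audit trail the stored name is the one that matters: `$this->writeLog(8, 0, 1, 'File created: "%s"', [$resultObject->getName()]);`, with the requested name added as a second value when the two differ. The sanitised branch of func_rename (which logs `$targetFile`) and the `Uploading file` log line in func_upload (which logs `$fileInfo['name']`) have the same gap.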
@@ -1077,6 +1085,9 @@ public function func_upload($cmds)
 }
 $resultObjects[] = $fileObject;
 $this->internalUploadMap[$uploadPosition] = $fileObject->getCombinedIdentifier();
+ if ($fileObject->getName() !== $fileInfo['name']) {
+ $this->addMessageToFlashMessageQueue('FileUtility.FileNameSanitized', [$fileInfo['name'], $fileObject->getName()], FlashMessage::WARNING);
+ }
 $this->writeLog(1, 0, 1, 'Uploading file "%s" to "%s"', [$fileInfo['name'], $targetFolderObject->getIdentifier()]);
 $this->addMessageToFlashMessageQueue('FileUtility.UploadingFileTo', [$fileInfo['name'], $targetFolderObject->getIdentifier()], FlashMessage::OK);
 } catch (InsufficientFileWritePermissionsException $e) {
diff --git a/typo3/sysext/core/Resources/Private/Language/fileMessages.xlf b/typo3/sysext/core/Resources/Private/Language/fileMessages.xlf
index c0b5b179abb7..535dc0cde6e7 100644
--- a/typo3/sysext/core/Resources/Private/Language/fileMessages.xlf
+++ b/typo3/sysext/core/Resources/Private/Language/fileMessages.xlf
@@ -75,6 +75,9 @@ File created: "%s". + + The file name "%s" is invalid, the file was automatically renamed to "%s". + File existed already in "%s"!