[BUGFIX] Unify the filename sanitation for upload, create, rename

isValidFilename allows other characters in file names than sanitizeFileName. This patch sanitizes new file names automatically (like it’s done for uploads) and adds a warning for the user about the invalid original file name for upload, create and rename. Resolves: #84178 Releases: master, 8.7 Change-Id: I8f5ff6a0c601f0227c40fe7b401eeb15159b29a6 Reviewed-on: https://review.typo3.org/56089 Tested-by: TYPO3com <no-reply@typo3.com> Reviewed-by: Anja Leichsenring <aleichsenring@ab-softlab.de> Tested-by: Anja Leichsenring <aleichsenring@ab-softlab.de> Reviewed-by: Mathias Brodala <mbrodala@pagemachine.de> Tested-by: Mathias Brodala <mbrodala@pagemachine.de> Reviewed-by: Frans Saris <franssaris@gmail.com> Reviewed-by: Andreas Wolf <andreas.wolf@typo3.org> Tested-by: Andreas Wolf <andreas.wolf@typo3.org>
TYPO3 · Mar 18, 2018 · cb90528 · cb90528
1 parent ee2cee9
commit cb90528
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 11 deletions.
diff --git a/typo3/sysext/core/Classes/Resource/Driver/LocalDriver.php b/typo3/sysext/core/Classes/Resource/Driver/LocalDriver.php
@@ -1299,20 +1299,14 @@ public function isWithin($folderIdentifier, $identifier)
      * @param string $fileName
      * @param string $parentFolderIdentifier
      * @return string
-     * @throws Exception\InvalidFileNameException
      * @throws \RuntimeException
      */
     public function createFile($fileName, $parentFolderIdentifier)
     {
-        if (!$this->isValidFilename($fileName)) {
-            throw new Exception\InvalidFileNameException(
-                'Invalid characters in fileName "' . $fileName . '"',
-                1320572272
-            );
-        }
+        $fileName = $this->sanitizeFileName(ltrim($fileName, '/'));
         $parentFolderIdentifier = $this->canonicalizeAndCheckFolderIdentifier($parentFolderIdentifier);
         $fileIdentifier = $this->canonicalizeAndCheckFileIdentifier(
-            $parentFolderIdentifier . $this->sanitizeFileName(ltrim($fileName, '/'))
+            $parentFolderIdentifier . $fileName
         );
         $absoluteFilePath = $this->getAbsolutePath($fileIdentifier);
         $result = touch($absoluteFilePath);

diff --git a/typo3/sysext/core/Classes/Utility/File/ExtendedFileUtility.php b/typo3/sysext/core/Classes/Utility/File/ExtendedFileUtility.php
@@ -824,8 +824,13 @@ public function func_rename($cmds)
             try {
                 // Try to rename the File
                 $resultObject = $sourceFileObject->rename($targetFile, $this->existingFilesConflictMode);
-                $this->writeLog(5, 0, 1, 'File renamed from "%s" to "%s"', [$sourceFile, $targetFile]);
-                if ($sourceFile === $targetFile) {
+                if ($resultObject->getName() !== $targetFile) {
+                    $this->writeLog(5, 1, 1, 'File renamed from "%s" to "%s". Filename had to be sanitized!', [$sourceFile, $targetFile]);
+                    $this->addMessageToFlashMessageQueue('FileUtility.FileNameSanitized', [$targetFile, $resultObject->getName()], FlashMessage::WARNING);
+                } else {
+                    $this->writeLog(5, 0, 1, 'File renamed from "%s" to "%s"', [$sourceFile, $targetFile]);
+                }
+                if ($sourceFile === $resultObject->getName()) {
                     $this->addMessageToFlashMessageQueue('FileUtility.FileRenamedSameName', [$sourceFile], FlashMessage::INFO);
                 } else {
                     $this->addMessageToFlashMessageQueue('FileUtility.FileRenamedFromTo', [$sourceFile, $resultObject->getName()], FlashMessage::OK);
@@ -939,7 +944,10 @@ public function func_newfile($cmds)
         try {
             $resultObject = $targetFolderObject->createFile($fileName);
             $this->writeLog(8, 0, 1, 'File created: "%s"', [$fileName]);
-            $this->addMessageToFlashMessageQueue('FileUtility.FileCreated', [$fileName], FlashMessage::OK);
+            if ($resultObject->getName() !== $fileName) {
+                $this->addMessageToFlashMessageQueue('FileUtility.FileNameSanitized', [$fileName, $resultObject->getName()], FlashMessage::WARNING);
+            }
+            $this->addMessageToFlashMessageQueue('FileUtility.FileCreated', [$resultObject->getName()], FlashMessage::OK);
         } catch (IllegalFileExtensionException $e) {
             $this->writeLog(8, 1, 106, 'Extension of file "%s" was not allowed!', [$fileName]);
             $this->addMessageToFlashMessageQueue('FileUtility.ExtensionOfFileWasNotAllowed', [$fileName]);
@@ -1077,6 +1085,9 @@ public function func_upload($cmds)
                 }
                 $resultObjects[] = $fileObject;
                 $this->internalUploadMap[$uploadPosition] = $fileObject->getCombinedIdentifier();
+                if ($fileObject->getName() !== $fileInfo['name']) {
+                    $this->addMessageToFlashMessageQueue('FileUtility.FileNameSanitized', [$fileInfo['name'], $fileObject->getName()], FlashMessage::WARNING);
+                }
                 $this->writeLog(1, 0, 1, 'Uploading file "%s" to "%s"', [$fileInfo['name'], $targetFolderObject->getIdentifier()]);
                 $this->addMessageToFlashMessageQueue('FileUtility.UploadingFileTo', [$fileInfo['name'], $targetFolderObject->getIdentifier()], FlashMessage::OK);
             } catch (InsufficientFileWritePermissionsException $e) {

diff --git a/typo3/sysext/core/Resources/Private/Language/fileMessages.xlf b/typo3/sysext/core/Resources/Private/Language/fileMessages.xlf
@@ -75,6 +75,9 @@
 			<trans-unit id="FileUtility.FileCreated">
 				<source>File created: "%s".</source>
 			</trans-unit>
+			<trans-unit id="FileUtility.FileNameSanitized">
+				<source>The file name "%s" is invalid, the file was automatically renamed to "%s".</source>
+			</trans-unit>
 			<trans-unit id="FileUtility.FileExistedAlreadyIn">
 				<source>File existed already in "%s"!</source>
 			</trans-unit>