[BUGFIX] Normalize filename of uploaded files

The filename of uploaded files might not be encoded as normalized unicode. For instance, this happens when using umlauts in filenames on HFS+ filesystem (macOS). For instance the client sends an `ö`, which is sent in NFD as `0x6fcc88`, but should be normalized as `0xc3b6`. https://en.wikipedia.org/wiki/Unicode_equivalence#Normalization Executed commands: composer req symfony/polyfill-intl-normalizer:^1.27 composer req symfony/polyfill-intl-normalizer:^1.27 \ -d typo3/sysext/core --no-update Resolves: #101253 Releases: main, 12.4, 11.5 Change-Id: I8605481ffdc3b5d96f529850bf09a1fd75d09cd2 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/79837 Tested-by: core-ci <typo3@b13.com> Tested-by: Oliver Hader <oliver.hader@typo3.org> Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
TYPO3 · Jul 6, 2023 · ec7617f · ec7617f
1 parent f74aa72
commit ec7617f
Show file tree

Hide file tree

Showing 7 changed files with 20 additions and 3 deletions.
diff --git a/composer.json b/composer.json
@@ -87,6 +87,7 @@
 		"symfony/messenger": "^6.2",
 		"symfony/mime": "^6.2",
 		"symfony/options-resolver": "^6.2",
+		"symfony/polyfill-intl-normalizer": "^1.27",
 		"symfony/property-access": "^6.2",
 		"symfony/property-info": "^6.2.11",
 		"symfony/rate-limiter": "^6.2",

diff --git a/composer.lock b/composer.lock
diff --git a/typo3/sysext/core/Classes/Http/UploadedFile.php b/typo3/sysext/core/Classes/Http/UploadedFile.php
@@ -74,7 +74,10 @@ public function __construct($input, int $size, int $errorStatus, ?string $client
         }
         $this->error = $errorStatus;
 
-        $this->clientFilename = $clientFilename;
+        if ($clientFilename !== null) {
+            $clientFilename = \Normalizer::normalize($clientFilename);
+        }
+        $this->clientFilename = is_string($clientFilename) ? $clientFilename : null;
         $this->clientMediaType = $clientMediaType;
     }
 

diff --git a/typo3/sysext/core/Classes/Resource/ResourceStorage.php b/typo3/sysext/core/Classes/Resource/ResourceStorage.php
@@ -2098,7 +2098,7 @@ public function addUploadedFile(array|UploadedFile $uploadedFileData, Folder $ta
         } else {
             $localFilePath = $uploadedFileData['tmp_name'];
             if ($targetFileName === null) {
-                $targetFileName = $uploadedFileData['name'];
+                $targetFileName = \Normalizer::normalize($uploadedFileData['name']);
             }
             $size = $uploadedFileData['size'];
         }

diff --git a/typo3/sysext/core/Classes/Utility/File/ExtendedFileUtility.php b/typo3/sysext/core/Classes/Utility/File/ExtendedFileUtility.php
@@ -1049,6 +1049,7 @@ public function func_upload($cmds)
                 'size' => [$uploadedFileData['size']],
             ];
         }
+        $uploadedFileData['name'] = array_map(\Normalizer::normalize(...), $uploadedFileData['name']);
         $resultObjects = [];
         $numberOfUploadedFilesForPosition = count($uploadedFileData['name']);
         // Loop through all uploaded files

diff --git a/typo3/sysext/core/Tests/Unit/Http/UploadedFileTest.php b/typo3/sysext/core/Tests/Unit/Http/UploadedFileTest.php
@@ -180,4 +180,15 @@ public function getGetStreamRaisesExceptionAfterMove(): void
         $this->expectExceptionCode(1436717306);
         $upload->getStream();
     }
+
+    /**
+     * see https://en.wikipedia.org/wiki/Unicode_equivalence#Normalization, "NFD"
+     * @test
+     */
+    public function nfdFileNameIsNormalized(): void
+    {
+        $clientFileName = hex2bin('6fcc88') . '.png';
+        $subject = new UploadedFile(fopen('php://temp', 'wb+'), 0, 0, $clientFileName);
+        self::assertSame(hex2bin('c3b6') . '.png', $subject->getClientFilename());
+    }
 }
diff --git a/typo3/sysext/core/composer.json b/typo3/sysext/core/composer.json
@@ -66,6 +66,7 @@
 		"symfony/messenger": "^6.2",
 		"symfony/mime": "^6.2",
 		"symfony/options-resolver": "^6.2",
+		"symfony/polyfill-intl-normalizer": "^1.27",
 		"symfony/rate-limiter": "^6.2",
 		"symfony/routing": "^6.2",
 		"symfony/uid": "^6.2",