Problem/Motivation
The FileExampleSubmitHandlerHelper class contains the following comment and code.
// To ensure that the filename is valid, strip off any potential file
// portion from the stream wrapper. If the filename includes a malicious
// file extension, it will be neutralized by the event subscriber of the
// FileUploadSanitizeNameEvent. This process helps to maintain the security
// of the system and prevent any potential harm from malicious files.
$event = new FileUploadSanitizeNameEvent($filename, 'txt');
$this->eventDispatcher->dispatch($event);
$dirname = $this->fileSystem->dirname($uri);
What reported in that comment is not correct: A malicious file extension will not be neutralized by the FileUploadSanitizeNameEvent event subscriber. That is described in New filename sanitization settings during upload (via UI or REST), new sanitization Event, changes to FileUploadResource constructor, which states:
Core now dispatches a
\Drupal\file\Event\FileUploadSanitizeNameEventwhenever a file is uploaded (either via the UI or via REST). Event subscribers can modify and sanitize the filename (but not extension) before the file is saved.
(Emphases is mine.)
It can be also verified with code similar to the following one.
$eventDispatcher = \Drupal::service('event_dispatcher');
$filename = 'zippy.php';
rawdebug('BEFORE', $filename);
$event = new FileUploadSanitizeNameEvent($filename, 'txt');
$eventDispatcher->dispatch($event);
$filename2 = $event->getFilename();
rawdebug('AFTER2', $filename2);
exit;
What that code shows for $filename2 is 'zippy.php'.
Proposed resolution
Change the code to modify the file extension, if that is not the expected one.
Issue fork examples-3582327
Show commands
Start within a Git clone of the project using the version control instructions.
Or, if you do not have SSH keys set up on git.drupalcode.org:
Comments
Comment #2
avpadernoComment #3
avpadernoComment #5
avpadernoComment #7
avpaderno