Problem/Motivation

The FileExampleSubmitHandlerHelper class contains the following comment and code.

// To ensure that the filename is valid, strip off any potential file
// portion from the stream wrapper. If the filename includes a malicious
// file extension, it will be neutralized by the event subscriber of the
// FileUploadSanitizeNameEvent. This process helps to maintain the security
// of the system and prevent any potential harm from malicious files.
$event = new FileUploadSanitizeNameEvent($filename, 'txt');
$this->eventDispatcher->dispatch($event);
$dirname = $this->fileSystem->dirname($uri);

What reported in that comment is not correct: A malicious file extension will not be neutralized by the FileUploadSanitizeNameEvent event subscriber. That is described in New filename sanitization settings during upload (via UI or REST), new sanitization Event, changes to FileUploadResource constructor, which states:

Core now dispatches a \Drupal\file\Event\FileUploadSanitizeNameEvent whenever a file is uploaded (either via the UI or via REST). Event subscribers can modify and sanitize the filename (but not extension) before the file is saved.

(Emphases is mine.)

It can be also verified with code similar to the following one.

$eventDispatcher = \Drupal::service('event_dispatcher');
$filename = 'zippy.php';
rawdebug('BEFORE', $filename);
$event = new FileUploadSanitizeNameEvent($filename, 'txt');
$eventDispatcher->dispatch($event);
$filename2 = $event->getFilename();
rawdebug('AFTER2', $filename2);
exit;

What that code shows for $filename2 is 'zippy.php'.

Proposed resolution

Change the code to modify the file extension, if that is not the expected one.

Issue fork examples-3582327

Command icon Show commands

Start within a Git clone of the project using the version control instructions.

Or, if you do not have SSH keys set up on git.drupalcode.org:

Comments

tolstoydotcom created an issue. See original summary.

avpaderno’s picture

Title: Correct inaccurate documentation of FileUploadSanitizeNameEvent » FileExampleSubmitHandlerHelper needs to sanitize the file extension
Component: Documentation » Code
Issue summary: View changes
avpaderno’s picture

Issue tags: +Security improvements

avpaderno’s picture

Status: Active » Needs review

  • avpaderno committed 8c15a135 on 4.0.x
    Issue #3582327: FileExampleSubmitHandlerHelper needs to sanitize the...
avpaderno’s picture

Status: Needs review » Fixed

Now that this issue is closed, review the contribution record.

As a contributor, attribute any organization that helped you, or if you volunteered your own time.

Maintainers, credit people who helped resolve this issue.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.