Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
I'm attempting to validate a file using hook_file_validate() but the check for insecure uploads alters the file's URI by appending ".txt". The problem is that in hook_file_validate, I cannot use that altered URI to locate the file. Also, there is nothing to tell me that the file's URI has been altered due to security concerns.
There is no need to alter the $file->uri before validation, since it's reconstructed later based on the munged filename.
Comment | File | Size | Author |
---|---|---|---|
#19 | file_save_upload_actual_uri_1815504_19.patch | 735 bytes | roderik |
#8 | 1815504-8-D8.patch | 877 bytes | pwolanin |
#1 | file_save_upload_actual_uri_1815504_1.patch | 655 bytes | Kevin Hankens |
Comments
Comment #1
Kevin Hankens CreditAttribution: Kevin Hankens commentedComment #2
Chithra K CreditAttribution: Chithra K commented#1: file_save_upload_actual_uri_1815504_1.patch queued for re-testing.
Comment #3
pwolanin CreditAttribution: pwolanin commentedNeeds to be fixed in 8.x first
Comment #4
pwolanin CreditAttribution: pwolanin commentedNote that I think this change is indeed harmless since later in file_save_upload we assign the uri based on the (munged) filename:
At the point when the removed line is changing it it still has the value:
So it does seem pointless to munge this temporary uri
Comment #5
pwolanin CreditAttribution: pwolanin commentedHere's a D8 patch
Comment #6
pwolanin CreditAttribution: pwolanin commentedComment #7
scor CreditAttribution: scor commentedThis fix seems unrelated. I've moved it to #2155245: Use proper methods instead of directly calling $file->filename and $file->uri which includes other fixes.
Comment #8
pwolanin CreditAttribution: pwolanin commentedok, here's just the minimal fix.
Comment #9
scor CreditAttribution: scor commentedI tested this patch on my localhost, and on my system at least, the tmp file URI is something like /tmp/phpIf1VLU so there is no need to add a .txt extension to it at this point.
Like others have said, the URI is construct later based on the filename which has the .txt extension, so there is no need to worry about adding the extension to the URI explicitly:
Note that the D7 version of this patch has been running on more than 40K sites hosted on drupalgardens.com for the last 12 months without causing any issue.
Comment #10
xjm8: 1815504-8-D8.patch queued for re-testing.
Comment #11
alexpottCommitted c28e514 and pushed to 8.x. Thanks!
Comment #12
scor CreditAttribution: scor commentedComment #13
pwolanin CreditAttribution: pwolanin commentedre-posting Kervin's patch from #1
Comment #14
scor CreditAttribution: scor commentedMaybe with the nice comment you wrote in #5?
// The destination filename will also later be used to create the URI.
Comment #19
roderikComment added per suggestion.
Comment #20
ksenzeeLooks right to me. Time to get this in!
Comment #21
David_Rothstein CreditAttribution: David_Rothstein as a volunteer commentedCommitted to 7.x - thanks!