I'm attempting to validate a file using hook_file_validate() but the check for insecure uploads alters the file's URI by appending ".txt". The problem is that in hook_file_validate, I cannot use that altered URI to locate the file. Also, there is nothing to tell me that the file's URI has been altered due to security concerns.

There is no need to alter the $file->uri before validation, since it's reconstructed later based on the munged filename.

CommentFileSizeAuthor
#19 file_save_upload_actual_uri_1815504_19.patch735 bytesroderik
#13 file_save_upload_actual_uri_1815504_1.patch655 bytespwolanin
#8 1815504-8-D8.patch877 bytespwolanin
#5 1815504-5-D8.patch1.56 KBpwolanin
#1 file_save_upload_actual_uri_1815504_1.patch655 bytesKevin Hankens
Support from Acquia helps fund testing for Drupal Acquia logo

Comments

Kevin Hankens’s picture

Kevin Hankens CreditAttribution: Kevin Hankens commented
Status: Active » Needs review
FileSize
file_save_upload_actual_uri_1815504_1.patch655 bytes
Chithra K’s picture

Chithra K CreditAttribution: Chithra K commented

#1: file_save_upload_actual_uri_1815504_1.patch queued for re-testing.

pwolanin’s picture

pwolanin CreditAttribution: pwolanin commented
Version: 7.x-dev » 8.x-dev
Issue summary: View changes

Needs to be fixed in 8.x first

pwolanin’s picture

pwolanin CreditAttribution: pwolanin commented

Note that I think this change is indeed harmless since later in file_save_upload we assign the uri based on the (munged) filename:

 $file->uri = $file->destination;

At the point when the removed line is changing it it still has the value:

$file->uri      = $_FILES['files']['tmp_name'][$source];

So it does seem pointless to munge this temporary uri

pwolanin’s picture

pwolanin CreditAttribution: pwolanin commented
FileSize
1815504-5-D8.patch1.56 KB

Here's a D8 patch

pwolanin’s picture

pwolanin CreditAttribution: pwolanin commented
Issue summary: View changes
scor’s picture

scor CreditAttribution: scor commented
Status: Needs review » Needs work 
+++ b/core/modules/file/file.module
@@ -939,7 +939,7 @@ function file_save_upload($form_field_name, array &$form_state, $validators = ar
     // directory. This overcomes open_basedir restrictions for future file
     // operations.
-    $file->uri = $file->destination;
+    $file->setFileUri($file->destination);
     if (!drupal_move_uploaded_file($file_info->getRealPath(), $file->getFileUri())) {

This fix seems unrelated. I've moved it to #2155245: Use proper methods instead of directly calling $file->filename and $file->uri which includes other fixes.

pwolanin’s picture

pwolanin CreditAttribution: pwolanin commented
Status: Needs work » Needs review
FileSize
1815504-8-D8.patch877 bytes

ok, here's just the minimal fix.

scor’s picture

scor CreditAttribution: scor commented
Status: Needs review » Reviewed & tested by the community

I tested this patch on my localhost, and on my system at least, the tmp file URI is something like /tmp/phpIf1VLU so there is no need to add a .txt extension to it at this point.

Like others have said, the URI is construct later based on the filename which has the .txt extension, so there is no need to worry about adding the extension to the URI explicitly:

    ...
    $file->destination = file_destination($destination . $file->getFilename(), $replace);
    ...
    $file->uri = $file->destination;

Note that the D7 version of this patch has been running on more than 40K sites hosted on drupalgardens.com for the last 12 months without causing any issue.

xjm’s picture

xjm
she/her
Primary language English
CreditAttribution: xjm commented

8: 1815504-8-D8.patch queued for re-testing.

alexpott’s picture

alexpott
he/they
Primary language English
Location 🇪🇺🌍
CreditAttribution: alexpott commented
Status: Reviewed & tested by the community » Fixed

Committed c28e514 and pushed to 8.x. Thanks!

scor’s picture

scor CreditAttribution: scor commented
Version: 8.x-dev » 7.x-dev
Status: Fixed » Patch (to be ported)
pwolanin’s picture

pwolanin CreditAttribution: pwolanin commented
Status: Patch (to be ported) » Needs review
FileSize
file_save_upload_actual_uri_1815504_1.patch655 bytes

re-posting Kervin's patch from #1

scor’s picture

scor CreditAttribution: scor commented

Maybe with the nice comment you wrote in #5?
// The destination filename will also later be used to create the URI.

  • alexpott committed c28e514 on 8.3.x 
    Issue #1815504 by pwolanin, Kevin Hankens: File_save_upload() should not...

  • alexpott committed c28e514 on 8.3.x 
    Issue #1815504 by pwolanin, Kevin Hankens: File_save_upload() should not...

  • alexpott committed c28e514 on 8.4.x 
    Issue #1815504 by pwolanin, Kevin Hankens: File_save_upload() should not...

  • alexpott committed c28e514 on 8.4.x 
    Issue #1815504 by pwolanin, Kevin Hankens: File_save_upload() should not...
roderik’s picture

roderik
Primary language Dutch
Location Amsterdam,NL / Budapest,HU
CreditAttribution: roderik at Cheppers for Acquia commented
FileSize
file_save_upload_actual_uri_1815504_19.patch735 bytes

Comment added per suggestion.

ksenzee’s picture

ksenzee
she/her
Location Seattle area
CreditAttribution: ksenzee at Smartsheet commented
Status: Needs review » Reviewed & tested by the community

Looks right to me. Time to get this in!

David_Rothstein’s picture

David_Rothstein CreditAttribution: David_Rothstein as a volunteer commented
Status: Reviewed & tested by the community » Fixed
Issue tags: +7.60 release notes

Committed to 7.x - thanks!

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.