Some of the example code in Examples makes it easy to write code that does not properly sanitize file names. Drupal core exacerbates this problem by not providing any functions to sanitize them. And it is a non-trivial problem to solve.

There is a patch to fix this in core:

#2472895: Provide file name sanitization functions

Attached is a patch to improve Examples module to encourage secure code. It depends on that patch. In the meantime, another simpler patch may be desirable.

File: file_check_destination-examples.patch
Size: 7.89 KB
Author: Bevan

Comments

Mile23:

Version: 7.x-1.x-dev » 8.x-1.x-dev
Status: Needs review » Postponed

Good stuff, but I'd much rather see that implemented in core and then just used here as an API.

Also, let's concentrate on 8.x-1.x for examples project feature requests.

I'm going to move this to 8.x-1.x and if it lands in core we can implement it that way and do a 7.x patch as needed.

Status: Postponed » Needs work

The last submitted patch, file_check_destination-examples.patch, failed testing.

Mile23:

Status: Needs work » Postponed
Mile23:

Category: Bug report » Feature request