Commit 738eea62 authored by Carsten  Rose's avatar Carsten Rose

Fixed that problematic characters in 'fileDestination' had not been sanitized.

parent 8387ac5f
......@@ -551,6 +551,7 @@ class Save {
$this->store->appendToStore(HelperFile::pathinfo($origFilename), STORE_VAR);
$pathFileName = $this->evaluate->parse($formElement[FE_FILE_DESTINATION]);
$pathFileName = Sanitize::safeFilename($pathFileName, false, true); // Dynamically calculated pathFileName might contain invalid characters.
// Saved in store for later use during 'Advanced Upload'-post processing
$this->store->setVar(VAR_FILE_DESTINATION, $pathFileName, STORE_VAR);
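Review bot: The added `Sanitize::safeFilename($pathFileName, false, true)` call still lets `..` segments and a leading `/` through, because the new pattern in `Sanitize` keeps both `.` and `/`, so the sanitized destination can still resolve outside the intended upload directory. The value comes from `$this->evaluate->parse(...)` right after the original filename parts are appended to the store, so it may contain user-influenced text, though that cannot be confirmed from this hunk. I would reject the value when any segment is `..`, for example with a guard on `in_array('..', explode('/', $pathFileName), true)`, and compare the resolved path with the upload base directory at the point where the file is finally written. The enclosing method starts and ends outside the hunk.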
......
......@@ -168,7 +168,11 @@ class Sanitize {
*
* @return mixed
*/
public static function safeFilename($filename, $flagBaseName = false) {
public static function safeFilename($filename, $flagBaseName = false, $allowSlash = false) {
// Disallow 'none alphanumeric'. Allow dot or underscore and conditionally '/'.
$pattern = ($allowSlash) ? '([^[:alnum:]._/])' : '([^[:alnum:]._])';
$search = array(
// Definition of German Umlauts START
'/ß/',
......@@ -176,7 +180,7 @@ class Sanitize {
'/ö/', '/Ö/',
'/ü/', '/Ü/',
// Definition of German Umlauts ENDE
'([^[:alnum:]._])' // Disallow 'none alphanumeric'. Allow dot or underscore.
$pattern,
);
$replace = array(
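Review bot: The new `$allowSlash` parameter is not documented in the part of the docblock visible here; only `@return mixed` is shown, and any `@param` lines sit above the hunk. Its effect on the function's contract should be stated, since with the flag set the result is no longer a single path component. I would add `@param bool $allowSlash keep '/' so the result may be a relative path; '..' segments and a leading '/' are not removed`. The comment above `$pattern` could carry the same caveat so that callers do not assume the result is confined to one directory.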
......
......@@ -315,5 +315,26 @@ class SanitizeTest extends \PHPUnit_Framework_TestCase {
$value = '`~!@#$%^&*()_+=-[]{}\|;:\'"/?.> ,<`';
$this->assertEquals('____________________________._____', Sanitize::safeFilename($value), 'Alnum string with umlaut');
$value = '';
$this->assertEquals($value, Sanitize::safeFilename($value, true), 'Empty string');
$value = 'test';
$this->assertEquals('test', Sanitize::safeFilename($value, true));
$value = 'test,./hello?ö';
$this->assertEquals('hello_oe', Sanitize::safeFilename($value, true));
$value = '';
$this->assertEquals($value, Sanitize::safeFilename($value, false, true), 'Empty string');
$value = 'test';
$this->assertEquals('test', Sanitize::safeFilename($value, false, true));
$value = 'test,./?ö';
$this->assertEquals('test_./_oe', Sanitize::safeFilename($value, false, true));
}
}
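Review bot: The three new `allowSlash` cases cover the empty string, a plain name and `./`, but none pins what happens to a `..` segment or a leading `/`, which are the inputs that matter once the result is used as a destination path. I would add one assertion for each, for example on the constructed samples `'a/../b'` and `'/a'`, with the expected value set to whatever policy `safeFilename()` is meant to enforce. The test method starts outside the hunk.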