Fixed that problematic characters in 'fileDestination' has not been sanatized.

738eea62 · Carsten Rose · 8387ac5f · 738eea62 · 738eea62 · 738eea62
Commit 738eea62 authored Mar 19, 2018 by Carsten Rose
--- a/extension/qfq/qfq/Save.php
+++ b/extension/qfq/qfq/Save.php
@@ -551,6 +551,7 @@ class Save {
            $this->store->appendToStore(HelperFile::pathinfo($origFilename), STORE_VAR);

            $pathFileName = $this->evaluate->parse($formElement[FE_FILE_DESTINATION]);
+            $pathFileName = Sanitize::safeFilename($pathFileName, false, true); // Dynamically calculated pathFileName might contain invalid characters.

            // Saved in store for later use during 'Advanced Upload'-post processing
            $this->store->setVar(VAR_FILE_DESTINATION, $pathFileName, STORE_VAR);

--- a/extension/qfq/qfq/helper/Sanitize.php
+++ b/extension/qfq/qfq/helper/Sanitize.php
@@ -168,7 +168,11 @@ class Sanitize {
     *
     * @return mixed
     */
-    public static function safeFilename($filename, $flagBaseName = false) {
+    public static function safeFilename($filename, $flagBaseName = false, $allowSlash = false) {
+
+        // Disallow 'none alphanumeric'. Allow dot or underscore and conditionally '/'.
+        $pattern = ($allowSlash) ? '([^[:alnum:]._/])' : '([^[:alnum:]._])';
+
        $search = array(
            // Definition of German Umlauts START
            '/ß/',
@@ -176,7 +180,7 @@ class Sanitize {
            '/ö/', '/Ö/',
            '/ü/', '/Ü/',
            // Definition of German Umlauts ENDE
-            '([^[:alnum:]._])' // Disallow 'none alphanumeric'. Allow dot or underscore.
+            $pattern,
        );

        $replace = array(

--- a/extension/qfq/tests/phpunit/SanitizeTest.php
+++ b/extension/qfq/tests/phpunit/SanitizeTest.php
@@ -315,5 +315,26 @@ class SanitizeTest extends \PHPUnit_Framework_TestCase {

        $value = '`~!@#$%^&*()_+=-[]{}\|;:\'"/?.> ,<`';
        $this->assertEquals('____________________________._____', Sanitize::safeFilename($value), 'Alnum string with umlaut');
+
+
+        $value = '';
+        $this->assertEquals($value, Sanitize::safeFilename($value, true), 'Empty string');
+
+        $value = 'test';
+        $this->assertEquals('test', Sanitize::safeFilename($value, true));
+
+        $value = 'test,./hello?ö';
+        $this->assertEquals('hello_oe', Sanitize::safeFilename($value, true));
+
+
+        $value = '';
+        $this->assertEquals($value, Sanitize::safeFilename($value, false, true), 'Empty string');
+
+        $value = 'test';
+        $this->assertEquals('test', Sanitize::safeFilename($value, false, true));
+
+        $value = 'test,./?ö';
+        $this->assertEquals('test_./_oe', Sanitize::safeFilename($value, false, true));
+
    }
 }