From 82236324b56efb31b20d186b4c880d5bd501115f Mon Sep 17 00:00:00 2001
From: Victor Berchet
Date: Mon, 21 May 2012 15:52:36 +0200
Subject: [PATCH] [HttpFoundation] Fix the UploadedFilename name sanitization (fix #2577)
---
 .../HttpFoundation/File/UploadedFile.php | 4 ++-
 .../HttpFoundation/File/UploadedFileTest.php | 35 ++++++++++---------
 2 files changed, 21 insertions(+), 18 deletions(-)
diff --git a/src/Symfony/Component/HttpFoundation/File/UploadedFile.php b/src/Symfony/Component/HttpFoundation/File/UploadedFile.php
index 4e51c50010..dcd2919773 100644
--- a/src/Symfony/Component/HttpFoundation/File/UploadedFile.php
+++ b/src/Symfony/Component/HttpFoundation/File/UploadedFile.php
@@ -94,7 +94,9 @@ class UploadedFile extends File
 throw new FileException(sprintf('Unable to create UploadedFile because "file_uploads" is disabled in your php.ini file (%s)', get_cfg_var('cfg_file_path')));
 }
- $this->originalName = basename($originalName);
+ $originalName = str_replace('\\', '/', $originalName);
+ $pos = strrpos($originalName, '/');
+ $this->originalName = false === $pos ? $originalName : substr($originalName, $pos + 1);
 $this->mimeType = $mimeType ?: 'application/octet-stream';
 $this->size = $size;
 $this->error = $error ?: UPLOAD_ERR_OK;
diff --git a/tests/Symfony/Tests/Component/HttpFoundation/File/UploadedFileTest.php b/tests/Symfony/Tests/Component/HttpFoundation/File/UploadedFileTest.php
index 7152a00601..85879ea4a1 100644
--- a/tests/Symfony/Tests/Component/HttpFoundation/File/UploadedFileTest.php
+++ b/tests/Symfony/Tests/Component/HttpFoundation/File/UploadedFileTest.php
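Review bot: The new assignment to `$this->originalName` in UploadedFile.php strips directory components only, so a client-supplied name such as `dir/..` still yields `..`, and a name ending in a separator yields an empty value (possibly `false` from `substr()` on older PHP versions); NUL and control bytes are not rejected either. Callers that hand getClientOriginalName() to a filesystem call are therefore still working with client-controlled input, and I would say so next to the assignment: `// Strips directory parts only; the result is client-supplied and may be empty, '.' or '..' - validate before using it as a path.` A second line on why `basename()` was dropped (presumably its handling of multibyte names, judging by the Cyrillic fixtures in the test file) would keep it from being reintroduced. The constructor begins and ends outside this hunk.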
@@ -76,19 +76,6 @@ class UploadedFileTest extends \PHPUnit_Framework_TestCase
 $this->assertEquals(UPLOAD_ERR_OK, $file->getError());
 }
- public function testGetClientOriginalName()
- {
- $file = new UploadedFile(
- __DIR__.'/Fixtures/test.gif',
- 'original.gif',
- 'image/gif',
- filesize(__DIR__.'/Fixtures/test.gif'),
- null
- );
-
- $this->assertEquals('original.gif', $file->getClientOriginalName());
- }
-
 /**
 * @expectedException Symfony\Component\HttpFoundation\File\Exception\FileException
 */
@@ -132,18 +119,32 @@ class UploadedFileTest extends \PHPUnit_Framework_TestCase
 @unlink($targetPath);
 }
-
- public function testGetClientOriginalNameSanitizeFilename()
+ /**
+ * @dataProvider getClientFilenameFixtures
+ */
+ public function testGetClientOriginalNameSanitizeFilename($filename, $sanitizedFilename)
 {
 $file = new UploadedFile(
 __DIR__.'/Fixtures/test.gif',
- '../../original.gif',
+ $filename,
 'image/gif',
 filesize(__DIR__.'/Fixtures/test.gif'),
 null
 );
- $this->assertEquals('original.gif', $file->getClientOriginalName());
+ $this->assertEquals($sanitizedFilename, $file->getClientOriginalName());
+ }
+
+ public function getClientFilenameFixtures()
+ {
+ return array(
+ array('original.gif', 'original.gif'),
+ array('..\\..\\original.gif', 'original.gif'),
+ array('../../original.gif', 'original.gif'),
+ array('файлfile.gif', 'файлfile.gif'),
+ array('..\\..\\файлfile.gif', 'файлfile.gif'),
+ array('../../файлfile.gif', 'файлfile.gif'),
+ );
 }
 public function testGetSize()
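Review bot: The rows returned by `getClientFilenameFixtures()` cover pure-backslash and pure-slash prefixes but no mixed separators and no input that reduces to nothing, so the edge behaviour of the rewritten constructor code is not pinned by any test. I would add at least `array('..\\../original.gif', 'original.gif'),` plus a row for a trailing separator and one for a bare `..`, each with whatever result the component is meant to guarantee. The plain-name case from the removed `testGetClientOriginalName()` is still covered by the first fixture row.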