author | David Rothstein <drothstein@gmail.com> | 2014-11-03 10:11:56 -0500 |
---|---|---|
committer | David Rothstein <drothstein@gmail.com> | 2014-11-03 10:11:56 -0500 |
commit | c401ec33e847ec2710ef6914625ca63a3e5663b4 (patch) | |
tree | d8d4a4c29f05163ec6b94283199731ed4f39ca43 /includes/file.inc | |
parent | 0b4c3b17e2209b1804a7b6b5974e5217c3e2a87e (diff) | |
Issue #2112247 by sihv, mitsuroseba, dgroene, aalamaki, Dennis Walgaard, mErilainen: Fixed Valid file extensions in file names are not properly enforced when uploading files with non-lowercase names.
Diffstat (limited to 'includes/file.inc')
-rw-r--r-- | includes/file.inc | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/includes/file.inc b/includes/file.inc
index fb2685659..803661f4d 100644
--- a/includes/file.inc
+++ b/includes/file.inc
@@ -1152,7 +1152,7 @@ function file_munge_filename($filename, $extensions, $alerts = TRUE) {
 // Remove any null bytes. See http://php.net/manual/security.filesystem.nullbytes.php
 $filename = str_replace(chr(0), '', $filename);
- $whitelist = array_unique(explode(' ', trim($extensions)));
+ $whitelist = array_unique(explode(' ', strtolower(trim($extensions))));
 // Split the filename up by periods. The first part becomes the basename
 // the last part the final extension.
@@ -1165,7 +1165,7 @@ function file_munge_filename($filename, $extensions, $alerts = TRUE) {
 // of allowed extensions.
 foreach ($filename_parts as $filename_part) {
 $new_filename .= '.' . $filename_part;
- if (!in_array($filename_part, $whitelist) && preg_match("/^[a-zA-Z]{2,5}\d?$/", $filename_part)) {
+ if (!in_array(strtolower($filename_part), $whitelist) && preg_match("/^[a-zA-Z]{2,5}\d?$/", $filename_part)) {
 $new_filename .= '_';
 }
 } |
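Review bot: The lowercasing of `$extensions` on the new `$whitelist` line only works together with the `strtolower($filename_part)` comparison in the second hunk, and nothing in the code records that the two belong together. A comment above the assignment would keep them from drifting apart, for example `// Allowed extensions are matched case-insensitively: the list is lowercased here and each filename part is lowercased before the in_array() check below.` The function's docblock, which is outside this hunk, should also say that `$extensions` is treated case-insensitively. From the visible lines, changing only one side later would cause extra munging rather than less, so this is a maintainability point and not a bypass.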
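Review bot: The `in_array()` call on the changed `if` line still uses loose comparison for what is an allow-list check. Both operands are strings, so the strict form costs nothing: `if (!in_array(strtolower($filename_part), $whitelist, TRUE) && preg_match("/^[a-zA-Z]{2,5}\d?$/", $filename_part)) {`. This is hardening rather than a known bypass, since a part must also match the letters-first regex before it is munged. It would also help to add a comment here that the regex is deliberately run against the original-case part while only the allow-list lookup is case-folded. The `foreach` and the rest of `file_munge_filename()` continue outside the hunk.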