From c401ec33e847ec2710ef6914625ca63a3e5663b4 Mon Sep 17 00:00:00 2001
From: David Rothstein
Date: Mon, 3 Nov 2014 10:11:56 -0500
Subject: Issue #2112247 by sihv, mitsuroseba, dgroene, aalamaki, Dennis Walgaard, mErilainen: Fixed Valid file extensions in file names are not properly enforced when uploading files with non-lowercase names.
---
includes/file.inc | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'includes/file.inc')
diff --git a/includes/file.inc b/includes/file.inc
index fb2685659..803661f4d 100644
--- a/includes/file.inc
+++ b/includes/file.inc
@@ -1152,7 +1152,7 @@ function file_munge_filename($filename, $extensions, $alerts = TRUE) {
 // Remove any null bytes. See http://php.net/manual/security.filesystem.nullbytes.php
 $filename = str_replace(chr(0), '', $filename);
- $whitelist = array_unique(explode(' ', trim($extensions)));
+ $whitelist = array_unique(explode(' ', strtolower(trim($extensions))));
 // Split the filename up by periods. The first part becomes the basename
 // the last part the final extension.
@@ -1165,7 +1165,7 @@ function file_munge_filename($filename, $extensions, $alerts = TRUE) {
 // of allowed extensions.
 foreach ($filename_parts as $filename_part) {
 $new_filename .= '.' . $filename_part;
- if (!in_array($filename_part, $whitelist) && preg_match("/^[a-zA-Z]{2,5}\d?$/", $filename_part)) {
+ if (!in_array(strtolower($filename_part), $whitelist) && preg_match("/^[a-zA-Z]{2,5}\d?$/", $filename_part)) {
 $new_filename .= '_';
 }
 }
--
cgit v1.2.3
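Review bot: The new `$whitelist` assignment lowercases the allowed list without a comment saying that extension matching is now case-insensitive, and the function's doc block lies outside the hunk, so it is unclear whether the contract for `$extensions` is documented anywhere. I would add `// Extensions are matched case-insensitively, so normalize the allowed list to lowercase.` above the assignment and mirror that in the `@param $extensions` description. On PHP versions before 8.2, `strtolower()` follows the current locale. Because the list and each filename part go through the same call, a locale mismatch should only cause extra underscores and not a skipped one, which is worth stating in the comment too.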
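Review bot: The `in_array()` call on the changed `if` line still uses loose comparison, so the allow-list check is not an exact string match. Passing the strict flag fixes that: `if (!in_array(strtolower($filename_part), $whitelist, TRUE) && preg_match("/^[a-zA-Z]{2,5}\d?$/", $filename_part)) {`. Parts that can reach the underscore branch must start with letters, so I do not see loose numeric-string comparison letting a disallowed part through here, but the strict form removes the need to rely on that reasoning. The `foreach` body and the rest of `file_munge_filename()` start and end outside the hunk.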