Commit

Make filename safe adapt PR jmcameron#23
make feature optional
JLTRY committed Dec 31, 2024
1 parent 2482260 commit a8c9c15
Showing 4 changed files with 17 additions and 1 deletion.
6 changes: 6 additions & 0 deletions attachments_component/admin/config.xml
Expand Up @@ -191,6 +191,12 @@
label="ATTACH_FORBIDDEN_FILENAME_CHARACTERS" size="40"
description="ATTACH_FORBIDDEN_FILENAME_CHARACTERS_DESCRIPTION">
</field>
<field name="sanitize_filename_characters" type="radio" default="0" layout="joomla.form.field.radio.switcher"
label="ATTACH_SANITIZE_FILENAME"
description="ATTACH_SANITIZE_FILENAME_DESCRIPTION">
<option value="0">JNO</option>
<option value="1">JYES</option>
</field>
<field name="attachments_table_style" type="text" default="attachmentsList"
label="ATTACH_CSS_STYLE_FOR_ATTACHMENTS_TABLES" size="40"
description="ATTACH_CSS_STYLE_FOR_ATTACHMENTS_TABLES_DESCRIPTION">
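Review bot: default="0" on the new sanitize_filename_characters field makes filename sanitization opt-in, so a site that upgrades without touching the option gets the unsanitized branch in upload_file(), where the line this commit removes called File::makeSafe() unconditionally. Consider default="1" so the safer behaviour stays in place unless an administrator turns it off. The field name says "characters" while the label and description keys say ATTACH_SANITIZE_FILENAME; aligning them would make the option easier to find in the code.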
Expand Up @@ -191,6 +191,8 @@ ATTACH_FILTER="Filter"
ATTACH_FILTER_ENTITY_TOOLTIP="Use this option to limit the list of attachments to parents of a particular type."
ATTACH_FORBIDDEN_FILENAME_CHARACTERS="Characters forbidden in uploaded filenames"
ATTACH_FORBIDDEN_FILENAME_CHARACTERS_DESCRIPTION="Filenames containing these characters will not be allowed to be uploaded. These characters are problematic in the URL presented to the user for file attachments in 'non-secure' mode so they are forbidden. These characters are generally not an issue when using 'secure' mode since the filename is not used as part of the URL presented to the user."
ATTACH_SANITIZE_FILENAME="Sanitize FileName"
ATTACH_FORBIDDEN_FILENAME_CHARACTERS_DESCRIPTION="Sanitize FileName : removes special characters "
ATTACH_FORMAT_STRING_FOR_DATES="Format string for dates"
ATTACH_FORMAT_STRING_FOR_DATES_DESCRIPTION="The format string for the creation and modification dates. Enter a format string like ones used by the Joomla JDate class format() function (which is based on the PHP class DateTime::format function). Search the web with 'PHP DateTime' for examples. Note that JDate handles translation of month/day names as necessary. The default format string (Y-m-d H:M) gives dates with 24-hour time like 2013-01-05 16:21."
ATTACH_FOR_PARENT_S_COLON_S="For %s: <i>'%s'</i>"
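Review bot: the second added line reuses the key ATTACH_FORBIDDEN_FILENAME_CHARACTERS_DESCRIPTION, which is already defined two lines above, instead of ATTACH_SANITIZE_FILENAME_DESCRIPTION, the key config.xml references for the new field. As written, the new option has no description string and the forbidden-characters key is defined twice, so its explanatory text about 'non-secure' mode URLs is at risk of being replaced by the short sanitize text. Rename the key to ATTACH_SANITIZE_FILENAME_DESCRIPTION, drop the trailing space inside the quotes, and say which characters are removed, since an administrator deciding whether to enable the option needs that.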
Expand Up @@ -190,6 +190,8 @@ ATTACH_FILTER="Filtre"
ATTACH_FILTER_ENTITY_TOOLTIP=" Utilisez cette option pour limiter la liste des pièces jointes aux parents d'un type en particulier."
ATTACH_FORBIDDEN_FILENAME_CHARACTERS="Caractères interdits dans les noms des fichiers à envoyer"
ATTACH_FORBIDDEN_FILENAME_CHARACTERS_DESCRIPTION="Les noms de fichiers contenant ces caractères ne pourront pas être envoyés. Ces caractères posent problème dans l'URL présentée à l'utilisateur dans le mode 'non sécurisé', ils sont donc interdits. Ces caractères ne sont généralement pas un problème quand vous utilisez le mode 'sécurisé'."
ATTACH_SANITIZE_FILENAME="Nettoie les noms des fichiers"
ATTACH_FORBIDDEN_FILENAME_CHARACTERS_DESCRIPTION="Nettoie les noms des fichiers : enlève les caractèrer speciaux"
ATTACH_FORMAT_STRING_FOR_DATES="Format de chaine pour les dates"
ATTACH_FORMAT_STRING_FOR_DATES_DESCRIPTION="Format de chaine pour la création et la modification des dates. Entrez un format de chaine comme celui utilisé par la Classe de fonction format() Joomla JDate (qui est basée sur la classe de fonction PHP DateTime::format). Rechercher sur le web avec 'PHP DateTime' par exemple. Notez que JDate gère la traduction des Jours/mois quand c'est nécessaire. La chaine de format (Y-m-d H:M) renvoie par défaut les dates en format 24h comme dans 2013-01-05 16:21."
ATTACH_FOR_PARENT_S_COLON_S="Pour %s: <i>'%s'</i>"
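Review bot: same key problem as in the English file: the second added line redefines ATTACH_FORBIDDEN_FILENAME_CHARACTERS_DESCRIPTION instead of defining ATTACH_SANITIZE_FILENAME_DESCRIPTION, so the new field has no French description and the existing forbidden-characters key is defined twice. The string also has a typo: "caractèrer speciaux" should read "caractères spéciaux".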
8 changes: 7 additions & 1 deletion attachments_component/site/src/Helper/AttachmentsHelper.php
Expand Up @@ -437,7 +437,13 @@ public static function upload_file(&$attachment, &$parent, $attachment_id=false,

// Get the new filename
// Make filename safe
$filename = File::makeSafe(strtolower($_FILES['upload']['name']));
$filename_safe = $params->get('sanitize_filename_characters', false);
if ( $filename_safe ) {
$filename = File::makeSafe(strtolower($_FILES['upload']['name']));
} else {
// Trim of any trailing period (to avoid exploits)
$filename = rtrim(StringHelper::str_ireplace("\'", "'", $_FILES['upload']['name']), '.');
}
$ftype = $_FILES['upload']['type'];

// Check the file size
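Review bot: in the else branch the client-supplied $_FILES['upload']['name'] is used with only the \' replacement and a trailing-period trim, so when the option is off nothing in these lines removes path separators, control characters or other special characters from the stored filename. Since the option defaults to off (config.xml default="0", and false in $params->get()), that is the path most installs will take. Either keep a minimal always-on sanitization step and make only the lowercasing and stricter character stripping optional, or add a comment naming the later check that rejects unsafe names. Smaller points: $filename_safe holds the option flag rather than a filename, so a name like $sanitize_filename would read better; the "Make filename safe" comment now sits above the flag lookup rather than the call it describes; and "Trim of" should be "Trim off".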