improve sanitizing of filenames to fix security issue

pqina · Sep 19, 2019 · 4adbed1 · 4adbed1
1 parent b82a6bc
commit 4adbed1
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 2 deletions.
diff --git a/FilePond.class.php b/FilePond.class.php
@@ -42,7 +42,9 @@ function fetch($url) {
 
 function sanitize_filename($filename) {
     $info = pathinfo($filename);
-    return sanitize_filename_part($info['filename']) . '.' . sanitize_filename_part($info['extension']);
+    $name = sanitize_filename_part($info['filename']);
+    $extension = sanitize_filename_part($info['extension']);
+    return (strlen($name) > 0 ? $name : '_') . '.' . $extension;
 }
 
 function sanitize_filename_part($str) {
@@ -161,6 +163,7 @@ function store_transfer($path, $transfer) {
 
     // store main file if set (if not set, we expect to receive chunks in the near future)
     $files = $transfer->getFiles();
+
     if ($files === null) return;
     $file = $files[0];
     move_file($file, $path);

diff --git a/index.php b/index.php
@@ -92,10 +92,17 @@ function handle_patch_file_transfer($id) {
     }
 
     // get patch data
-    $name = $_SERVER['HTTP_UPLOAD_NAME'];
     $offset = $_SERVER['HTTP_UPLOAD_OFFSET'];
     $length = $_SERVER['HTTP_UPLOAD_LENGTH'];
 
+    // should be numeric values, else exit
+    if (!is_numeric($offset) || !is_numeric($length)) {
+        return http_response_code(400);
+    }
+
+    // get sanitized name
+    $name = FilePond\sanitize_filename($_SERVER['HTTP_UPLOAD_NAME']);
+
     // write patch file for this request
     file_put_contents($dir . '.patch.' . $offset, fopen('php://input', 'r'));