file_munge_filename
Definition
file_munge_filename($filename, $extensions, $alerts = TRUE)
drupal/includes/file.inc, line 601
Description
Munge the filename as needed for security purposes.
For instance the file name "exploit.php.pps" would become "exploit.php_.pps".
Parameters
$filename The name of a file to modify.
$extensions A space separated list of extensions that should not be altered.
$alerts Whether alerts (watchdog, drupal_set_message()) should be displayed.
Return value
$filename The potentially modified $filename.
Related topics
Name | Description |
|---|---|
| File interface | Common file handling functions. |
Code
function file_munge_filename($filename, $extensions, $alerts = TRUE) {
$original = $filename;
// Allow potentially insecure uploads for very savvy users and admin
if (!variable_get('allow_insecure_uploads', 0)) {
$whitelist = array_unique(explode(' ', trim($extensions)));
// Split the filename up by periods. The first part becomes the basename
// the last part the final extension.
$filename_parts = explode('.', $filename);
$new_filename = array_shift($filename_parts); // Remove file basename.
$final_extension = array_pop($filename_parts); // Remove final extension.
// Loop through the middle parts of the name and add an underscore to the
// end of each section that could be a file extension but isn't in the list
// of allowed extensions.
foreach ($filename_parts as $filename_part) {
$new_filename .= '.' . $filename_part;
if (!in_array($filename_part, $whitelist) && preg_match("/^[a-zA-Z]{2,5}\d?$/", $filename_part)) {
$new_filename .= '_';
}
}
$filename = $new_filename . '.' . $final_extension;
if ($alerts && $original != $filename) {
drupal_set_message(t('For security reasons, your upload has been renamed to %filename.', array('%filename' => $filename)));
}
}
return $filename;
}