1 <?php
2 
3 declare(strict_types=1);
4 
5 /*
6  * This file is part of the TYPO3 CMS project.
7  *
8  * It is free software; you can redistribute it and/or modify it under
9  * the terms of the GNU General Public License, either version 2
10  * of the License, or any later version.
11  *
12  * For the full copyright and license information, please read the
13  * LICENSE.txt file that was distributed with this source code.
14  *
15  * The TYPO3 project - inspiring people to share!
16  */
17 
19 
27 
39 {
/**
 * Site-relative path prefixes that sanitize() accepts for resolved files.
 * Filled once in the constructor; compared by plain string prefix.
 *
 * @var array
 */
protected $allowedPaths = [];
48 
/**
 * Builds the list of allowed path prefixes used by sanitize().
 *
 * Seeds the list with the configured fileadminDir, 'uploads/' and 'typo3temp/' and
 * appends every non-empty, comma-separated entry of
 * $GLOBALS['TYPO3_CONF_VARS']['FE']['addAllowedPaths']. The entries are used as
 * plain string prefixes in sanitize(), so each one should end in '/' (the visible
 * defaults do); a prefix without the trailing slash would also admit sibling
 * directories that merely share the same leading characters.
 */
public function __construct()
{
    $this->allowedPaths = [
        $GLOBALS['TYPO3_CONF_VARS']['BE']['fileadminDir'],
        'uploads/',
        'typo3temp/',
        // NOTE(review): original lines 58-60 are not shown on this page. The page
        // cross-references Environment::getFrameworkBasePath()/getBackendPath()/
        // getExtensionsPath() and PathUtility::stripPathSitePrefix(), which are
        // presumably used here for further entries - confirm against the source.
    ];
    // empty() also treats the string '0' as "not set"; the setting is a comma-separated list
    if (!empty($GLOBALS['TYPO3_CONF_VARS']['FE']['addAllowedPaths'])) {
        // third argument (removeEmptyValues) drops blank entries, so no empty prefix
        // reaches the list from this setting
        $paths = GeneralUtility::trimExplode(',', $GLOBALS['TYPO3_CONF_VARS']['FE']['addAllowedPaths'], true);
        foreach ($paths as $path) {
            // defensive only: trimExplode() is declared to return string[]
            if (is_string($path)) {
                $this->allowedPaths[] = $path;
            }
        }
    }
}
71 
/**
 * Validates a file reference and returns a path the caller may use.
 *
 * http(s) URLs and files that already exist below the public path are returned as
 * given (trimmed). Anything else is resolved through GeneralUtility::getFileAbsFileName()
 * (which also handles EXT:myext/ references) and must then start with one of the
 * allowed path prefixes collected in the constructor.
 *
 * @param string $originalFileName raw file reference: relative path, URL or EXT: path
 * @return string the trimmed reference as given, or the resolved file path
 * @throws InvalidFileNameException if the trimmed name is empty
 * @throws InvalidPathException if the name contains the sequence '../'
 * @throws FileDoesNotExistException if resolution fails or yields a directory
 * @throws InvalidFileException if the resolved path is outside the allowed paths
 */
public function sanitize(string $originalFileName): string
{
    $file = trim($originalFileName);
    // empty() is also true for the string '0', so a file literally named "0" is rejected here
    if (empty($file)) {
        throw new InvalidFileNameException('Empty file name given', 1530169746);
    }
    // Literal check for the three-character sequence '../' only; any other spelling
    // passes through to the resolution step below unchanged.
    if (strpos($file, '../') !== false) {
        throw new InvalidPathException('File path "' . $file . '" contains illegal string "../"', 1530169814);
    }
    // if this is an URL, it can be returned directly
    // NOTE: a file that already exists below the public path is likewise returned as-is,
    // i.e. without the allowed-paths check further down.
    $urlScheme = parse_url($file, PHP_URL_SCHEME);
    if ($urlScheme === 'https' || $urlScheme === 'http' || is_file(Environment::getPublicPath() . '/' . $file)) {
        return $file;
    }

    // this call also resolves EXT:myext/ files
    $file = GeneralUtility::getFileAbsFileName($file);
    // a falsy result (e.g. an empty string) or a directory counts as "not found"
    if (!$file || is_dir($file)) {
        throw new FileDoesNotExistException('File "' . $originalFileName . '" was not found', 1530169845);
    }

    // NOTE(review): original line 99 is not shown on this page. The page cross-references
    // PathUtility::stripPathSitePrefix(), presumably applied to $file here so that the
    // prefix check below runs on a site-relative path - confirm against the source.

    // Check if the found file is in the allowed paths
    // Plain string-prefix comparison with no path normalisation: an allowed entry has to
    // end in '/' so that e.g. 'uploads/' does not also match 'uploads_private/...'.
    foreach ($this->allowedPaths as $allowedPath) {
        if (strpos((string)$file, (string)$allowedPath, 0) === 0) {
            return $file;
        }
    }
    throw new InvalidFileException('"' . $file . '" was not located in the allowed paths', 1530169955);
}
109 }