1 <?php
2 declare(strict_types = 1);
4 
5 /*
6  * This file is part of the TYPO3 CMS project.
7  *
8  * It is free software; you can redistribute it and/or modify it under
9  * the terms of the GNU General Public License, either version 2
10  * of the License, or any later version.
11  *
12  * For the full copyright and license information, please read the
13  * LICENSE.txt file that was distributed with this source code.
14  *
15  * The TYPO3 project - inspiring people to share!
16  */
17 
25 
37 {
45  protected ‪$allowedPaths = [];
46 
    /**
     * Collects the path prefixes that sanitize() accepts for a file it had to resolve.
     *
     * Always present: the configured BE fileadminDir plus 'uploads/' and 'typo3temp/'.
     * Optional additions come from the comma-separated FE.addAllowedPaths setting.
     *
     * NOTE(review): this rendering jumps from original line 55 to 59, so one or more
     * entries of the list are not visible here. The symbol index for this file lists
     * Environment::getFrameworkBasePath(), getExtensionsPath() and getBackendPath(),
     * which presumably belong in the omitted lines — confirm against the upstream file
     * before relying on this list being complete.
     *
     * NOTE(review): sanitize() compares these entries as plain string prefixes, so an
     * entry without a trailing slash (e.g. "foo") would also admit "foobar/...". The
     * built-in entries carry a trailing slash; anything configured via addAllowedPaths
     * should too. An empty entry would match everything on PHP 8 (strpos() with an
     * empty needle returns 0 there) — the third trimExplode() argument looks like a
     * remove-empty-values flag that should prevent that, but verify.
     */
    public function __construct()
    {
        $this->allowedPaths = [
            // presumably configured with a trailing slash (e.g. 'fileadmin/') — verify;
            // the prefix match in sanitize() depends on it
            $GLOBALS['TYPO3_CONF_VARS']['BE']['fileadminDir'],
            'uploads/',
            'typo3temp/',
        ];
        if (!empty($GLOBALS['TYPO3_CONF_VARS']['FE']['addAllowedPaths'])) {
            // comma-separated list of additional prefixes, one entry per element
            $paths = GeneralUtility::trimExplode(',', $GLOBALS['TYPO3_CONF_VARS']['FE']['addAllowedPaths'], true);
            foreach ($paths as $path) {
                // defensive: trimExplode() is expected to yield strings only, so this
                // guard should never drop an entry
                if (is_string($path)) {
                    $this->allowedPaths[] = $path;
                }
            }
        }
    }
69 
    /**
     * Validates a file reference as used in TypoScript (a path relative to the public
     * directory, an EXT: reference, or an http(s) URL) and returns the value a caller may use.
     *
     * Returns, in order of checks:
     *  - the trimmed input unchanged if it is an http/https URL or names an existing
     *    file directly below Environment::getPublicPath();
     *  - otherwise the reference resolved by GeneralUtility::getFileAbsFileName(),
     *    provided it starts with one of the configured allowed paths.
     *
     * SECURITY NOTE(review): the allowed-paths check only applies to references that
     * needed resolving. Any path that already exists below the public directory is
     * returned as-is, whatever directory it lives in, so callers must not treat the
     * return value as confined to $allowedPaths.
     *
     * @param string $originalFileName the reference to check; surrounding whitespace is ignored
     * @return string the accepted reference (either the trimmed input or the resolved path)
     * @throws InvalidFileNameException when the trimmed input is empty
     * @throws InvalidPathException when the input contains "../"
     * @throws FileDoesNotExistException when the reference cannot be resolved or resolves to a directory
     * @throws InvalidFileException when the resolved file lies outside the allowed paths
     */
    public function sanitize(string $originalFileName): string
    {
        $file = trim($originalFileName);
        // empty() also treats the string "0" as empty, so a file literally named "0" is rejected here
        if (empty($file)) {
            throw new InvalidFileNameException('Empty file name given', 1530169746);
        }
        // Only the "../" form is rejected at this point; a "..\" segment or a trailing ".."
        // passes this line, so any further traversal protection has to come from
        // getFileAbsFileName() below (not visible in this file).
        if (strpos($file, '../') !== false) {
            throw new InvalidPathException('File path "' . $file . '" contains illegal string "../"', 1530169814);
        }
        // if this is an URL, it can be returned directly
        // The scheme comparison is case-sensitive ("HTTP://..." falls through to resolution).
        // The is_file() branch returns any existing file below the public directory
        // without consulting $allowedPaths (see the security note in the docblock).
        $urlScheme = parse_url($file, PHP_URL_SCHEME);
        if ($urlScheme === 'https' || $urlScheme === 'http' || is_file(Environment::getPublicPath() . '/' . $file)) {
            return $file;
        }

        // this call also resolves EXT:myext/ files
        // A falsy result (empty string; a path of "0" would also count) means the
        // reference could not be resolved; directories are never accepted.
        $file = GeneralUtility::getFileAbsFileName($file);
        if (!$file || is_dir($file)) {
            throw new FileDoesNotExistException('File "' . $originalFileName . '" was not found', 1530169845);
        }

        // NOTE(review): this rendering skips original line 97. The symbol index for this
        // file lists PathUtility::stripPathSitePrefix(), which presumably is called here to
        // turn the absolute path into a site-relative one; without such a step the prefix
        // comparison below against relative entries like 'uploads/' could never match.
        // Confirm against the upstream file.

        // Check if the found file is in the allowed paths
        // Plain prefix match (strpos() === 0 is str_starts_with()); the (string) casts and
        // the explicit offset 0 do not change the result. An allowed path without a
        // trailing slash also matches sibling directories sharing that prefix, and an
        // empty allowed path would match everything on PHP 8 (strpos() with an empty
        // needle returns 0 there; PHP 7 warns and returns false).
        foreach ($this->allowedPaths as $allowedPath) {
            if (strpos((string)$file, (string)$allowedPath, 0) === 0) {
                return $file;
            }
        }
        throw new InvalidFileException('"' . $file . '" was not located in the allowed paths', 1530169955);
    }
107 }