9.5/_file_path_sanitizer_8php_source.html

<?php

declare(strict_types = 1);

namespace ‪TYPO3\CMS\Frontend\Resource;


/*

 * This file is part of the TYPO3 CMS project.

 *

 * It is free software; you can redistribute it and/or modify it under

 * the terms of the GNU General Public License, either version 2

 * of the License, or any later version.

 *

 * For the full copyright and license information, please read the

 * LICENSE.txt file that was distributed with this source code.

 *

 * The TYPO3 project - inspiring people to share!

 */


use ‪TYPO3\CMS\Core\Core\Environment;

use ‪TYPO3\CMS\Core\Resource\Exception\FileDoesNotExistException;

use ‪TYPO3\CMS\Core\Resource\Exception\InvalidFileException;

use ‪TYPO3\CMS\Core\Resource\Exception\InvalidFileNameException;

use ‪TYPO3\CMS\Core\Resource\Exception\InvalidPathException;

use ‪TYPO3\CMS\Core\Utility\GeneralUtility;

use ‪TYPO3\CMS\Core\Utility\PathUtility;


class ‪FilePathSanitizer

{

    protected ‪$allowedPaths = [];


    public function ‪__construct()

    {

        $this->allowedPaths = [

            ‪$GLOBALS['TYPO3_CONF_VARS']['BE']['fileadminDir'],

            'uploads/',

            'typo3temp/',

            ‪PathUtility::stripPathSitePrefix(‪Environment::getBackendPath()) . '/ext/',

            ‪PathUtility::stripPathSitePrefix(‪Environment::getFrameworkBasePath()) . '/',

            ‪PathUtility::stripPathSitePrefix(‪Environment::getExtensionsPath()) . '/',

        ];

        if (!empty(‪$GLOBALS['TYPO3_CONF_VARS']['FE']['addAllowedPaths'])) {

            $paths = GeneralUtility::trimExplode(',', ‪$GLOBALS['TYPO3_CONF_VARS']['FE']['addAllowedPaths'], true);

            foreach ($paths as $path) {

                if (is_string($path)) {

                    $this->allowedPaths[] = $path;

                }

            }

        }

    }


    public function ‪sanitize(string $originalFileName): string

    {

        $file = trim($originalFileName);

        if (empty($file)) {

            throw new ‪InvalidFileNameException('Empty file name given', 1530169746);

        }

        if (strpos($file, '../') !== false) {

            throw new ‪InvalidPathException('File path "' . $file . '" contains illegal string "../"', 1530169814);

        }

        // if this is an URL, it can be returned directly

        $urlScheme = parse_url($file, PHP_URL_SCHEME);

        if ($urlScheme === 'https' || $urlScheme === 'http' || is_file(‪Environment::getPublicPath() . '/' . $file)) {

            return $file;

        }


        // this call also resolves EXT:myext/ files

        $file = GeneralUtility::getFileAbsFileName($file);

        if (!$file || is_dir($file)) {

            throw new ‪FileDoesNotExistException('File "' . $originalFileName . '" was not found', 1530169845);

        }


        $file = ‪PathUtility::stripPathSitePrefix($file);


        // Check if the found file is in the allowed paths

        foreach ($this->allowedPaths as $allowedPath) {

            if (strpos((string)$file, (string)$allowedPath, 0) === 0) {

                return $file;

            }

        }

        throw new ‪InvalidFileException('"' . $file . '" was not located in the allowed paths', 1530169955);

    }

}