FilePathSanitizer.php

Go to the documentation of this file.

<?php
declare(strict_types = 1);
namespace ‪TYPO3\CMS\Frontend\Resource;
 
/*
 * This file is part of the TYPO3 CMS project.
 *
 * It is free software; you can redistribute it and/or modify it under
 * the terms of the GNU General Public License, either version 2
 * of the License, or any later version.
 *
 * For the full copyright and license information, please read the
 * LICENSE.txt file that was distributed with this source code.
 *
 * The TYPO3 project - inspiring people to share!
 */
 
use ‪TYPO3\CMS\Core\Core\Environment;
use ‪TYPO3\CMS\Core\Resource\Exception\FileDoesNotExistException;
use ‪TYPO3\CMS\Core\Resource\Exception\InvalidFileException;
use ‪TYPO3\CMS\Core\Resource\Exception\InvalidFileNameException;
use ‪TYPO3\CMS\Core\Resource\Exception\InvalidPathException;
use ‪TYPO3\CMS\Core\Utility\GeneralUtility;
use ‪TYPO3\CMS\Core\Utility\PathUtility;
 
class ‪FilePathSanitizer
{
    protected ‪$allowedPaths = [];
 
    public function ‪__construct()
    {
        $this->allowedPaths = [
            ‪$GLOBALS['TYPO3_CONF_VARS']['BE']['fileadminDir'],
            'uploads/',
            'typo3temp/',
            ‪PathUtility::stripPathSitePrefix(‪Environment::getBackendPath()) . '/ext/',
            ‪PathUtility::stripPathSitePrefix(‪Environment::getFrameworkBasePath()) . '/',
            ‪PathUtility::stripPathSitePrefix(‪Environment::getExtensionsPath()) . '/',
        ];
        if (!empty(‪$GLOBALS['TYPO3_CONF_VARS']['FE']['addAllowedPaths'])) {
            $paths = GeneralUtility::trimExplode(',', ‪$GLOBALS['TYPO3_CONF_VARS']['FE']['addAllowedPaths'], true);
            foreach ($paths as $path) {
                if (is_string($path)) {
                    $this->allowedPaths[] = $path;
                }
            }
        }
    }
 
    public function ‪sanitize(string $originalFileName): string
    {
        $file = trim($originalFileName);
        if (empty($file)) {
            throw new ‪InvalidFileNameException('Empty file name given', 1530169746);
        }
        if (strpos($file, '../') !== false) {
            throw new ‪InvalidPathException('File path "' . $file . '" contains illegal string "../"', 1530169814);
        }
        // if this is an URL, it can be returned directly
        $urlScheme = parse_url($file, PHP_URL_SCHEME);
        if ($urlScheme === 'https' || $urlScheme === 'http' || is_file(‪Environment::getPublicPath() . '/' . $file)) {
            return $file;
        }
 
        // this call also resolves EXT:myext/ files
        $file = GeneralUtility::getFileAbsFileName($file);
        if (!$file || is_dir($file)) {
            throw new ‪FileDoesNotExistException('File "' . $originalFileName . '" was not found', 1530169845);
        }
 
        $file = ‪PathUtility::stripPathSitePrefix($file);
 
        // Check if the found file is in the allowed paths
        foreach ($this->allowedPaths as $allowedPath) {
            if (strpos((string)$file, (string)$allowedPath, 0) === 0) {
                return $file;
            }
        }
        throw new ‪InvalidFileException('"' . $file . '" was not located in the allowed paths', 1530169955);
    }
}