file_munge_filename

Versions
6 – 7
file_munge_filename($filename, $extensions, $alerts = TRUE)

Modify a filename as needed for security purposes.

Dangerous file names will be altered; for instance, the file name "exploit.php.pps" will become "exploit.php_.pps". All extensions that are between 2 and 5 characters in length, internal to the file name (i.e. not the final extension), and not included in $extensions will be altered by appending an underscore. If the 'allow_insecure_uploads' variable evaluates to TRUE, no alterations will be made.

Parameters

$filename File name to modify.

$extensions A space-separated list of extensions that should not be altered.

$alerts If TRUE, drupal_set_message() will be called to display a message if the file name was changed.

Return value

The potentially modified $filename.

Code

includes/file.inc, line 818

<?php
function file_munge_filename($filename, $extensions, $alerts = TRUE) {
  $original = $filename;

  // Allow potentially insecure uploads for very savvy users and admin
  if (!variable_get('allow_insecure_uploads', 0)) {
    $whitelist = array_unique(explode(' ', trim($extensions)));

    // Split the filename up by periods. The first part becomes the basename,
    // the last part the final extension.
    $filename_parts = explode('.', $filename);
    $new_filename = array_shift($filename_parts); // Remove file basename.
    $final_extension = array_pop($filename_parts); // Remove final extension.

    // Loop through the middle parts of the name and add an underscore to the
    // end of each section that could be a file extension but isn't in the list
    // of allowed extensions.
    foreach ($filename_parts as $filename_part) {
      $new_filename .= '.' . $filename_part;
      if (!in_array($filename_part, $whitelist) && preg_match("/^[a-zA-Z]{2,5}\d?$/", $filename_part)) {
        $new_filename .= '_';
      }
    }
    $filename = $new_filename . '.' . $final_extension;

    if ($alerts && $original != $filename) {
      drupal_set_message(t('For security reasons, your upload has been renamed to %filename.', array('%filename' => $filename)));
    }
  }

  return $filename;
}
?>
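The rule set above, exercised on constructed file names in a Python port written for this page (it is not Drupal's code). It makes two points visible: only the inner parts of the name are inspected, so the final extension passes through untouched and still needs its own validation (in Drupal, file_validate_extensions()), and a name without any dot comes back with a trailing period because array_pop() of an empty array is NULL.

```python
import re

# Same pattern as the preg_match() in file_munge_filename(): 2-5 letters
# optionally followed by one digit (php, php5, phtml, ...).
EXTENSION_LIKE = re.compile(r'[a-zA-Z]{2,5}\d?')

def munge_filename(filename, extensions, allow_insecure_uploads=False):
    """Port of Drupal 6/7 file_munge_filename(); returns (new_name, changed)."""
    if allow_insecure_uploads:          # variable_get('allow_insecure_uploads', 0)
        return filename, False
    whitelist = set(extensions.strip().split(' '))   # explode(' ', trim($extensions))
    parts = filename.split('.')         # explode('.', $filename)
    new_name = parts.pop(0)             # array_shift(): the basename
    # array_pop() on an empty array is NULL in PHP and concatenates as '',
    # so a dot-less name such as "README" becomes "README.".
    final_extension = parts.pop() if parts else ''
    for part in parts:                  # only the middle parts are examined
        new_name += '.' + part
        if part not in whitelist and EXTENSION_LIKE.fullmatch(part):
            new_name += '_'             # case-sensitive whitelist, as in the PHP
    munged = new_name + '.' + final_extension
    # The PHP shows drupal_set_message() exactly when the name changed.
    return munged, munged != filename

def demo_cases():
    """Constructed inputs covering each branch of the rule; all labels are made up."""
    allowed = 'jpg png txt pps'        # constructed $extensions value
    return {
        'exploit.php.pps': munge_filename('exploit.php.pps', allowed),
        'a.php.html.txt': munge_filename('a.php.html.txt', allowed),
        'photo.jpg.txt': munge_filename('photo.jpg.txt', allowed),      # inner part whitelisted
        'backup.2019.zip': munge_filename('backup.2019.zip', allowed),  # digits only: no match
        'x.php5.txt': munge_filename('x.php5.txt', allowed),            # letters + one digit
        'x.abcdef.txt': munge_filename('x.abcdef.txt', allowed),        # 6 letters: no match
        'exploit.txt.php': munge_filename('exploit.txt.php', allowed),  # final extension untouched
        'README': munge_filename('README', allowed),                    # no dot at all
        'exploit.php.txt (insecure uploads allowed)':
            munge_filename('exploit.php.txt', allowed, allow_insecure_uploads=True),
    }

if __name__ == '__main__':
    for label, (result, changed) in demo_cases().items():
        print(f'{label:45} -> {result:20} {"renamed" if changed else "unchanged"}')
```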

All source code and documentation on this site is released under the terms of the GNU General Public License, version 2 and later. Drupal is a registered trademark of Dries Buytaert.