file_munge_filename($filename, $extensions, $alerts = TRUE)
Modify a filename as needed for security purposes.
Dangerous file names will be altered; for instance, the file name "exploit.php.pps" will become "exploit.php_.pps". All extensions that are between 2 and 5 characters in length, internal to the file name, and not included in $extensions will be altered by adding an underscore. If the variable 'allow_insecure_uploads' evaluates to TRUE, no alterations will be made.
$filename File name to modify.
$extensions A space-separated list of extensions that should not be altered.
$alerts If TRUE, drupal_set_message() will be called to display a message if the file name was changed.
Returns the potentially modified $filename.
includes/file.inc, line 846
<?php
function file_munge_filename($filename, $extensions, $alerts = TRUE) {
  $original = $filename;

  // Allow potentially insecure uploads for very savvy users and admin
  if (!variable_get('allow_insecure_uploads', 0)) {
    $whitelist = array_unique(explode(' ', trim($extensions)));

    // Split the filename up by periods. The first part becomes the basename,
    // the last part the final extension.
    $filename_parts = explode('.', $filename);
    $new_filename = array_shift($filename_parts); // Remove file basename.
    $final_extension = array_pop($filename_parts); // Remove final extension.

    // Loop through the middle parts of the name and add an underscore to the
    // end of each section that could be a file extension but isn't in the list
    // of allowed extensions.
    foreach ($filename_parts as $filename_part) {
      $new_filename .= '.' . $filename_part;
      if (!in_array($filename_part, $whitelist) && preg_match("/^[a-zA-Z]{2,5}\d?$/", $filename_part)) {
        $new_filename .= '_';
      }
    }
    $filename = $new_filename . '.' . $final_extension;

    if ($alerts && $original != $filename) {
      drupal_set_message(t('For security reasons, your upload has been renamed to %filename.', array('%filename' => $filename)));
    }
  }

  return $filename;
}
?>
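The following stand-alone script is an added example, not part of Drupal or of the original page. Its hypothetical helper munge_report() applies the same rule as the function above, without the Drupal calls, and also reports what that rule does not check; the sample names and the allowed list 'jpg png pps' are constructed.

```php
<?php
// Added example, not Drupal code. munge_report() is a hypothetical helper
// that mirrors the munging rule and records what the rule leaves unchecked.
function munge_report($filename, $extensions) {
  $allowed = array_unique(explode(' ', trim($extensions)));
  $parts = explode('.', $filename);
  $munged = array_shift($parts);   // Basename.
  $final = array_pop($parts);      // NULL when the name contains no dot.
  $altered = array();
  foreach ($parts as $part) {
    $munged .= '.' . $part;
    // Same test as the original: 2-5 letters plus an optional digit, and
    // not present (case-sensitively) in the allowed list.
    if (!in_array($part, $allowed) && preg_match('/^[a-zA-Z]{2,5}\d?$/', $part)) {
      $munged .= '_';
      $altered[] = $part;
    }
  }
  return array(
    'munged' => $munged . '.' . $final,
    'altered' => $altered,
    // The munging rule never inspects the final extension, so test it here.
    'final_allowed' => $final !== NULL && in_array($final, $allowed),
  );
}

// Constructed sample names, one per case worth checking.
$samples = array(
  'exploit.php.pps',   // internal extension that is not in the list
  'photo.png.jpg',     // internal extension that is in the list
  'photo.PNG.jpg',     // upper-case form of a listed extension
  'archive.tar.gz',    // harmless internal extension, unlisted final one
  'a.php5.phtml.jpg',  // letters plus digit, and a five-letter part
  'shell.php',         // a final extension only, nothing internal
  'README',            // no dot in the name at all
);
foreach ($samples as $name) {
  $r = munge_report($name, 'jpg png pps');
  printf("%-18s -> %-22s altered=[%s] final_ok=%s\n", $name, $r['munged'],
    implode(',', $r['altered']), $r['final_allowed'] ? 'yes' : 'NO');
}
```

The output shows that only internal parts are altered: a name such as "shell.php" comes back unchanged, so the final extension has to be validated separately. It also shows that the list comparison is case-sensitive and that a name without any dot gains a trailing ".".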