Merge pull request #5760 from nanasess/add-check-invalid-filename

[4.2] Add check invalid filename
EC-CUBE · Sep 5, 2022 · babbb9a · babbb9a
2 parents 2853db3 + 1d2c141
commit babbb9a
Show file tree

Hide file tree

Showing 2 changed files with 43 additions and 0 deletions.
diff --git a/src/Eccube/Controller/Admin/Content/FileController.php b/src/Eccube/Controller/Admin/Content/FileController.php
@@ -304,6 +304,10 @@ public function upload(Request $request)
                 if (is_dir(rtrim($nowDir, '/\\').\DIRECTORY_SEPARATOR.$filename)) {
                     throw new UnsupportedMediaTypeHttpException(trans('admin.content.file.same_name_folder_exists'));
                 }
+                // 英数字, 半角スペース, _-.() のみ許可
+                if (!preg_match('/\A[a-zA-Z0-9_\-\.\(\) ]+\Z/', $filename)) {
+                    throw new UnsupportedMediaTypeHttpException(trans('admin.content.file.folder_name_symbol_error'));
+                }
                 // phpファイルはアップロード不可
                 if ($file->getClientOriginalExtension() === 'php') {
                     throw new UnsupportedMediaTypeHttpException(trans('admin.content.file.phpfile_error'));

diff --git a/tests/Eccube/Tests/Web/Admin/Content/FileControllerTest.php b/tests/Eccube/Tests/Web/Admin/Content/FileControllerTest.php
@@ -244,6 +244,45 @@ public function testUploadIgnoreFiles()
         unlink($dot);
     }
 
+    public function testUploadInvalidFileName()
+    {
+        $quote = $this->getUserDataDir()."/../'quote'.txt";
+        touch($quote);
+
+        $quotefile = new UploadedFile(
+            realpath($quote),          // file path
+            "'quote'.txt",         // original name
+            'text/plain',        // mimeType
+            null,               // error
+            true                // test mode
+        );
+
+        $crawler = $this->client->request(
+            'POST',
+            $this->generateUrl('admin_content_file'),
+            [
+                'form' => [
+                    '_token' => 'dummy',
+                    'create_file' => '',
+                    'file' => [$quotefile],
+                ],
+                'mode' => 'upload',
+                'now_dir' => '/',
+            ],
+            ['form' => ['file' => [$quotefile]]]
+        );
+
+        $messages = $crawler->filter('p.errormsg')->each(function (Crawler $node) {
+            return $node->text();
+        });
+
+        $this->assertTrue($this->client->getResponse()->isSuccessful());
+        $this->assertContains('使用できない文字が含まれています。', $messages);
+        $this->assertFalse(file_exists($this->getUserDataDir()."/'quote'.txt"));
+
+        unlink($quote);
+    }
+
     protected function getUserDataDir()
     {
         return __DIR__.'/../../../../../../html/user_data';