The Needs Review Queue Bot tested this issue. It either no longer applies to Drupal core, or fails the Drupal core commit checks. Therefore, this issue status is now "Needs work".
Apart from a re-roll or rebase, this issue may need more work to address feedback in the issue or MR comments. To progress an issue, incorporate this feedback as part of the process of updating the issue. This helps other contributors to know what is outstanding.
Consult the Drupal Contributor Guide to find step-by-step guides for working with issues.
- Status changed to Needs review
almost 2 years ago 12:58am 4 February 2023 - 🇸🇰Slovakia poker10
Rerolled patch #7, as there was a recent change and the .htaccess extension was added, so the patch did not apply.
- Status changed to Needs work
almost 2 years ago 6:19pm 23 February 2023 - 🇺🇸United States smustgrave
Seems like a valid improvement.
Ran the test locally without the fix though, and this passed:
    '.phtml extension allowed with .phtml file' => ['foo.phtml', 'phtml', 'foo.phtml'],
So isn't this saying I can use .phtml files?
- Status changed to Needs review
almost 2 years ago 2:02am 14 March 2023 - 🇨🇦Canada AlexGreen
@smustgrave, there's some code in
\Drupal\system\EventSubscriber\SecurityFileUploadEventSubscriber::sanitizeName()
which looks like...
    if (empty($extensions) || in_array('txt', $extensions, TRUE)) {
      // Add .txt to potentially executable files prior to munging to help prevent
      // exploits. This results in filenames like filename.php being changed to
      // filename.php.txt prior to munging.
      $filename_parts[] = $final_extension;
      $final_extension = 'txt';
    }
    else {
      // Since .txt is not an allowed extension do not rename the file. The
      // file will be rejected by file_validate().
      return;
    }
... if "txt" is not an allowed extension, it won't be renamed, but something down the line (i.e. file_validate()) will catch it and prevent it from being uploaded. See also some of the other test cases (e.g. lines 79, 81, and 76 for PHP files). Also this code worked fine on my local, which was on 10.0.1.
So I'm putting this back to "Needs review".
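As an added example (not Drupal's code, and not from anyone in this thread), here is a small Python model of the two-step behaviour AlexGreen describes: an executable-looking name gets .txt appended before munging only when txt is an allowed extension, otherwise it is left untouched so the later extension validation rejects it. The before/after insecure-extension lists and the underscore munging rule are assumptions of the model, not the project's own definitions.

```python
import re

# Constructed for this example: extensions treated as potentially executable
# before and after adding phtml (the change this issue is about).
INSECURE_BEFORE = frozenset({"php", "phar", "pl", "py", "cgi", "asp", "js"})
INSECURE_AFTER = INSECURE_BEFORE | {"phtml"}


def sanitize_name(filename: str, allowed: str, insecure: frozenset) -> str:
    """Model of the upload-name munging (assumed, not Drupal's own code).

    Returns the renamed filename, or the original name unchanged when the
    file is deliberately left for the later extension validation to reject.
    """
    if "." not in filename:
        return filename
    extensions = [e.lower() for e in allowed.split()]
    parts = filename.split(".")
    basename = parts.pop(0)
    final_extension = parts.pop()
    looks_executable = any(p.lower() in insecure for p in parts + [final_extension])
    if looks_executable:
        if not extensions or "txt" in extensions:
            # Append .txt before munging: foo.phtml -> foo.phtml.txt
            parts.append(final_extension)
            final_extension = "txt"
        else:
            # .txt is not allowed, so do not rename; validation rejects it later.
            return filename
    # Munge each intermediate part that is not on the allow list, or that is
    # executable even when allowed: foo.phtml.txt -> foo.phtml_.txt
    munged = basename
    for part in parts:
        munged += "." + part
        if (part.lower() not in extensions or part.lower() in insecure) and \
                re.fullmatch(r"[A-Za-z0-9]+", part):
            munged += "_"
    return munged + "." + final_extension


def passes_extension_check(filename: str, allowed: str) -> bool:
    """Model of the later extension validation: only the final extension counts."""
    extensions = {e.lower() for e in allowed.split()}
    return filename.rsplit(".", 1)[-1].lower() in extensions
```

With only 'phtml' allowed, the before and after lists give the same unchanged 'foo.phtml', which is why the quoted test case cannot distinguish them; the difference shows when txt is also allowed, where the after list yields 'foo.phtml_.txt'.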
- Status changed to Needs work
almost 2 years ago 8:49pm 7 April 2023 - 🇺🇸United States smustgrave
Sorry for taking a few weeks. So if the tests aren't actually checking anything then why add them?
- Status changed to Needs review
over 1 year ago 11:58pm 24 April 2023 - 🇨🇦Canada AlexGreen
To demonstrate that the test in #13 works, here is a patch containing just the test. If my test is effective, this patch should fail, because it does not contain the code to protect against phtml files. I won't be posting an interdiff because this is a test only patch.
- last update
over 1 year ago: Patch Failed to Apply
- last update
over 1 year ago: 28,479 pass, 1 fail
- Status changed to RTBC
over 1 year ago 1:02am 25 April 2023
- last update
over 1 year ago: 29,307 pass
- last update
over 1 year ago: 29,369 pass
- last update
over 1 year ago: 29,369 pass
- last update
over 1 year ago: 29,374 pass
- Status changed to Fixed
over 1 year ago 10:55am 4 May 2023 - 🇬🇧United Kingdom catch
Committed/pushed to 10.1.x and cherry picked to 10.0.x and 9.5.x, thanks!
Automatically closed - issue fixed for 2 weeks with no activity.