- Issue created by @solideogloria
I'm glad that filename sanitization/transliteration is in core. However, I noticed that filenames can have leading hyphens. This could be a security risk if someone runs shell commands containing wildcards in the directory and the filename becomes an argument to the command. Certainly, there are workarounds to run the commands more securely. Still, it seems like adding an option to remove leading hyphens, or incorporating that into the transliterate function, would be helpful and could prevent files with names like "-rf" or worse from having a disastrous effect.
Trim leading hyphens from filenames, or replace them with a hyphen or the replacement character.
Active
11.0 🔥
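For anyone reproducing the hazard described in this issue, here is an added shell example (not Drupal core code, and not the project's transliteration routine). It builds a directory containing a constructed file named `-l`, shows how an unquoted `*` turns that name into an option for `ls`, and demonstrates the two mitigations the report alludes to: guarding the invocation with `--` or `./*`, and rewriting the filename before it ever reaches a shell. The sanitisation policy used here (a run of leading hyphens becomes a single underscore) is an assumption chosen for the example, not what core's transliterate function does today.

```shell
#!/bin/sh
# Added example, not Drupal core code. Demonstrates the leading-hyphen filename
# hazard and two independent mitigations. Runs offline against temp dirs.
# Policy assumed here: a run of leading hyphens is replaced by one underscore.

# sanitize_filename NAME
# Prints NAME with any run of leading hyphens replaced by a single underscore,
# so the result can never be parsed as an option by a shell command.
sanitize_filename() {
  case $1 in
    -*)
      _rest=$(printf '%s\n' "$1" | sed 's/^-*//')
      printf '%s\n' "_${_rest}"
      ;;
    *)
      printf '%s\n' "$1"
      ;;
  esac
}

# make_demo_dir
# Creates a temp dir holding a harmless file and one named "-l" (constructed
# sample input) and prints the directory path.
make_demo_dir() {
  _d=$(mktemp -d)
  : > "$_d/a.txt"
  : > "$_d/-l"
  printf '%s\n' "$_d"
}

# list_unguarded DIR
# What a naive `ls *` does: the glob expands to `-l a.txt`, so `-l` is taken
# as an option and only a.txt is listed (one long-format line).
# Prints the number of output lines. LC_ALL=C fixes the glob sort order.
list_unguarded() {
  ( cd "$1" && LC_ALL=C ls * ) | wc -l | tr -d ' '
}

# list_guarded DIR
# Same glob, but `--` ends option parsing so both entries are listed.
list_guarded() {
  ( cd "$1" && LC_ALL=C ls -- * ) | wc -l | tr -d ' '
}

# list_dotslash DIR
# Alternative guard for commands without `--` support: anchor the glob with
# `./` so every expansion starts with a dot, never a hyphen.
list_dotslash() {
  ( cd "$1" && LC_ALL=C ls ./* ) | wc -l | tr -d ' '
}

# make_sanitized_copy DIR
# Builds a second directory whose names went through sanitize_filename;
# there the naive `ls *` is safe again. Prints the new directory path.
make_sanitized_copy() {
  _out=$(mktemp -d)
  for _f in "$1"/*; do
    _base=${_f##*/}
    cp -- "$_f" "$_out/$(sanitize_filename "$_base")"
  done
  printf '%s\n' "$_out"
}

# Stand-alone run: show the line counts side by side, then clean up.
_demo=$(make_demo_dir)
_safe=$(make_sanitized_copy "$_demo")
echo "unguarded ls *:   $(list_unguarded "$_demo") line(s)"
echo "ls -- *:          $(list_guarded "$_demo") line(s)"
echo "ls ./*:           $(list_dotslash "$_demo") line(s)"
echo "sanitised, ls *:  $(list_unguarded "$_safe") line(s)"
rm -rf -- "$_demo" "$_safe"
```

With `ls` the consequence is a wrong listing; with `rm`, `chmod` or `tar` the same expansion hands the tool an option the operator never typed, which is why both layers matter: the invocation guard protects existing files, the sanitiser stops new ones from being created with such names.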