From 8fe3f0c35f2b8608e7f0ef2bc3964e13403ac2c2 Mon Sep 17 00:00:00 2001
From: Matias Griese
Date: Thu, 4 Oct 2018 14:53:44 +0300
Subject: [PATCH] FlexMediaTrait: Added checks for bad filenames

---
 .../Framework/Flex/Traits/FlexMediaTrait.php | 19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)

diff --git a/system/src/Grav/Framework/Flex/Traits/FlexMediaTrait.php b/system/src/Grav/Framework/Flex/Traits/FlexMediaTrait.php
index 26f6d40a4..55e38a555 100644
--- a/system/src/Grav/Framework/Flex/Traits/FlexMediaTrait.php
+++ b/system/src/Grav/Framework/Flex/Traits/FlexMediaTrait.php
@@ -12,6 +12,7 @@ namespace Grav\Framework\Flex\Traits;
 use Grav\Common\Config\Config;
 use Grav\Common\Grav;
 use Grav\Common\Media\Traits\MediaTrait;
+use Grav\Common\Utils;
 use Psr\Http\Message\UploadedFileInterface;
 use RocketTheme\Toolbox\ResourceLocator\UniformResourceLocator;
 use RuntimeException;
@@ -23,7 +24,7 @@ trait FlexMediaTrait
 {
     use MediaTrait;
 
-    public function uploadMediaFile(UploadedFileInterface $uploadedFile) : void
+    public function uploadMediaFile(UploadedFileInterface $uploadedFile, string $filename = null) : void
     {
         $grav = Grav::instance();
         $language = $grav['language'];
@@ -42,6 +43,14 @@ trait FlexMediaTrait
             throw new RuntimeException($language->translate('PLUGIN_ADMIN.UNKNOWN_ERRORS'), 400);
         }
 
+        if (!$filename) {
+            $filename = (string)$uploadedFile->getClientFilename();
+        }
+
+        if (!Utils::checkFilename($filename)) {
+            throw new RuntimeException(sprintf($language->translate('PLUGIN_ADMIN.FILEUPLOAD_UNABLE_TO_UPLOAD'), $filename, 'Bad filename'), 400);
+        }
+
         /** @var Config $config */
         $config = $grav['config'];
         $grav_limit = (int) $config->get('system.media.upload_limit', 0);
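Review bot: `if (!$filename)` in the third hunk is a truthiness test, so a caller-supplied name of `'0'` is treated as absent and silently replaced by the client filename; `if ($filename === null || $filename === '')` pins the intended "not provided" cases. The stored name, the error message and the `pathinfo($filename, PATHINFO_EXTENSION)` in the following hunk all derive from this client-controlled value, so the guard is only as strong as `Utils::checkFilename`, whose implementation is not visible here — if it does not reject directory separators and `..` segments, a `$filename = basename($filename);` before the check is the cheap safeguard, and the assumption should be stated in a comment either way. The new parameter in the second hunk also deserves a docblock, e.g. `@param string|null $filename Name to store the upload under; defaults to the client-supplied filename`. uploadMediaFile's body continues outside the hunk.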
@@ -51,9 +60,7 @@ trait FlexMediaTrait
         }
 
         // Check the file extension.
-        $filename = $uploadedFile->getClientFilename();
-        $fileParts = pathinfo($filename);
-        $extension = isset($fileParts['extension']) ? strtolower($fileParts['extension']) : '';
+        $extension = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
 
         // If not a supported type, return
         if (!$extension || !$config->get("media.types.{$extension}")) {
@@ -85,6 +92,10 @@ trait FlexMediaTrait
         $grav = Grav::instance();
         $language = $grav['language'];
 
+        if (!Utils::checkFilename($filename)) {
+            throw new RuntimeException($language->translate('PLUGIN_ADMIN.FILE_COULD_NOT_BE_DELETED') . ': Bad filename: ' . $filename, 400);
+        }
+
         $media = $this->getMedia();
 
         /** @var UniformResourceLocator $locator */
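Review bot: The guard added in the second hunk here echoes the rejected name back verbatim by concatenation (`': Bad filename: ' . $filename`), whereas the matching check in uploadMediaFile routes it through `sprintf` with a translated template; for consistency, and to keep raw client input out of the exception text unless the caller is known to escape it, either reuse that pattern or drop the name: `throw new RuntimeException($language->translate('PLUGIN_ADMIN.FILE_COULD_NOT_BE_DELETED') . ': Bad filename', 400);`. As on the upload path, this check only protects the `getMedia()`/locator lookup that presumably follows if `Utils::checkFilename` rejects path components, which cannot be confirmed from this diff; a one-line comment naming that expectation above the `if` would help the next reader. The enclosing method's signature and the later uses of `$filename` are outside the hunk.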