move security check before save file

FreedomKnight · web-flow · commit 4fd33154a4c8 · 2017-09-21T17:48:37.000+08:00
diff --git a/src/controllers/UploadController.php b/src/controllers/UploadController.php
@@ -121,17 +121,21 @@ private function uploadValidator($file)
         return 'pass';
     }
 
+    protected function replaceInsecureSuffix($name)
+    {
+        return preg_replace("/\.php$/", '', $name);
+    }
+
     private function getNewName($file)
     {
         $new_filename = parent::translateFromUtf8(trim($this->_pathinfo($file->getClientOriginalName(), PATHINFO_FILENAME)));
-        $new_filename = preg_replace("/\.php$/", '', $new_filename);
         if (config('lfm.rename_file') === true) {
             $new_filename = uniqid();
         } elseif (config('lfm.alphanumeric_filename') === true) {
             $new_filename = preg_replace('/[^A-Za-z0-9\-\']/', '_', $new_filename);
         }
 
-        return $new_filename . '.' . $file->getClientOriginalExtension();
+        return $new_filename . $this->replaceInsecureSuffix('.' . $file->getClientOriginalExtension());
     }
 
     private function makeThumb($new_filename)

Original file line number	Diff line number	Diff line change
`@@ -121,17 +121,21 @@ private function uploadValidator($file)`
`121`	`121`	`return 'pass';`
`122`	`122`	`}`
`123`	`123`
	`124`	`+ protected function replaceInsecureSuffix($name)`
	`125`	`+ {`
	`126`	`+ return preg_replace("/\.php$/", '', $name);`
	`127`	`+ }`
	`128`	`+`
`124`	`129`	`private function getNewName($file)`
`125`	`130`	`{`
`126`	`131`	`$new_filename = parent::translateFromUtf8(trim($this->_pathinfo($file->getClientOriginalName(), PATHINFO_FILENAME)));`
`127`		`- $new_filename = preg_replace("/\.php$/", '', $new_filename);`
`128`	`132`	`if (config('lfm.rename_file') === true) {`
`129`	`133`	`$new_filename = uniqid();`
`130`	`134`	`} elseif (config('lfm.alphanumeric_filename') === true) {`
`131`	`135`	`$new_filename = preg_replace('/[^A-Za-z0-9\-\']/', '_', $new_filename);`
`132`	`136`	`}`
`133`	`137`
`134`		`- return $new_filename . '.' . $file->getClientOriginalExtension();`
	`138`	`+ return $new_filename . $this->replaceInsecureSuffix('.' . $file->getClientOriginalExtension());`
`135`	`139`	`}`
`136`	`140`
`137`	`141`	`private function makeThumb($new_filename)`