Filename sanitization optimized to remove any leftover dot prefix

Webklex · Webklex · commit 861557cc7519 · 2025-01-17T04:38:11.000+01:00
diff --git a/src/Attachment.php b/src/Attachment.php
@@ -324,13 +324,17 @@ public function decodeName(?string $name): string {
             }
 
             // sanitize $name
-            // order of '..' is important
             $replaces = [
                 '/\\\\/' => '',
                 '/[\/\0:]+/' => '',
                 '/\.+/' => '.',
             ];
-            return preg_replace(array_keys($replaces), array_values($replaces), $name);
+            $name_starts_with_dots = str_starts_with($name, '..');
+            $name = preg_replace(array_keys($replaces), array_values($replaces), $name);
+            if($name_starts_with_dots) {
+                return substr($name, 1);
+            }
+            return $name;
         }
         return "";
     }
diff --git a/tests/AttachmentTest.php b/tests/AttachmentTest.php
@@ -28,7 +28,7 @@ public function testDecodeName(string $input, string $output): void
     public function decodeNameDataProvider(): array
     {
         return [
-            ['../../../../../../../../../../../var/www/shell.php', '.varwwwshell.php'],
+            ['../../../../../../../../../../../var/www/shell.php', 'varwwwshell.php'],
             ['test..xml', 'test.xml'],
             [chr(0), ''],
             ['C:\\file.txt', 'Cfile.txt'],

Original file line number	Diff line number	Diff line change
`@@ -324,13 +324,17 @@ public function decodeName(?string $name): string {`
`324`	`324`	`}`
`325`	`325`
`326`	`326`	`// sanitize $name`
`327`		`- // order of '..' is important`
`328`	`327`	`$replaces = [`
`329`	`328`	`'/\\\\/' => '',`
`330`	`329`	`'/[\/\0:]+/' => '',`
`331`	`330`	`'/\.+/' => '.',`
`332`	`331`	`];`
`333`		`- return preg_replace(array_keys($replaces), array_values($replaces), $name);`
	`332`	`+ $name_starts_with_dots = str_starts_with($name, '..');`
	`333`	`+ $name = preg_replace(array_keys($replaces), array_values($replaces), $name);`
	`334`	`+ if($name_starts_with_dots) {`
	`335`	`+ return substr($name, 1);`
	`336`	`+ }`
	`337`	`+ return $name;`
`334`	`338`	`}`
`335`	`339`	`return "";`
`336`	`340`	`}`
Original file line number	Diff line number	Diff line change
`@@ -28,7 +28,7 @@ public function testDecodeName(string $input, string $output): void`
`28`	`28`	`public function decodeNameDataProvider(): array`
`29`	`29`	`{`
`30`	`30`	`return [`
`31`		`- ['../../../../../../../../../../../var/www/shell.php', '.varwwwshell.php'],`
	`31`	`+ ['../../../../../../../../../../../var/www/shell.php', 'varwwwshell.php'],`
`32`	`32`	`['test..xml', 'test.xml'],`
`33`	`33`	`[chr(0), ''],`
`34`	`34`	`['C:\\file.txt', 'Cfile.txt'],`