FilenameSanitizerImpl.php

Go to the documentation of this file.

<?php
declare(strict_types=1);

namespace ILIAS\Filesystem\Security\Sanitizing;

use ilFileUtils;
use ILIAS\Filesystem\Util;

final class FilenameSanitizerImpl implements FilenameSanitizer
{

    private $whitelist;

    public function __construct()
    {
        $this->whitelist = ilFileUtils::getValidExtensions();

        // the secure file ending must be valid, therefore add it if it got removed from the white list.
        if (!in_array(FilenameSanitizer::CLEAN_FILE_SUFFIX, $this->whitelist, true)) {
            array_push($this->whitelist, FilenameSanitizer::CLEAN_FILE_SUFFIX);
        }
    }

    public function isClean(string $filename) : bool
    {
        $suffix = $this->extractFileSuffix($filename);
        if (preg_match('/^ph(p[3457]?|t|tml|ar)$/i', $suffix)) {
            return false;
        }

        return in_array($suffix, $this->whitelist, true);
    }

    public function sanitize(string $filename) : string
    {
        $filename = Util::sanitizeFileName($filename);

        if ($this->isClean($filename)) {
            return $filename;
        }

        $pathInfo = pathinfo($filename);
        $basename = $pathInfo['basename'];
        $parentPath = $pathInfo['dirname'];

        $filename = str_replace('.', '', $basename);
        $filename .= "." . FilenameSanitizer::CLEAN_FILE_SUFFIX;

        // there is no parent
        if ($parentPath === '') {
            return $filename;
        }

        return "$parentPath/$filename";
    }

    private function extractFileSuffix($filename)
    {
        return strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    }
}