Coding standards
Security in ResourceSpace
Developer reference
Database
Action functions
Admin functions
Ajax functions
Annotation functions
API functions
Collections functions
Comment functions
Config functions
CSV export functions
Dash functions
Debug functions
Encryption functions
Facial recognition functions
File functions
General functions
Language functions
Log functions
Login functions
Message functions
Migration functions
Node functions
PDF functions
Plugin functions
Render functions
Reporting functions
Request functions
Research functions
Slideshow functions
Theme permission functions
User functions
Video functions
Database functions
Metadata functions
Resource functions
Search functions
Map functions
Job functions
Tab functions
Test functions

parse_filename_extension()

Description

Parse file name (can include path, although it's unnecessary) to prevent known security bypasses associated with
extensions, such as:
- Double extensions, e.g. .jpg.php
- Null bytes, e.g. .php%00.jpg, where .jpg gets truncated and .php becomes the new extension
- Using Windows (DOS) 8.3 short path feature where it's possible to replace existing files by using their shortname
(e.g. ".htaccess" can be replaced by "HTACCE~1")

Parameters

ColumnTypeDefaultDescription
$filename: string

Location

include/file_functions.php lines 564 to 601

Definition

 
function parse_filename_extension(string $filename): string
{
    $orig_use_error_exception_val $GLOBALS['use_error_exception'] ?? false;
    $GLOBALS["use_error_exception"] = true;
    try {
        $finfo = new SplFileInfo($filename);
    } catch (Throwable $t) {
        debug("[WARN] Bad file '{$filename}'. Reason: {$t->getMessage()}");
        return '';
    }
    $GLOBALS['use_error_exception'] = $orig_use_error_exception_val;

    /*
    Windows (DOS) 8.3 short paths (e.g. "HTACCE~1" = ".htaccess"). Example file info in such scenario:
    Filename is: HTACCE~1
    Path is: (note, depends if input is a file name with path)
    Path name is: HTACCE~1
    Real path is: C:\path\to\.htaccess
    */
    if (preg_match('/^[A-Z0-9]{1,6}~([A-Z0-9]?)(\.[A-Z0-9_]{1,3})?$/i'$finfo->getFilename()) === 1) {
        if ($finfo->getRealPath() !== false && basename($finfo->getRealPath()) !== $finfo->getFilename()) {
            return parse_filename_extension($finfo->getRealPath());
        } else {
            // Invalid if not a real file to avoid potential exploits
            debug("[WARN] Windows (DOS) 8.3 short path for non-existent file '{$filename}' - considered invalid");
            return '';
        }
    }

    // Invalidate if it's a hidden file without an extension (e.g .htaccess or .htpasswd) which would be incorrectly
    // picked up as an extension
    if (trim($finfo->getBasename($finfo->getExtension())) === '.') {
        debug("Hidden file '{$filename}' without an extension - considered invalid");
        return '';
    }

    return $finfo->getExtension();
}

This article was last updated 3rd April 2025 21:35 Europe/London time based on the source file dated 2nd April 2025 15:30 Europe/London time.