Item13697: Prevent attach of unsupported filename

If the Store is not utf-8, then we have to ensure that any attachment filename is supported by the Store encoding. Unfortunately this adds a string. Partial fix ... need to do the same thing for Topic and Web names.
foswiki · Sep 11, 2015 · 8366b8a · 8366b8a
1 parent 24a5f4d
commit 8366b8a
Show file tree

Hide file tree

Showing 3 changed files with 94 additions and 0 deletions.
diff --git a/UnitTestContrib/test/unit/UploadScriptTests.pm b/UnitTestContrib/test/unit/UploadScriptTests.pm
@@ -1,6 +1,7 @@
 package UploadScriptTests;
 use strict;
 use warnings;
+use utf8;
 
 use FoswikiFnTestCase;
 our @ISA = qw( FoswikiFnTestCase );
@@ -259,6 +260,68 @@ sub test_illegal_upload {
         $this->assert_str_equals( $goodfilename,         $e->{params}[1] );
         $this->assert_str_equals( "upload_name_changed", $e->{def} );
     };
+}
+
+sub test_unsupported_characters {
+    my $this = shift;
+    local $/ = undef;
+    my $data = 'asdfasdf';
+    $Foswiki::cfg{Store}{Encoding} = 'iso-8859-1';
+    my $badfilename = 'AśčÁŠŤśěž.txt';
+    try {
+        $this->do_upload(
+            $badfilename,
+            $data,
+            undef,
+            hidefile         => 0,
+            filecomment      => 'Elucidate the goose',
+            createlink       => 0,
+            changeproperties => 0
+        );
+        $this->assert(0);
+    }
+    catch Foswiki::OopsException with {
+        my $e = shift;
+        $this->assert_str_equals( $badfilename,           $e->{params}[0] );
+        $this->assert_str_equals( "unsupported_filename", $e->{def} );
+    };
+
+    return;
+}
+
+sub test_supported_nonascii {
+    my $this = shift;
+    local $/ = undef;
+    my $data = 'asdfasdf';
+    $Foswiki::cfg{Store}{Encoding} = 'iso-8859-1';
+    my $filename = '¢£é.txt';
+    my $isoname  = "\xa2\xa3\xe9.txt";
+    my $result   = $this->do_upload(
+        $filename,
+        $data,
+        undef,
+        hidefile         => 0,
+        filecomment      => 'Elucidate the goose',
+        createlink       => 0,
+        changeproperties => 0
+    );
+    $this->assert_matches( qr/^Status: 302/ms, $result );
+    $this->assert(
+        open(
+            my $F,
+            '<',
+"$Foswiki::cfg{PubDir}/$this->{test_web}/$this->{test_topic}/$isoname"
+        )
+    );
+    $this->assert_str_equals( "asdfasdf", <$F> );
+    $this->assert( close($F) );
+    my ( $meta, $text ) =
+      Foswiki::Func::readTopic( $this->{test_web}, $this->{test_topic} );
+
+    # Check the meta
+    my $at = $meta->get( 'FILEATTACHMENT', $filename );
+    $this->assert($at);
+    $this->assert_str_equals( 'Elucidate the goose', $at->{comment} );
 
     return;
 }

diff --git a/core/lib/Foswiki/Sandbox.pm b/core/lib/Foswiki/Sandbox.pm
@@ -32,6 +32,7 @@ use strict;
 use warnings;
 use Assert;
 use Error qw( :try );
+use Encode;
 
 use File::Spec ();
 use File::Temp ();
@@ -312,6 +313,31 @@ sub sanitizeAttachmentName {
 
     my $origName = $fileName;
 
+    # Check that on non-utf8 systems, the requested filename can be supported
+    # by the store encoding.  If not supported, throw an error, rather than
+    # attempting to scrub it to a usable name.
+    if (   $Foswiki::cfg{Store}{Encoding}
+        && $Foswiki::cfg{Store}{Encoding} ne 'utf-8'
+        && $fileName =~ m/[^[:ascii:]]+/ )
+    {
+        try {
+            my $encoded =
+              Encode::encode( $Foswiki::cfg{Store}{Encoding} || 'utf-8',
+                $fileName, Encode::FB_CROAK );
+            $fileName =
+              $origName;    # Restore the original name, encode consumes it.
+        }
+        catch Error with {
+            throw Foswiki::OopsException(
+                'attention',
+                def    => 'unsupported_filename',
+                params => [
+                    ( "$fileName", $Foswiki::cfg{Store}{Encoding} || 'utf-8' )
+                ]
+            );
+        };
+    }
+
     # Change spaces to underscore
     $fileName =~ s/ /_/g;
 

diff --git a/core/templates/messages.tmpl b/core/templates/messages.tmpl
@@ -248,6 +248,11 @@ registermessages.tmpl
 %TMPL:P{"oktopicaction"}%
 %TMPL:END%
 %{==============================================================================}%
+%TMPL:DEF{"unsupported_filename"}%
+---+++ %MAKETEXT{"The filename you are attempting to upload ([_1]) contains characters not supported by the configured encoding ([_2])." args="<code>%PARAM1%</code>, <code>%PARAM2%</code>"}%
+%MAKETEXT{"Please go back in your browser and upload using a different filename."}%
+%TMPL:END%
+%{==============================================================================}%
 %TMPL:DEF{"zero_size_upload"}%
 ---+++ %MAKETEXT{"Either you did not specify a file name, or the file you are trying to upload [_1] has no content. You may not upload an empty file." args="<code>%PARAM1%</code>"}%
 %MAKETEXT{"Please go back in your browser and check again."}%