FileUpload::getSanitizedName() changes the extension only for image f…

…iles [Closes #239]
nette · Nov 4, 2024 · 4be9c32 · 4be9c32
1 parent 7f70020
commit 4be9c32
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 11 deletions.
diff --git a/src/Http/FileUpload.php b/src/Http/FileUpload.php
@@ -80,7 +80,7 @@ public function getUntrustedName(): string
 
 	/**
 	 * Returns the sanitized file name. The resulting name contains only ASCII characters [a-zA-Z0-9.-].
-	 * If the name does not contain such characters, it returns 'unknown'. If the file is JPEG, PNG, GIF, or WebP image,
+	 * If the name does not contain such characters, it returns 'unknown'. If the file is an image supported by PHP,
 	 * it returns the correct file extension. Do not blindly trust the value returned by this method.
 	 */
 	public function getSanitizedName(): string
@@ -89,9 +89,9 @@ public function getSanitizedName(): string
 		$name = str_replace(['-.', '.-'], '.', $name);
 		$name = trim($name, '.-');
 		$name = $name === '' ? 'unknown' : $name;
-		if ($ext = $this->getSuggestedExtension()) {
+		if ($this->isImage()) {
 			$name = preg_replace('#\.[^.]+$#D', '', $name);
-			$name .= '.' . $ext;
+			$name .= '.' . $this->getSuggestedExtension();
 		}
 
 		return $name;

diff --git a/tests/Http/FileUpload.getSanitizedName.phpt b/tests/Http/FileUpload.getSanitizedName.phpt
@@ -12,10 +12,13 @@ use Tester\Assert;
 require __DIR__ . '/../bootstrap.php';
 
 
-function getSanitizedName(string $name, ?string $ext = null): string
+function getSanitizedName(string $name, ?string $type = null): string
 {
 	$file = new FileUpload(['name' => $name, 'size' => 0, 'tmp_name' => '', 'error' => UPLOAD_ERR_NO_FILE]);
-	Assert::with($file, fn() => $file->extension = $ext);
+	Assert::with($file, function () use ($file, $type) {
+		$file->type = $type;
+		$file->extension = $type === null ? null : explode('/', $type)[1];
+	});
 	return $file->getSanitizedName();
 }
 
@@ -34,10 +37,20 @@ test('name', function () {
 
 
 test('name & extension', function () {
-	Assert::same('unknown.jpeg', getSanitizedName('', 'jpeg'));
-	Assert::same('unknown.jpeg', getSanitizedName('--', 'jpeg'));
-	Assert::same('foo.jpeg', getSanitizedName('foo', 'jpeg'));
-	Assert::same('foo.jpeg', getSanitizedName('foo.jpg', 'jpeg'));
-	Assert::same('foo.jpeg', getSanitizedName('foo.php', 'jpeg'));
-	Assert::same('image.jpeg', getSanitizedName('./.image.png', 'jpeg'));
+	Assert::same('unknown', getSanitizedName('', 'application/pdf'));
+	Assert::same('unknown', getSanitizedName('--', 'application/pdf'));
+	Assert::same('foo', getSanitizedName('foo', 'application/pdf'));
+	Assert::same('foo.jpg', getSanitizedName('foo.jpg', 'application/pdf'));
+	Assert::same('foo.php', getSanitizedName('foo.php', 'application/pdf'));
+	Assert::same('image.png', getSanitizedName('./.image.png', 'application/pdf'));
+});
+
+
+test('image name & extension', function () {
+	Assert::same('unknown.jpeg', getSanitizedName('', 'image/jpeg'));
+	Assert::same('unknown.jpeg', getSanitizedName('--', 'image/jpeg'));
+	Assert::same('foo.jpeg', getSanitizedName('foo', 'image/jpeg'));
+	Assert::same('foo.jpeg', getSanitizedName('foo.jpg', 'image/jpeg'));
+	Assert::same('foo.jpeg', getSanitizedName('foo.php', 'image/jpeg'));
+	Assert::same('image.jpeg', getSanitizedName('./.image.png', 'image/jpeg'));
 });