grav-plugin-form
grav-plugin-form copied to clipboard
getgrav
[FIX] Critical Bug - Form save: File with extension not allowed
Hi Today I've seen that the form has a big problem after to send a message I get this error
Form save: File with extension not allowed: contactform-06/01/2024 13:24:36.txt
why should the txt file be wrong? It worked fine before, I think it's due to the latest plugin updates, which added this error
How is it possible to fix it? all sites with grav have this problem. I use the latest versions
the email is sent correctly
I've seen that the problem is due from this condition inside Utils::checkFilename of Utils.php at line 989
|| strtr($filename, "\t\v\n\r\0\/", '_______') !== $filename
I think the problem is in the $filename variable because it is like so
contactform-06/01/2024 15:07:23.txt
but the real filename is so 2024 15:07:23.txt, because contactform-06 is a folder and 01 is another folder and the condition check the presence of slashes
it is not possible to use this line
$filename = $prefix . $this->udate($format, $raw_format) . $postfix . $ext;
with this condition
if (!Utils::checkFilename($filename)) { throw new RuntimeException(sprintf('Form save: File with extension not allowed: %s', $filename)); }
the filename includes folders with slashes in its name, so you should pass to that condition only the real filename or use a different condition
I suggest this solution
` $filename_array = $filename ? explode('/', $filename) : [];
// Handle bad filenames.
if (!Utils::checkFilename($filename_array[count($filename_array) -1])) {
throw new RuntimeException(sprintf('Form save: File with extension not allowed: %s', $filename));
}`
thanks
Is there anyone who handles this topic? This would solve a problem in sending emails, I think it's important
Sorry only me, and i've been sick.
It sounds like you are trying to have a custom path in the filename, and then you are trying to work-around the security checks that are there to prevent adding custom paths to filenames. The reason this is there now is due to a vulnerability that allowed arbitrary paths to be passed in via a user editable form.
So that said, it seems the error is correct, but the message is wrong, it's really the filename is not allowed, due to the path structure in it, not merely the extension.
In short the filename should not contain paths.
A better solution is to have a new path option that is added to the front of the filename, but is in some format that can be auto-generated, perhaps using PHP date tokens, So not completely arbitrary, something that can be validated.
In the meantime, i suggest just using the date in the filename rather than prefixing folders.
Hi I'm sorry, yes I also got sick 23 weeks ago, now there are a lot of people with the flu
I don't think I did any customization, just something in the theme files for the form graphics. the problem arose due to an update made in the "form" plugin, in fact I saw that this check was added
do a check and you will see that in form/form.php the variable $filename also contains the paths to the file
with the version v7.2.1 this condition is not present and all is ok
as mentioned, the condition gives an error because the variable also contains the paths to the filename I don't think I've made any changes to the file path, because I'm not interested in this type of change
thanks
So in this part:
dateformat: 'd/m/Y H:i:s'
change it to:
dateformat: 'd-m-Y_H:i:s'
or someting similar