From ea542ae405b98b0f806e7a44a15a1c49778de46d Mon Sep 17 00:00:00 2001
From: Prasad <prasad@vtiger.com>
Date: Wed, 20 Feb 2019 15:26:22 +0530
Subject: [PATCH] Enhanced sanitization of file upload

---
 modules/Settings/Vtiger/actions/CompanyDetailsSave.php |  5 +++--
 modules/Vtiger/helpers/Util.php                        | 10 ++++++++--
 2 files changed, 11 insertions(+), 4 deletions(-)

diff --git a/modules/Settings/Vtiger/actions/CompanyDetailsSave.php b/modules/Settings/Vtiger/actions/CompanyDetailsSave.php
index daedf32a7..44590496d 100644
--- a/modules/Settings/Vtiger/actions/CompanyDetailsSave.php
+++ b/modules/Settings/Vtiger/actions/CompanyDetailsSave.php
@@ -32,6 +32,7 @@ class Settings_Vtiger_CompanyDetailsSave_Action extends Settings_Vtiger_Basic_Ac
 		$status = false;
 		if ($request->get('organizationname')) {
 			$saveLogo = $status = true;
+			$logoName = false;
 			if(!empty($_FILES['logo']['name'])) {
 				$logoDetails = $_FILES['logo'];
 				$fileType = explode('/', $logoDetails['type']);
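Review bot: The added `$logoName = false;` is the guard that the second hunk of this file tests with `&& $logoName`, but the assignment that turns it into an actual name lies outside both hunks, so the fallback to the stored `logoname` depends on unseen code setting it only after the upload has been accepted; a comment on this line would pin that contract, e.g. `// sanitized upload name; stays false unless the logo passes the checks below`. Separately, `$logoDetails['type']` on the following context line is the client-supplied MIME type of the multipart part, so whatever `$fileType` is later compared against must not be the only gate — the extension-based sanitizer in Util.php is the check that has to hold. The enclosing method starts and ends outside this hunk.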
@@ -64,8 +65,8 @@ class Settings_Vtiger_CompanyDetailsSave_Action extends Settings_Vtiger_Basic_Ac
 			foreach ($fields as $fieldName => $fieldType) {
 				$fieldValue = $request->get($fieldName);
 				if ($fieldName === 'logoname') {
-					if (!empty($logoDetails['name'])) {
-						$fieldValue = decode_html(ltrim(basename(" " . $logoDetails['name'])));
+					if (!empty($logoDetails['name']) && $logoName) {
+						$fieldValue = decode_html(ltrim(basename(" " . $logoName)));
 					} else {
 						$fieldValue = decode_html($moduleModel->get($fieldName));
 					}
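Review bot: The `" " . $logoName` prefix followed by `ltrim` on the new line is an unexplained idiom; it appears to work around `basename()` being locale-dependent and dropping leading non-ASCII bytes, and deserves a comment such as `// leading space keeps basename() from stripping leading multibyte characters`. If `$logoName` is the return value of `Vtiger_Util_Helper::sanitizeUploadFileName`, which in this same patch now applies `ltrim(basename(' ' . ...))` itself, the second application here is redundant and the line could become `$fieldValue = decode_html($logoName);`. Running `decode_html` after sanitizing can reintroduce characters that entities encode; the new `&` replacement in the sanitizer presumably forestalls that, but it is worth confirming. The enclosing method starts and ends outside this hunk.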
diff --git a/modules/Vtiger/helpers/Util.php b/modules/Vtiger/helpers/Util.php
index 3ea6edf4f..1bb5ade98 100644
--- a/modules/Vtiger/helpers/Util.php
+++ b/modules/Vtiger/helpers/Util.php
@@ -383,8 +383,11 @@ class Vtiger_Util_Helper {
 	 * @param <Array> $badFileExtensions
 	 * @return <String> sanitized file name
 	 */
-	public static function sanitizeUploadFileName($fileName, $badFileExtensions) {
-		$fileName = preg_replace('/\s+/', '_', $fileName);//replace space with _ in filename
+	public static function sanitizeUploadFileName($fileName, $badFileExtensions = false) {
+		if (!$badFileExtensions) {
+			$badFileExtensions = vglobal('upload_badext');
+		}
+		$fileName = preg_replace('/[\s#%&]+/', '_', $fileName);//replace space,#,%,& with _ in filename
 		$fileName = rtrim($fileName, '\\/<>?*:"<>|');
 
 		$fileNameParts = explode('.', $fileName);
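Review bot: The widened character class on the new `preg_replace` line stops at `\s#%&`, while the `rtrim` on the next line strips `\\/<>?*:"|` only when trailing, so `<`, `>`, `"`, `|`, `?`, `*` and `:` still survive in the interior of a name; if the intent is to neutralise them as well, `preg_replace('/[\s#%&<>:"|?*]+/', '_', $fileName)` does it in the same place (slashes are covered by the `basename` call added later in this method). The new default `$badFileExtensions = false` with `if (!$badFileExtensions)` also treats an explicitly passed empty array as "use the global list", which may or may not be intended; `$badFileExtensions = null` with `if ($badFileExtensions === null)` would limit the fallback to the omitted-argument case. Without the `u` modifier `\s` matches only ASCII whitespace, which is probably acceptable here but worth stating in the trailing comment. The method's body continues past the end of this hunk.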
@@ -403,6 +406,9 @@ class Vtiger_Util_Helper {
 		if ($badExtensionFound) {
 			$newFileName .= ".txt";
 		}
+
+		$newFileName = ltrim(basename(' '.$newFileName));//allowed filename like UTF-8 characters
+		
 		return $newFileName;
 	}
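Review bot: The comment `//allowed filename like UTF-8 characters` on the added line does not say why the leading space is there; I would replace it with `// prefix a space so the locale-dependent basename() keeps leading multibyte characters, then trim it off again`. The added line just before `return` consists only of tab characters, which code-style tools flag as trailing whitespace; either drop it or make it a truly empty line. The same `ltrim(basename(' ' . ...))` construct is applied again by the caller in CompanyDetailsSave.php in this patch; now that the helper performs it, the caller's copy looks redundant.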
 
-- 
GitLab