From c187595865d058f597405c59cb90804befa79e0e Mon Sep 17 00:00:00 2001 From: yamamoto Date: Thu, 22 Jan 2026 19:46:40 +0900 Subject: [PATCH 1/3] Fix transliteration handling for uploaded file basenames --- .../media/browser/mcpuk/connectors/Commands/FileUpload.php | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/manager/media/browser/mcpuk/connectors/Commands/FileUpload.php b/manager/media/browser/mcpuk/connectors/Commands/FileUpload.php index 5813633be..a2bc04d9b 100644 --- a/manager/media/browser/mcpuk/connectors/Commands/FileUpload.php +++ b/manager/media/browser/mcpuk/connectors/Commands/FileUpload.php @@ -74,7 +74,12 @@ function run() if ($modx->config['clean_uploaded_filename'] == 1 && isset($ext)) { $originalFilename = $filename; - $filename = $modx->stripAlias($filename, ['file_manager']); + $basename = substr($filename, 0, strrpos($filename, '.')); + $basename = $modx->stripAlias($basename, ['file_manager']); + if ($basename === '') { + $basename = date('Ymd') . '-' . substr(md5(uniqid(mt_rand(), true)), 0, 8); + } + $filename = "{$basename}.{$ext}"; if ($filename !== $originalFilename) { $disp = "201,'ファイル名に使えない文字が含まれているため変更しました。'"; } From 75866b6e3a98713fd50228eea43927652e5ea7af Mon Sep 17 00:00:00 2001 From: yamamoto Date: Thu, 22 Jan 2026 22:16:08 +0900 Subject: [PATCH 2/3] Fix upload filename sanitization via DocumentParser --- .../includes/document.parser.class.inc.php | 18 ++++++++++++----- .../mcpuk/connectors/Commands/FileUpload.php | 20 +++++++------------ 2 files changed, 20 insertions(+), 18 deletions(-) diff --git a/manager/includes/document.parser.class.inc.php b/manager/includes/document.parser.class.inc.php index 58fbed46c..e44d17363 100644 --- a/manager/includes/document.parser.class.inc.php +++ b/manager/includes/document.parser.class.inc.php 
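Review bot: The fallback name in the `@@ -74,7 +74,12 @@` hunk of FileUpload.php is built from `md5(uniqid(mt_rand(), true))`, which comes from the clock and a non-cryptographic generator, so it should not be treated as unguessable. The same expression appears in the fallback blocks of `sanitizeUploadedFilename()` in the `@@ -5867,10 +5867,12 @@` and `@@ -5878,6 +5880,12 @@` hunks of PATCH 2/3. If uploaded files are ever expected to be hard to enumerate by name, and the supported PHP version provides it, the CSPRNG gives the same eight hex characters: `$basename = date('Ymd') . '-' . bin2hex(random_bytes(4));`. `run()` starts and ends outside the hunk.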
@@ -5852,7 +5852,7 @@ public function move_uploaded_file($tmp_path, $target_path) * @param string $filepath フルパス * @return string サニタイズされたフルパス */ - private function sanitizeUploadedFilename($filepath) + public function sanitizeUploadedFilename($filepath) { $dir = dirname($filepath); $filename = basename($filepath); @@ -5867,10 +5867,12 @@ private function sanitizeUploadedFilename($filepath) $ext = ''; } - // ASCII文字以外を含む場合のみ処理 - if (preg_match('/[^\x20-\x7E]/', $name)) { - // タイムスタンプベースの安全なファイル名を生成 - $timestamp = date('Y-md'); + if ($this->config('clean_uploaded_filename') == 1) { + $name = $this->stripAlias($name, ['file_manager']); + } + + if ($name === '') { + $timestamp = date('Ymd'); $random = substr(md5(uniqid(mt_rand(), true)), 0, 8); $name = sprintf('%s-%s', $timestamp, $random); } @@ -5878,6 +5880,12 @@ private function sanitizeUploadedFilename($filepath) // 安全でない文字を除去 $name = preg_replace('/[^a-zA-Z0-9._-]/', '_', $name); + if ($name === '') { + $timestamp = date('Ymd'); + $random = substr(md5(uniqid(mt_rand(), true)), 0, 8); + $name = sprintf('%s-%s', $timestamp, $random); + } + return $dir . '/' . $name . $ext; } diff --git a/manager/media/browser/mcpuk/connectors/Commands/FileUpload.php b/manager/media/browser/mcpuk/connectors/Commands/FileUpload.php index a2bc04d9b..d12d69a7a 100644 --- a/manager/media/browser/mcpuk/connectors/Commands/FileUpload.php +++ b/manager/media/browser/mcpuk/connectors/Commands/FileUpload.php 
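Review bot: Making `sanitizeUploadedFilename()` public in the `@@ -5852,7 +5852,7 @@` hunk turns it into an API for other callers, but the docblock still only says that it takes and returns a full path. The visible body splits the argument with `dirname()` and `basename()`, and the return line in the later hunk puts `$dir` back unchanged, so only the file name part is cleaned. I would add to the docblock: `Only the basename is sanitized; the directory part is returned as given, so callers must pass a directory they already trust.` The function body continues outside this hunk.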
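Review bot: With the `/[^\x20-\x7E]/` branch removed in the `@@ -5867,10 +5867,12 @@` hunk, a non-ASCII name no longer gets the timestamp name when `clean_uploaded_filename` is not 1. It falls through to the later `preg_replace('/[^a-zA-Z0-9._-]/', '_', $name)`, which has no `u` modifier and so replaces byte by byte, leaving a run of underscores that is not empty and therefore skips the `$name === ''` fallback. Different uploads whose names have the same byte length then map to the same target name; how the caller handles an existing target is outside this diff. One way to keep the old behaviour is to widen the check that follows `preg_replace` (added in the next hunk) to `if ($name === '' || trim($name, '_') === '') {`.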
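Review bot: The allow-list in the `@@ -5878,6 +5880,12 @@` hunk keeps `.` inside `$name`, and `$ext` is appended on the return line without passing through any filter in the lines shown. A name such as `report.php.jpg` (constructed example) therefore keeps its inner `.php`, which some web server handler configurations act on. Now that the file browser upload goes through this routine, I would either drop `.` from the class for the name part, `$name = preg_replace('/[^a-zA-Z0-9_-]/', '_', $name);`, or confirm that the caller's extension checks already reject inner extensions. Those checks, and how `$ext` is derived, are outside the hunk.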
@@ -72,19 +72,6 @@ function run() } } - if ($modx->config['clean_uploaded_filename'] == 1 && isset($ext)) { - $originalFilename = $filename; - $basename = substr($filename, 0, strrpos($filename, '.')); - $basename = $modx->stripAlias($basename, ['file_manager']); - if ($basename === '') { - $basename = date('Ymd') . '-' . substr(md5(uniqid(mt_rand(), true)), 0, 8); - } - $filename = "{$basename}.{$ext}"; - if ($filename !== $originalFilename) { - $disp = "201,'ファイル名に使えない文字が含まれているため変更しました。'"; - } - } - if (!array_key_exists('NewFile', $_FILES)) $disp = "202,'Unable to find uploaded file.'"; //No file uploaded with field name NewFile elseif ($_FILES['NewFile']['error'] || ($typeconfig['MaxSize']) < $_FILES['NewFile']['size']) { $disp = "202,'ファイル容量オーバーです。'";//Too big @@ -135,6 +122,13 @@ function run() $tmp_name = $_FILES['NewFile']['tmp_name']; $filename = "{$basename}.{$ext}"; $target = "{$this->real_cwd}/{$filename}"; + $originalFilename = $filename; + $target = $modx->sanitizeUploadedFilename($target); + $filename = basename($target); + $basename = substr($filename, 0, strrpos($filename, '.')); + if ($filename !== $originalFilename) { + $disp = "201,'ファイル名に使えない文字が含まれているため変更しました。'"; + } if (!is_file($target)) { //Upload file $rs = $this->file_upload($tmp_name, $target); From ca5c3aab5dee0be4dcc3de812c77606f17f030b2 Mon Sep 17 00:00:00 2001 From: yamamoto Date: Thu, 22 Jan 2026 22:16:16 +0900 Subject: [PATCH 3/3] Fix duplicate fallback in upload filename sanitizing --- manager/includes/document.parser.class.inc.php | 6 ------ 1 file changed, 6 deletions(-) diff --git a/manager/includes/document.parser.class.inc.php b/manager/includes/document.parser.class.inc.php index e44d17363..45145a0e0 100644 --- a/manager/includes/document.parser.class.inc.php +++ b/manager/includes/document.parser.class.inc.php 
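Review bot: In the `@@ -135,6 +122,13 @@` hunk the name is rewritten by `sanitizeUploadedFilename()` after whatever validation sits earlier in `run()` (not shown between the two hunks), so the validated name is no longer exactly the name written to disk. `$filename` and `$basename` are refreshed from the sanitized path but `$ext` is not, which is safe only while the sanitizer never alters the extension. I would state that contract next to the call, `// checks above ran on the pre-sanitized name; sanitizeUploadedFilename() must leave the extension unchanged`, or re-derive `$ext` from the result. Separately, `strrpos($filename, '.')` returns `false` for a name without a dot, which leaves `$basename` empty. `run()` starts and ends outside the hunk.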
@@ -5871,12 +5871,6 @@ public function sanitizeUploadedFilename($filepath) $name = $this->stripAlias($name, ['file_manager']); } - if ($name === '') { - $timestamp = date('Ymd'); - $random = substr(md5(uniqid(mt_rand(), true)), 0, 8); - $name = sprintf('%s-%s', $timestamp, $random); - } - // 安全でない文字を除去 $name = preg_replace('/[^a-zA-Z0-9._-]/', '_', $name);