// Payload used for the uploads below: a minimal PHP script standing in for a
// malicious file.
$php_string = '<?php print "Drupal"; ?>';

// Test using a masked exploit file: the PHP payload is sent with the filename
// "example.php".
$masked_upload_headers = ['Content-Disposition' => 'filename="example.php"'];
$response = $this->fileRequest($uri, $php_string, $masked_upload_headers);

// The stored name is expected to be "example.php_.txt". Because .txt is
// appended, and .txt is an extension known to Apache, no further munging of
// the filename is expected.
$expected = $this->getExpectedNormalizedEntity(1, 'example.php_.txt', TRUE);
// Override the expected filesize with the byte length of the payload sent.
$expected['filesize'][0]['value'] = strlen($php_string);
$this->assertResponseData($expected, $response);

// The upload must be on disk under the renamed, non-.php filename.
$this->assertFileExists('public://foobar/example.php_.txt');
// Add .php and .txt as allowed extensions on the field. Since
// 'allow_insecure_uploads' is FALSE, allowing .php explicitly must not be
// enough: .php files should still be renamed to have a .txt extension.
$this->field
  ->setSetting('file_extensions', 'php txt')
  ->save();
// Helper defined outside this excerpt; called here after the field setting is
// saved and before the next request.
$this->refreshTestStateAfterRestConfigChange();

// Same PHP payload again, this time under the filename "example_2.php".
$allowed_php_upload_headers = ['Content-Disposition' => 'filename="example_2.php"'];
$response = $this->fileRequest($uri, $php_string, $allowed_php_upload_headers);

// Second file entity (ID 2), expected under the renamed "example_2.php_.txt".
$expected = $this->getExpectedNormalizedEntity(2, 'example_2.php_.txt', TRUE);
// Override the expected filesize with the byte length of the payload sent.
$expected['filesize'][0]['value'] = strlen($php_string);
// NOTE(review): only the response data is checked in the visible lines. Unlike
// the first upload, no on-disk assertion for the renamed file appears in this
// excerpt - confirm one follows.
$this->assertResponseData($expected, $response);