function file_munge_filename


cis7 file_munge_filename($filename, $extensions, $alerts = TRUE)
cle7 file_munge_filename($filename, $extensions, $alerts = TRUE)
elmsmedia7 file_munge_filename($filename, $extensions, $alerts = TRUE)
icor7 file_munge_filename($filename, $extensions, $alerts = TRUE)
meedjum_blog7 file_munge_filename($filename, $extensions, $alerts = TRUE)
mooc7 file_munge_filename($filename, $extensions, $alerts = TRUE)

Modifies a filename as needed for security purposes.

Munging a file name prevents unknown file extensions from masking exploit files. When web servers such as Apache decide how to process a URL request, they use the file extension. If the extension is not recognized, Apache skips that extension and uses the previous file extension. For example, if the file being requested is exploit.php.pps, and Apache does not recognize the '.pps' extension, it treats the file as PHP and executes it. To make this file name safe for Apache and prevent it from executing as PHP, the .php extension is "munged" into .php_, making the safe file name exploit.php_.pps.

Specifically, this function adds an underscore to all extensions that are between 2 and 5 characters in length, internal to the file name, and not included in $extensions.

Function behavior is also controlled by the Drupal variable 'allow_insecure_uploads'. If 'allow_insecure_uploads' evaluates to TRUE, no alterations will be made; if it evaluates to FALSE, the filename is 'munged'.


Parameters

$filename: File name to modify.

$extensions: A space-separated list of extensions that should not be altered.

$alerts: If TRUE, drupal_set_message() will be called to display a message if the file name was changed.

Return value

The potentially modified $filename.
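
The munging rule described above, restated without Drupal dependencies and run over constructed file names. This is an added example, not Drupal's own code: demo_munge() and demo_final_ext_allowed() are hypothetical names, and the separate final-extension check is an assumption about what the caller does, since munging leaves the last extension unchanged.

```php
<?php
// Added example: Drupal-free restatement of the munging rule on this page.
// demo_munge() and demo_final_ext_allowed() are hypothetical names.
function demo_munge(string $filename, string $extensions): string {
  $filename = str_replace(chr(0), '', $filename);   // strip null bytes
  $whitelist = array_unique(explode(' ', trim($extensions)));
  $parts = explode('.', $filename);
  $new = array_shift($parts);                       // basename
  $final = array_pop($parts);                       // final extension: never altered
  foreach ($parts as $part) {
    $new .= '.' . $part;
    if (!in_array($part, $whitelist) && preg_match('/^[a-zA-Z]{2,5}\d?$/', $part)) {
      $new .= '_';                                  // neutralise internal extension
    }
  }
  return $new . '.' . $final;
}

// Assumption: the caller separately checks the final extension against the
// same allow-list, because munging leaves it untouched.
function demo_final_ext_allowed(string $filename, string $extensions): bool {
  $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
  return in_array($ext, explode(' ', strtolower(trim($extensions))), true);
}

$allowed = 'jpg png pps';
// Constructed sample names => expected munged result.
$cases = [
  'exploit.php.pps'      => 'exploit.php_.pps',       // example from the text
  "exploit.php\0.jpg"    => 'exploit.php_.jpg',       // null byte removed first
  'photo.jpg.png'        => 'photo.jpg.png',          // internal part is allowed
  'photo.JPG.png'        => 'photo.JPG_.png',         // comparison is case-sensitive
  'shell.php5.phtml.png' => 'shell.php5_.phtml_.png', // trailing digit, 5 letters
  'backup.2019.png'      => 'backup.2019.png',        // digits only: not extension-like
  'shell.php'            => 'shell.php',              // final extension untouched
];
foreach ($cases as $name => $expected) {
  $munged = demo_munge($name, $allowed);
  $shown = str_replace("\0", '\0', $name);            // make the null byte visible
  if ($munged !== $expected) {
    throw new RuntimeException("unexpected result for $shown: $munged");
  }
  printf("%-22s -> %-24s final ext allowed: %s\n", $shown, $munged,
    demo_final_ext_allowed($munged, $allowed) ? 'yes' : 'NO');
}
```

The last case is the one munging does not cover: a name whose only extension is executable passes through unchanged, so the final extension has to be validated on its own.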

Related topics

3 calls to file_munge_filename()
file_save_upload in includes/
Saves a file upload to a new location.
MediaInternetFileHandler::preSave in sites/all/modules/ulmus/media/modules/media_internet/media_internet.module
Before the file has been saved, implementors may do additional operations.
mfw_file_save_upload in sites/all/modules/ulmus/multiupload_filefield_widget/multiupload_filefield_widget.module
Saves a file upload to a new location.


includes/, line 1143
API for handling file uploads and server file management.


function file_munge_filename($filename, $extensions, $alerts = TRUE) {
  $original = $filename;

  // Allow potentially insecure uploads for very savvy users and admin
  if (!variable_get('allow_insecure_uploads', 0)) {
    // Remove any null bytes. See
    $filename = str_replace(chr(0), '', $filename);

    $whitelist = array_unique(explode(' ', trim($extensions)));

    // Split the filename up by periods. The first part becomes the basename
    // the last part the final extension.
    $filename_parts = explode('.', $filename);
    $new_filename = array_shift($filename_parts); // Remove file basename.
    $final_extension = array_pop($filename_parts); // Remove final extension.

    // Loop through the middle parts of the name and add an underscore to the
    // end of each section that could be a file extension but isn't in the list
    // of allowed extensions.
    foreach ($filename_parts as $filename_part) {
      $new_filename .= '.' . $filename_part;
      if (!in_array($filename_part, $whitelist) && preg_match("/^[a-zA-Z]{2,5}\d?$/", $filename_part)) {
        $new_filename .= '_';
      }
    }
    $filename = $new_filename . '.' . $final_extension;

    if ($alerts && $original != $filename) {
      drupal_set_message(t('For security reasons, your upload has been renamed to %filename.', array('%filename' => $filename)));
    }
  }

  return $filename;
}


