^ is an escape char in the windows OS

[hakre]

It should be removed from filenames then, otherwise the sanitize_file_name function could be easily tricked on windows servers.

Related: #9416, [11178]

[miqrogroove]

What is the precedent? Windows always allows karats in filenames doesn't it?

[hakre]

^{is an escape char in the windows OS. so it has a special meaning. those are to be removed from filenames as per definition of function sanitize_file_name():}

 * Removes special characters that are illegal in filenames on certain
 * operating systems and special characters requiring special escaping
 * to manipulate at the command line. [...]

See section "Escape Character" in ​http://ss64.com/nt/syntax-esc.html

[miqrogroove]

-1 invalid. Filename escaping is the responsibility of the API, which is PHP in this case. Tested and confirmed:

copy('index.php', 'inde^^x.php');

PHP creates a file named inde^^x.php, as expected. If there were a legitimate problem here, it would have created a file named inde^x.php.

[hakre]

that argumentation would make -1 for those (which are in right now) as well:

"?", "[", "]", "/", "\\", "=", "<", ">", ":", ";", ",", "'", "\"", "&", "$", "#", "*", "(", ")", "|", "~", "`", "!", "{", "}"

because the API, which is PHP in this case, would be responsible for filename escaping.

So where does that lead to?

[miqrogroove]

You are welcome to test all of those characters. Half of them are valid in Windows and will cause no problem. The other half are invalid and will throw a PHP Warning, which is not desirable. All other characters are valid and should not need escaping above the PHP layer.

[hakre]

I'm not in here to remove any of those. I created that ticket to add another special char that might be wise to replace for shell usage on the WINNT platform. Just as a precaution while I was stumbling over that line of code.

Infact, I do not care much about the windows platform and WP. So from that point of view, not worth the discussion for me now. Commit it or close it I won't care any longer. Enough typed here.