Opened 3 years ago
Last modified 2 years ago
#14148 new defect (bug)
wp_get_attachment_url() is not url encoding
| Reported by: |
|
Owned by: | |
|---|---|---|---|
| Priority: | normal | Milestone: | Future Release |
| Component: | Security | Version: | 3.0 |
| Severity: | major | Keywords: | has-patch needs-testing |
| Cc: | otterish@… |
Description
A fairly fundamental flaw, the function wp_get_attachment_url() doesn't return a valid URL if the filename contains unescaped URL characters.
I'm not sure, but this might be a security issue, as the current version can generate URLs that don't match the filename, but instead passes query parameters back to the server.
The attached patch for Version 3.0 file fixes this in wp-includes/post.php
Attachments (2)
Change History (7)
Replying to nacin:
Can you post an example URL and what would get returned with and without the patch?
For a file named "X%X.txt"
Currently the URL returned is:
.../wp-content/uploads/2010/06/X%X.txt
This patch corrects it to return:
.../wp-content/uploads/2010/06/X%25X.txt
- Component changed from General to Security
- Milestone changed from Awaiting Review to 3.1
Compact patch based on danorton's but adding corrections for thumbnails and intermediate sizes. Tidy up comments a bit too.
- Cc otterish@… added
- Keywords has-patch needs-testing added; url query removed
Had to force image_downsize() to use encoded filenames when replacing which may break things. Any other ideas?
Can you post an example URL and what would get returned with and without the patch?