#16226 closed defect (bug) (duplicate)
Attachment URL filenames are not urlencoded
| Reported by: |
|
Owned by: | |
|---|---|---|---|
| Priority: | normal | Milestone: | |
| Component: | Upload | Version: | 3.1 |
| Severity: | normal | Keywords: | has-patch dev-feedback |
| Cc: | jonathan.addleman@… |
Description
In looking at #16191, I discovered a related bug.
Upload a file called a%22b.jpg. The file will be stored on the filesystem as a%22b.jpg, but the resulting attachment URL will be http://example.com/wp-content/uploads/2011/01/a%22b.jpg, which will point to a file named a"b.jpg.
Attachments (3)
Change History (16)
comment:1
SergeyBiryukov
— 2 years ago
comment:2
solarissmoke
— 2 years ago
- Keywords has-patch added; needs-patch removed
% should be added to the list of special characters. Browsers will treat it (and what follows) as a urlencoded entity, which means you will never be able to access the saved file.
comment:3
follow-up:
↓ 4
dd32
— 2 years ago
shouldn't % be encoded to %25 instead? ie. the filename should be urlencoded.
comment:4
in reply to:
↑ 3
solarissmoke
— 2 years ago
Replying to dd32:
shouldn't % be encoded to %25 instead? ie. the filename should be urlencoded.
The difficulty is urlencoding only the filename portion... we can't urlencode the whole url. And we can't do the encoding in sanitize_file_name() because that is used in other non-URL contexts. Is there some other place where it can be done?
comment:5
dd32
— 2 years ago
See the attached patch, it's a rough patch, but seems to work in the few test cases i've got here. I've not tested it against international characters, nor have i tested it against "store uploads in year/month folders" being disabled (which will probably break this patch)
comment:6
phogberg
— 2 years ago
Similar to this:
Upload a file called a+b.jpg. The file will be stored on the filesystem as a+b.jpg, but the resulting attachment URL will be "http://example.com/wp-content/uploads/2011/04/a+b.jpg", which will point to a file named "a b.jpg" wich does not exist.
The plus sign translates to a space in an urlencoded string. 16226.2.diff will probably solve this as well, but not patch 16226.diff.
comment:7
simonwheatley
— 2 years ago
- Keywords dev-feedback added
- Version changed from 3.1 to 3.2
It seems to me that the simplest thing to do for these edge cases (albeit that I've just had a real user complaining about a file with a "+" in the filename not uploading) is to strip "+" and "%" in the sanitise_file_name function. I'm attaching a patch which does just this.
comment:8
simonwheatley
— 2 years ago
Note that this simplistic approach would also work for #16191. :)
comment:9
dd32
— 2 years ago
- Version changed from 3.2 to 3.1
The Version field is used to track the first version in which a issue is identified in, You can assume that any version between Version and Milestone will be affected by the ticket, so no need to update it to the current branch.
comment:10
kawauso
— 19 months ago
Related: #16330
comment:11
jaddle
— 17 months ago
- Cc jonathan.addleman@… added
comment:12
krembo99
— 11 months ago
- Resolution set to duplicate
- Status changed from new to closed
comment:13
SergeyBiryukov
— 11 months ago
- Milestone Future Release deleted
Possibly related: #15955