Theme files cannot be edited when theme's directory has certain characters in it

[trasnam]

Theme files cannot be edited when the theme name contains brackets in the directory name. (For example themename[modification] .)

After the upgrade to 2.0.4, I noticed I can no longer edit any theme files. I get the error, "Sorry, that file cannot be edited." when I hit "Update File" on the theme-editor.php page for any arbitrary file. This also occurs in 2.1 Alpha 2, but does not occur in 2.0.3. Therefore, I believe it is a regression.

After doing some debugging, I noticed that the value for the file I am editing is not the same in both $files and $allowed_files in admin-functions.php (only upon form submission, however). The value in $files has the brackets stripped out, whereas the value in $allowed_files doesn't have the brackets stripped out.

As a result of this, the function validate_file returns a 3, which in turn makes the function validate_file_to_edit return the "Sorry, that file cannot be edited." message.

I haven't yet figured out what causes the brackets to get stripped out, and as such I have renamed the theme directory as a temporary workaround.

I have no problem renaming the directory as a permanent fix, but I think the code should at least check for the brackets and tell the user to give the directory another name. If not, it should handle the bracket just like any other text character without stripping it out.

See this thread for more information:

​http://wordpress.org/support/topic/35201

[trasnam]

As a note, I found out where the problem lies.

Some code in wp-includes/pluggable-functions.php is the culprit.

Starting on line 264 of the file, this code is what trips up the problem I'm having:

$location = preg_replace('|[^a-z0-9-~+_.?#=&;,/:%]|i', '', $location);

$strip = array('%0d', '%0a');
$location = str_replace($strip, '', $location);

If the code from 2.0.3 is substituted, the code works as expected. Basically, replace those three lines of code with this one:

$location = str_replace( array("\n", "\r"), '', $location);

However, I think the code added to 2.0.4 was put there for a reason, so I doubt just putting back in the 2.0.3 code is a desired remedy.

[trasnam]

As another update, this issue not only affects brackets. It also affects characters like parenthesis, spaces, and braces, for instance. This can easily be seen by looking at the preg_replace line.

I'm not sure how modifying that line would affect things with the IIS issue it is meant to solve though, since I'm not at all familiar with it.

Perhaps someone more familiar with this part of the code can provide some insight.

Since this affects more directory names than just ones with brackets in them, I am moving up the priority of this ticket to High.

(Also, it's not really important, but in my original post, I meant $file (not $files) as the variable I was talking about.)

[Nazgul]

Added a few extra characters to the regex and made a patch for this.

I left out spaces as mentioned by the ticket reporter, because I think spaces shouldn't be allowed in path and file names on the web.

[masquerade]

Spaces and other characters are perfectly legal in filenames both on and off the web. I don't see why we should leave them out.

[ryan]

Nominating for 2.0.5. Keep in mind that this preg_replace is meant to prevent CRLF injection and other baddies, so we need to make sure we don't compromise security. Hmm, perhaps we should switch to POST.

[ryan]

(In [4268]) Do only the minimum sanitization on the URL redirect. fixes #2994

[ryan]

(In [4269]) Do only the minimum sanitization on the URL redirect. fixes #2994

[ryan]

Instead of modifying wp_redirect(), let's go the more conservative route for 2.0.5 and modify theme-editor.php. I changed it to strip CRLF and nulls pass everything else through. Any other badness should be caught with the allowed_files check. We can reconsider what to do with wp_redirect() in 2.1.

[(none)]

Milestone 2.0.5 deleted

[leonessa]

Please, please help! I am VERY new to Word Press or php. I keep getting the "THAT FILE CAN NOT BE EDITED" every time I try to access the theme editor. I am trying to build this site for a non-profit that NEED to have this going as soon as possible, we're trying to pay off a building and are under pressure to make this happen. PLEASE help! I read some help files, and this seems to be a common problem, but I can not for the life of me understand what to do about fixing it. PLEASE HELP!

[nacin]

In [20314]:

urldecode() the incoming $file in the theme editor. see [20313] when the encode was added. see #2994 for the original bug report. see #20103.