Ticket #22363: 22363.6.patch

src/wp-includes/default-filters.php

@@ -177 +177 @@
 add_filter( 'tiny_mce_before_init',     '_mce_set_direction'                  );
 add_filter( 'pre_kses',                 'wp_pre_kses_less_than'               );
 add_filter( 'sanitize_title',           'sanitize_title_with_dashes',   10, 3 );
+add_filter( 'sanitize_file_name',               'remove_accents'                                          );
 add_action( 'check_comment_flood',      'check_comment_flood_db',       10, 3 );
 add_filter( 'comment_flood_filter',     'wp_throttle_comment_flood',    10, 3 );
 add_filter( 'pre_comment_content',      'wp_rel_nofollow',              15    );

src/wp-includes/formatting.php

@@ -826 +826 @@
 }
 
 /**
- * Sanitizes a filename, replacing whitespace with dashes.
+ * Sanitizes a filename, replacing whitespace and extra characters with dashes.
  *
- * Removes special characters that are illegal in filenames on certain
- * operating systems and special characters requiring special escaping
- * to manipulate at the command line. Replaces spaces and consecutive
- * dashes with a single dash. Trims period, dash and underscore from beginning
- * and end of filename.
+ * Replaces all non-alphabetical, non-decimal characters (including
+ * spaces) with dashes. Strips HTML tags. Munges extraneous file extensions 
+ * with underscores.
+ * If the PCRE UTF-8 extension is availabe:
+ *  - Accepts and returns UTF-8 filenames
+ *  - Converts HTML entities and strips them if they are not alphanumerical
+ * Converts the filenames to lowercase when possible.
  *
  * @since 2.1.0
  *
@@ -841 +843 @@
  */
 function sanitize_file_name( $filename ) {
         $filename_raw = $filename;
+        
+        $filename = wp_strip_all_tags( $filename );
+        
+        // Check if PCRE UTF-8 extension is compiled and working.
+        static $pcre_utf8 = null;
+        if ( is_null( $pcre_utf8 ) )
+                $pcre_utf8 = ( 1 === @preg_match( '`[\p{L}]`u', "\xc3\xa0" ) ); // Try to match "latin small letter a with grave". Returns (int) 1 or (boolean) false.
+        $utf8_modifier = $pcre_utf8 ? 'u' : '';
+        
+        if ( $pcre_utf8 ) {
+                $filename = html_entity_decode( $filename, ENT_NOQUOTES, 'UTF-8' );
+                $filename = preg_replace( '`(?!\.)[^\p{L}\p{Nd}]+`u', '-', $filename ); // Convert everything except letters, decimal numbers, and "." (dot) to dashes
+                if ( ! $filename ) // Invalid UTF-8 string
+                        return '';
+        }
+
+        // With PCRE UTF-8, these characters will have been stripped already, but there might be some added by a filter
         $special_chars = array("?", "[", "]", "/", "\\", "=", "<", ">", ":", ";", ",", "'", "\"", "&", "$", "#", "*", "(", ")", "|", "~", "`", "!", "{", "}", chr(0));
         $special_chars = apply_filters('sanitize_file_name_chars', $special_chars, $filename_raw);
-        $filename = str_replace($special_chars, '', $filename);
-        $filename = preg_replace('/[\s-]+/', '-', $filename);
-        $filename = trim($filename, '.-_');
+        
+        $strip_characters = preg_quote( implode( '', $special_chars ), '`' ); // Quote the special characters
+        $filename = preg_replace( "`[$strip_characters]`$utf8_modifier", '-', $filename );  // Convert them to dashes
+        $filename = preg_replace( "`[\s-]+`$utf8_modifier", '-', $filename ); // Check whitespace and multiple dashes
+        $filename = preg_replace( "`-\.`$utf8_modifier", '.', $filename );  // Trim dashes before a dot
+        $filename = trim( $filename, '.-_' );
+        
+        if ( function_exists( 'mb_strtolower' ) ) 
+                $filename = mb_strtolower( $filename, mb_detect_encoding( $filename ) );
+        else if ( ! seems_utf8( $filename ) )
+                $filename = strtolower( $filename );
 
+        // Apply filters before the allowed extensions check, since they might modify the filename
+        $filename = apply_filters('sanitize_file_name', $filename, $filename_raw);
+        
         // Split the filename into a base and extension[s]
         $parts = explode('.', $filename);
-
+        
         // Return if only one extension
         if ( count($parts) <= 2 )
-                return apply_filters('sanitize_file_name', $filename, $filename_raw);
+                return $filename;
 
         // Process multiple extensions
         $filename = array_shift($parts);
@@ -864 +894 @@
         foreach ( (array) $parts as $part) {
                 $filename .= '.' . $part;
 
-                if ( preg_match("/^[a-zA-Z]{2,5}\d?$/", $part) ) {
+                if ( preg_match("`^[a-zA-Z]{2,5}\d?$`$utf8_modifier", $part) ) {
                         $allowed = false;
                         foreach ( $mimes as $ext_preg => $mime_match ) {
-                                $ext_preg = '!^(' . $ext_preg . ')$!i';
+                                $ext_preg = "`^($ext_preg)$`i$utf8_modifier";
                                 if ( preg_match( $ext_preg, $part ) ) {
                                         $allowed = true;
                                         break;
@@ -879 +909 @@
         }
         $filename .= '.' . $extension;
 
-        return apply_filters('sanitize_file_name', $filename, $filename_raw);
+        return $filename;
 }
 
 /**