Ticket #22363: 22363.9.patch

src/wp-includes/default-filters.php

@@ -177 +177 @@
 add_filter( 'tiny_mce_before_init',     '_mce_set_direction'                  );
 add_filter( 'pre_kses',                 'wp_pre_kses_less_than'               );
 add_filter( 'sanitize_title',           'sanitize_title_with_dashes',   10, 3 );
+add_filter( 'sanitize_file_name',               'remove_accents'                                          );
 add_action( 'check_comment_flood',      'check_comment_flood_db',       10, 3 );
 add_filter( 'comment_flood_filter',     'wp_throttle_comment_flood',    10, 3 );
 add_filter( 'pre_comment_content',      'wp_rel_nofollow',              15    );

src/wp-includes/formatting.php

@@ -826 +826 @@
 }
 
 /**
- * Sanitizes a filename, replacing whitespace with dashes.
+ * Sanitizes a filename, replacing whitespace and illegal characters with dashes.
  *
- * Removes special characters that are illegal in filenames on certain
- * operating systems and special characters requiring special escaping
- * to manipulate at the command line. Replaces spaces and consecutive
- * dashes with a single dash. Trims period, dash and underscore from beginning
- * and end of filename.
+ * Replaces all non-alphabetical, non-decimal characters (including
+ * spaces) with dashes. Strips HTML tags and sanitizes HTML entities. Munges
+ * extraneous file extensions with underscores. Converts the filenames to lowercase
+ * when possible.
  *
+ * If the PCRE UTF-8 extension is available, this function converts all characters
+ * that don't have the Unicode property "Letter" or "Decimal number" to dashes.
+ *
  * @since 2.1.0
  *
  * @param string $filename The filename to be sanitized
@@ -841 +843 @@
  */
 function sanitize_file_name( $filename ) {
         $filename_raw = $filename;
+
+        // Check if PCRE UTF-8 extension is compiled and working.
+        static $pcre_utf8 = null;
+        if ( is_null( $pcre_utf8 ) )
+                $pcre_utf8 = ( 1 === @preg_match( '`[\p{L}]`u', "\xc3\xa0" ) ); // Try to match "latin small letter a with grave". Returns (int) 1 or (boolean) false.
+
+        $encoding = seems_utf8( $filename ) ? 'UTF-8' : get_bloginfo( 'charset' );
+        $utf8_modifier = ( $pcre_utf8 && 'UTF-8' == $encoding ) ? 'u' : '';
+
+        $filename = wp_strip_all_tags( $filename );
+
+        // Decode all HTML entities available in current encoding and strip the rest
+        $filename = html_entity_decode( $filename, ENT_QUOTES, $encoding );
+        $filename = preg_replace( "`&[a-zA-Z]{2,8};`$utf8_modifier", '', $filename );
+
+        // Apply filters before sanitizing to allow custom replacements
+        $filename = apply_filters('sanitize_file_name', $filename, $filename_raw);
+
+        // Convert illegal characters to dashes
         $special_chars = array("?", "[", "]", "/", "\\", "=", "<", ">", ":", ";", ",", "'", "\"", "&", "$", "#", "*", "(", ")", "|", "~", "`", "!", "{", "}", chr(0));
         $special_chars = apply_filters('sanitize_file_name_chars', $special_chars, $filename_raw);
-        $filename = str_replace($special_chars, '', $filename);
-        $filename = preg_replace('/[\s-]+/', '-', $filename);
-        $filename = trim($filename, '.-_');
+        $strip_characters = preg_quote( implode( '', $special_chars ), '`' );
+        $filename = preg_replace( "`[$strip_characters]`$utf8_modifier", '-', $filename );
 
+        if ( $pcre_utf8 ) {
+                // Convert everything except letters, decimal numbers, and "." (dot) to dashes if the PCRE UTF-8 extension is available
+                $filename = preg_replace( "`(?!\.)[^\p{L}\p{Nd}]+`$utf8_modifier", '-', $filename );
+                if ( ! $filename ) // Invalid UTF-8 string or empty
+                        return '';
+        }
+
+        $filename = preg_replace( "`[\s-]+`$utf8_modifier", '-', $filename ); // Check whitespace and multiple dashes
+        $filename = preg_replace( "`-\.`$utf8_modifier", '.', $filename );  // Trim dashes before a dot
+        $filename = trim( $filename, '.-_' );
+
+        if ( function_exists( 'mb_strtolower' ) )
+                $filename = mb_strtolower( $filename, mb_detect_encoding( $filename ) );
+        else if ( ! preg_match( '/[^\x20-\x7f]/', $string ) ) // Only ASCII characters present
+                $filename = strtolower( $filename );
+
         // Split the filename into a base and extension[s]
         $parts = explode('.', $filename);
 
         // Return if only one extension
         if ( count($parts) <= 2 )
-                return apply_filters('sanitize_file_name', $filename, $filename_raw);
+                return $filename;
 
         // Process multiple extensions
         $filename = array_shift($parts);
@@ -864 +900 @@
         foreach ( (array) $parts as $part) {
                 $filename .= '.' . $part;
 
-                if ( preg_match("/^[a-zA-Z]{2,5}\d?$/", $part) ) {
+                if ( preg_match("`^[a-zA-Z]{2,5}\d?$`$utf8_modifier", $part) ) {
                         $allowed = false;
                         foreach ( $mimes as $ext_preg => $mime_match ) {
-                                $ext_preg = '!^(' . $ext_preg . ')$!i';
+                                $ext_preg = "`^($ext_preg)$`i$utf8_modifier";
                                 if ( preg_match( $ext_preg, $part ) ) {
                                         $allowed = true;
                                         break;
@@ -879 +915 @@
         }
         $filename .= '.' . $extension;
 
-        return apply_filters('sanitize_file_name', $filename, $filename_raw);
+        return $filename;
 }
 
 /**