Ticket #22363: 22363.diff

src/wp-includes/default-filters.php

@@ -197 +197 @@
 add_filter( 'teeny_mce_before_init',    '_mce_set_direction'                  );
 add_filter( 'pre_kses',                 'wp_pre_kses_less_than'               );
 add_filter( 'sanitize_title',           'sanitize_title_with_dashes',   10, 3 );
+add_filter( 'sanitize_file_name',       'remove_accents'                      );
 add_action( 'check_comment_flood',      'check_comment_flood_db',       10, 3 );
 add_filter( 'comment_flood_filter',     'wp_throttle_comment_flood',    10, 3 );
 add_filter( 'pre_comment_content',      'wp_rel_nofollow',              15    );

src/wp-includes/formatting.php

@@ -1727 +1727 @@
 }
 
 /**
- * Sanitizes a filename, replacing whitespace with dashes.
+ * Sanitizes a file name, replacing whitespace and illegal characters with dashes.
  *
- * Removes special characters that are illegal in filenames on certain
- * operating systems and special characters requiring special escaping
- * to manipulate at the command line. Replaces spaces and consecutive
- * dashes with a single dash. Trims period, dash and underscore from beginning
- * and end of filename. It is not guaranteed that this function will return a
- * filename that is allowed to be uploaded.
+ * Replaces all non-alphabetical, non-decimal characters (including spaces) with dashes.
+ * Strips HTML tags and sanitizes HTML entities.  Munges extraneous file extensions with underscores.
+ * Converts the file names to lowercase when possible.
+ *
+ * If the PCRE UTF-8 extension is available, this function converts all characters
+ * that don't have the Unicode property "Letter" or "Decimal number" to dashes.
  *
  * @since 2.1.0
+ * @since 4.7.0 The function now also replaces illegal characters with dashes.
  *
  * @param string $filename The filename to be sanitized
  * @return string The sanitized filename
  */
 function sanitize_file_name( $filename ) {
         $filename_raw = $filename;
+        $encoding = seems_utf8( $filename ) ? 'UTF-8' : get_bloginfo( 'charset' );
+        $utf8_modifier = ( _wp_can_use_pcre_u() && 'UTF-8' == $encoding ) ? 'u' : '';
+
+        $filename = wp_strip_all_tags( $filename );
+
+        // Decode all HTML entities available in current encoding and strip the rest
+        $filename = html_entity_decode( $filename, ENT_QUOTES, $encoding );
+        $filename = preg_replace( "`&[a-zA-Z]{2,8};`$utf8_modifier", '', $filename );
+
+        // Convert illegal characters to dashes
         $special_chars = array("?", "[", "]", "/", "\\", "=", "<", ">", ":", ";", ",", "'", "\"", "&", "$", "#", "*", "(", ")", "|", "~", "`", "!", "{", "}", "%", "+", chr(0));
         /**
          * Filters the list of characters to remove from a filename.
@@ -1752 +1763 @@
          * @param array  $special_chars Characters to remove.
          * @param string $filename_raw  Filename as it was passed into sanitize_file_name().
          */
-        $special_chars = apply_filters( 'sanitize_file_name_chars', $special_chars, $filename_raw );
-        $filename = preg_replace( "#\x{00a0}#siu", ' ', $filename );
-        $filename = str_replace( $special_chars, '', $filename );
-        $filename = str_replace( array( '%20', '+' ), '-', $filename );
-        $filename = preg_replace( '/[\r\n\t -]+/', '-', $filename );
+        $special_chars    = apply_filters( 'sanitize_file_name_chars', $special_chars, $filename_raw );
+        $strip_characters = preg_quote( implode( '', $special_chars ), '`' );
+        $filename         = preg_replace( "`[$strip_characters]`$utf8_modifier", '-', $filename );
+
+        if ( _wp_can_use_pcre_u() ) {
+                // Convert everything except letters, decimal numbers, and "." (dot) to dashes if the PCRE UTF-8 extension is available
+                $filename = preg_replace( "`(?!\.)[^\p{L}\p{Nd}]+`$utf8_modifier", '-', $filename );
+                if ( ! $filename ) { // Invalid UTF-8 string or empty
+                        return '';
+                }
+        }
+
+        $filename = preg_replace( "`[\s-]+`$utf8_modifier", '-', $filename ); // Check whitespace and multiple dashes
+        $filename = preg_replace( "`-\.`$utf8_modifier", '.', $filename );  // Trim dashes before a dot
         $filename = trim( $filename, '.-_' );
 
+        if ( function_exists( 'mb_strtolower' ) ) {
+                $filename = mb_strtolower( $filename, mb_detect_encoding( $filename ) );
+        } else {
+                $filename = strtolower( $filename );
+        }
+
         if ( false === strpos( $filename, '.' ) ) {
                 $mime_types = wp_get_mime_types();
                 $filetype = wp_check_filetype( 'test.' . $filename, $mime_types );
@@ -1795 +1821 @@
         foreach ( (array) $parts as $part) {
                 $filename .= '.' . $part;
 
-                if ( preg_match("/^[a-zA-Z]{2,5}\d?$/", $part) ) {
+                if ( preg_match("`^[a-zA-Z]{2,5}\d?$`$utf8_modifier", $part) ) {
                         $allowed = false;
                         foreach ( $mimes as $ext_preg => $mime_match ) {
-                                $ext_preg = '!^(' . $ext_preg . ')$!i';
+                                $ext_preg = "`^($ext_preg)$`i$utf8_modifier";
                                 if ( preg_match( $ext_preg, $part ) ) {
                                         $allowed = true;
                                         break;

tests/phpunit/tests/formatting/SanitizeFileName.php

@@ -16 +16 @@
                 foreach ( $special_chars as $char )
                         $string .= $char;
                 $string .= 'test';
-                $this->assertEquals( 'testtest', sanitize_file_name( $string ) );
+                $this->assertEquals( 'test-test', sanitize_file_name( $string ) );
         }
 
         /**
@@ -28 +28 @@
                 $urls = array(
                         'unencoded space.png' => 'unencoded-space.png',
                         'encoded-space.jpg' => 'encoded-space.jpg',
-                        'plus+space.jpg' => 'plusspace.jpg',
+                        'plus+space.jpg' => 'plus-space.jpg',
                         'multi %20 +space.png' => 'multi-20-space.png',
                 );
 
@@ -47 +47 @@
 
         function test_replaces_any_amount_of_whitespace_with_one_hyphen() {
                 $this->assertEquals("a-t", sanitize_file_name("a          t"));
-                $this->assertEquals("a-t", sanitize_file_name("a    \n\n\nt"));
+                $this->assertEquals("a-t", sanitize_file_name("a    \t\r\n\n\nt"));
         }
 
         /**
          * @ticket 16226
          */
         function test_replaces_percent_sign() {
-                $this->assertEquals( 'a22b.jpg', sanitize_file_name( 'a%22b.jpg' ) );
+                $this->assertEquals( 'a-22b.jpg', sanitize_file_name( 'a%22b.jpg' ) );
         }
 
         function test_replaces_unnammed_file_extensions() {
@@ -67 +67 @@
                 // Test a filenames that becomes extensionless.
                 $this->assertEquals( 'no-extension', sanitize_file_name( '_.no-extension' ) );
         }
+
+        function test_replaces_utf8_whitespace() {
+                if ( ! _wp_can_use_pcre_u() ) {
+                        $this->markTestSkipped();
+                }
+
+                $this->assertEquals("non-breaking", sanitize_file_name("non\xc2\xa0breaking"));
+        }
+
+        function test_returns_lowercase() {
+                if ( ! function_exists( 'mb_strtolower' ) ) {
+                        $this->markTestSkipped();
+                }
+
+                $this->assertEquals( 'abcd', sanitize_file_name('ABCD') );
+        }
+
+        function test_replaces_accents() {
+                $in  = 'àáâãäåæçèéêëìíîïñòóôõöøùúûüýÿ';
+                $out = 'aaaaaaaeceeeeiiiinoooooouuuuyy';
+                $this->assertEquals( $out, sanitize_file_name( $in ) );
+        }
+
+        function test_strips_non_alpha_html_entities() {
+                if ( ! _wp_can_use_pcre_u() ) {
+                        $this->markTestSkipped();
+                }
+
+                $this->assertEquals("start-end", sanitize_file_name( "start © & € –   end" ) );
+                $this->assertEquals("start-end", sanitize_file_name( "start &invalid; end" ) );
+        }
+
+        function test_converts_alpha_html_entities() {
+                if ( ! _wp_can_use_pcre_u() ) {
+                        $this->markTestSkipped();
+                }
+
+                $this->assertEquals("start-a-e-n-o-ae-end", sanitize_file_name("start à ê ñ ø æ end" ) );
+        }
+
+        function test_removes_non_alphanum_characters() {
+                if ( ! _wp_can_use_pcre_u() ) {
+                        $this->markTestSkipped();
+                }
+
+                $test_input = "start ¿”©“? «±€—°» middle “√¼ = ♫” & „☺ + ☻ = ♥‟ end";
+                $this->assertEquals("start-middle-end", sanitize_file_name( $test_input ) );
+        }
+
+        function test_returns_empty_on_invalid_utf8() {
+                if ( ! _wp_can_use_pcre_u() ) {
+                        $this->markTestSkipped();
+                }
+
+                $this->assertEquals( '', sanitize_file_name( "Invalid \xff utf8" ) );
+        }
+
+        function test_returns_lowercase_utf8() {
+                if ( ! _wp_can_use_pcre_u() || ! function_exists( 'mb_strtolower' ) ) {
+                        $this->markTestSkipped();
+                }
+
+                $this->assertEquals( 'βασιλ-правах', sanitize_file_name( 'ΒΑΣΙΛ ПРАВАХ' ) );
+        }
 }