

Ticket #9416: 9416.2.diff

File 9416.2.diff, 3.3 KB (added by sivel, 6 years ago)
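--- a/wp-includes/functions.php
+++ b/wp-includes/functions.php
@@ -2011,12 +2011,14 @@
  * @return string New filename, if given wasn't unique.
  */
 function wp_unique_filename( $dir, $filename, $unique_filename_callback = null ) {
-        $filename = strtolower( $filename );
+        // sanitize the file name before we begin processing
+        $filename = sanitize_file_name($filename);
+
         // separate the filename into a name and extension
         $info = pathinfo($filename);
         $ext = !empty($info['extension']) ? $info['extension'] : '';
         $name = basename($filename, ".{$ext}");
-
+        
         // edge case: if file is named '.ext', treat as an empty name
         if( $name === ".$ext" )
                 $name = '';
@@ -2028,12 +2030,8 @@
                 $number = '';
 
                 if ( !empty( $ext ) )
-                        $ext = strtolower( ".$ext" );
+                        $ext = ".$ext";
 
-                $filename = str_replace( $ext, '', $filename );
-                // Strip % so the server doesn't try to decode entities.
-                $filename = str_replace('%', '', sanitize_title_with_dashes( $filename ) ) . $ext;
-
                 while ( file_exists( $dir . "/$filename" ) ) {
                         if ( '' == "$number$ext" )
                                 $filename = $filename . ++$number . $ext;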
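Review bot: Removing the `str_replace('%', '', …)` step in the second hunk drops the only place `%` was stripped, and the replacement `sanitize_file_name()` in the formatting.php section does not list `%` in its default `$special_chars`, so a name such as `foo%20bar.txt` now reaches `file_exists()` and the stored name unchanged; the deleted comment gave a concrete reason for stripping it, so either add `"%"` to that list or keep the strip here. The `strtolower()` calls on `$filename` and `$ext` are also gone, so `photo.JPG` and `photo.jpg` become distinct names on a case-sensitive filesystem but collide on a case-insensitive one, which deserves a sentence in the docblock (its `@param` lines sit above the first hunk, outside this view). The `while ( file_exists( … ) )` loop runs past the end of the hunk, so the renaming logic itself is not covered by this review.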
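--- a/wp-includes/formatting.php
+++ b/wp-includes/formatting.php
@@ -564,27 +564,27 @@
 }
 
 /**
- * Filters certain characters from the file name.
+ * Sanitizes a filename replacing whitespace with dashes
  *
- * Turns all strings to lowercase removing most characters except alphanumeric
- * with spaces, dashes and periods. All spaces and underscores are converted to
- * dashes. Multiple dashes are converted to a single dash. Finally, if the file
- * name ends with a dash, it is removed.
+ * Removes special characters that are illegal in filenames on certain
+ * operating systems and special characters requiring special escaping
+ * to manipulate at the command line. Replaces spaces and consecutive
+ * dashes with a single dash. Trim period, dash and underscore from beginning
+ * and end of filename.
  *
  * @since 2.1.0
  *
- * @param string $name The file name
- * @return string Sanitized file name
+ * @param string $filename The filename to be sanitized
+ * @return string The sanitized filename
  */
-function sanitize_file_name( $name ) { // Like sanitize_title, but with periods
-        $name = strtolower( $name );
-        $name = preg_replace('/&.+?;/', '', $name); // kill entities
-        $name = str_replace( '_', '-', $name );
-        $name = preg_replace('/[^a-z0-9\s-.]/', '', $name);
-        $name = preg_replace('/\s+/', '-', $name);
-        $name = preg_replace('|-+|', '-', $name);
-        $name = trim($name, '-');
-        return $name;
+function sanitize_file_name( $filename ) {
+        $filename_raw = $filename;
+        $special_chars = array("?", "[", "]", "/", "\\", "=", "<", ">", ":", ";", ",", "'", "\"", "&", "$", "#", "*", "(", ")", "|", "~", "`", "!", "{", "}");
+        $special_chars = apply_filters('sanitize_file_name_chars', $special_chars, $filename_raw);
+        $filename = str_replace($special_chars, '', $filename);
+        $filename = preg_replace('(\s+|-+)', '-', $filename);
+        $filename = trim($filename, '.-_');
+        return apply_filters('sanitize_file_name', $filename, $filename_raw);
 }
 
 /**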
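Review bot: The rewrite turns `sanitize_file_name()` from an allowlist (`/[^a-z0-9\s-.]/`) into a denylist, so every byte not enumerated in `$special_chars` now passes through — `%`, ASCII control characters (including NUL, which `\s` does not match) and non-ASCII bytes all survive where the old regex dropped them. If the denylist is intentional the docblock should say so, and the list should at least cover `%` (the functions.php hunk deletes a strip of it that had a stated reason) and control characters, e.g. `$filename = preg_replace('/[\x00-\x1f\x7f]/', '', $filename);` before the whitespace collapse. The `preg_replace('(\s+|-+)', '-', $filename)` line also does not deliver what the new docblock promises: `\s+` and `-+` are replaced independently, so `a - b` becomes `a---b`; `'/[\s-]+/'` collapses the whole run in one step. The result of the `sanitize_file_name` filter is returned unchecked, which is acceptable only if the docblock notes that a filter can reintroduce any character the function removed.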