id: 15955
summary: move_uploaded_file mangles non-ascii characters on Windows platforms
reporter: t31os_
owner: SergeyBiryukov
type: defect (bug)
status: accepted
priority: normal
milestone: Awaiting Review
component: Upload
version: 2.0
severity: major
resolution:
keywords: close
cc:
focuses:

description:

The `sanitize_file_name` function is not filtering a lot of character entities like the degree symbol; this results in invalid media item paths, see the attached images.

wp-includes/formatting - Line 677
{{{
$special_chars = array("?", "[", "]", "/", "\\", "=", "<", ">", ":", ";", ",", "'", "\"", "&", "$", "#", "*", "(", ")", "|", "~", "`", "!", "{", "}", chr(0));
}}}

This array is not dealing with invalid entities that could be used in a filename, and the regular expression further down is not catching these either.

wp-includes/formatting - Line 700
{{{
if ( preg_match("/^[a-zA-Z]{2,5}\d?$/", $part) ) {
}}}

See attached images, I used 4 varying names with unusual entities in them (each a copy of a sample jpg image).

Using a filter on the valid chars array results in the extension getting stripped off but the file still makes it through the upload routine however (which is worrying).

I'm no file validation expert, so I'm not sure if this is a critical problem (marked as normal), I'll leave this for you chaps to decide.

'''NOTE:''' Ignore my hostname in the screenies, it's a 3.0.3 installation, I'm just lazy with updating my virtual host settings.

See screenshots for steps to reproduce (just create a file with some dodgy character entities and upload it basically).