Make WordPress Core

Opened 9 years ago

Last modified 3 months ago

#16191 reopened defect (bug)

Uploaded files with quote marks in the filename are undisplayable in MS

Reported by: simonwheatley
Owned by:
Milestone: Future Release
Priority: normal
Severity: normal
Version:
Component: Upload
Keywords: has-patch dev-feedback needs-testing good-first-bug
Focuses:
Cc:
PR Number:


If you upload a file with quote marks in the filename, e.g. "Test".jpg, WordPress records the filename as %22test%22.jpg but the file is called "Test".jpg (on 'nix-like systems anyway) so is undisplayable.

I'm unsure about the implications (security and otherwise) of my suggested patch (attached), so please give feedback. (I guess the other approach would be to retain the url-encoded characters and ensure that the file is named with the URL encoded version of the filename.)

Attachments (3)

handle urlencoded characters.diff (960 bytes) - added by simonwheatley 9 years ago.
URLDecode characters before saving to WP meta data
16191.diff (2.1 KB) - added by mdawaffe 9 years ago.
16191.2.diff (2.9 KB) - added by mdawaffe 9 years ago.
Cleanup, Docs


Change History (11)

9 years ago

URLDecode characters before saving to WP meta data

#1 @mdawaffe
9 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to worksforme
  • Status changed from new to closed

sanitize_file_name() should be stripping quote marks, and works for me.

Please reopen with more details. What browser, what OS, what server OS, PHP version, etc.?

#2 @mdawaffe
9 years ago

  • Milestone set to Future Release
  • Resolution worksforme deleted
  • Status changed from closed to reopened

markjaquith just repro'd. Flash uploader works fine, the browser uploader does not.

#3 @mdawaffe
9 years ago

This looks like a WebKit bug that we can't work around.

I have a file named z"d%22e.jpg.

Uploading from FF:

Content-Disposition: form-data; name="async-upload"; filename="z"d%22e.jpg"
Content-Type: image/jpeg

Uploading from Chrome:

Content-Disposition: form-data; name="async-upload"; filename="z%22d%22e.jpg"
Content-Type: image/jpeg

Chrome is clearly doing things wrong. FF works, but I would have thought the double quote should have been slashed.
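
The two headers from comment #3, run through a strict quoted-string parser, as an added example that is not part of the ticket or of WordPress. It shows why neither form lets the server recover the name z"d%22e.jpg, and a store step that derives the on-disk name and the recorded name from one sanitized string. `filenameParam`, `decodeQuotes`, `safeName` and `storeUpload` are hypothetical helpers; PHP's own multipart parsing and `sanitize_file_name()` are not modelled.

```javascript
// Header values copied from comment #3 (file on disk was named z"d%22e.jpg).
const FIREFOX = 'form-data; name="async-upload"; filename="z"d%22e.jpg"';
const CHROME = 'form-data; name="async-upload"; filename="z%22d%22e.jpg"';

// Strict quoted-string rules (assumption: not how PHP parses uploads):
// backslash escapes the next character, the first bare quote ends the value.
function filenameParam(header) {
  const key = 'filename="';
  const start = header.indexOf(key);
  if (start === -1) return null;
  let out = '';
  for (let i = start + key.length; i < header.length; i++) {
    const c = header[i];
    if (c === '\\' && i + 1 < header.length) { out += header[++i]; continue; }
    if (c === '"') return out;
    out += c;
  }
  return null; // value never terminated
}

// Undo only the %22 escape seen in the Chrome header.
function decodeQuotes(name) {
  return name.replace(/%22/g, '"');
}

// Hypothetical allowlist sanitizer: drop percent escapes and every character
// outside [A-Za-z0-9._-], refuse leading dots, never return an empty name.
function safeName(name) {
  const cleaned = name
    .replace(/%[0-9a-fA-F]{2}/g, '')
    .replace(/[^A-Za-z0-9._-]/g, '')
    .replace(/^\.+/, '');
  return cleaned || 'upload';
}

// Use one sanitized string for both the file on disk and the stored metadata,
// so the two can never disagree whichever browser sent the upload.
function storeUpload(header) {
  const name = safeName(filenameParam(header) || '');
  return { onDisk: name, recorded: name };
}

console.log(filenameParam(FIREFOX));               // cut short at the raw quote
console.log(decodeQuotes(filenameParam(CHROME)));  // literal %22 is lost
console.log(storeUpload(CHROME), storeUpload(FIREFOX));
```

Decoding the Chrome form turns the file's literal %22 into a quote as well, so the original name cannot be reconstructed from either header; the sanitized name is the only value both the filesystem and the database should see.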


#4 @mdawaffe
9 years ago

16191.diff is a Proof of Concept workaround for filenames with double quotes in them.

  1. Populate POST variable via JS with file's real name.
  2. Use wp_handle_upload_prefilter to fix the $_FILES item.

9 years ago

Cleanup, Docs

#5 @iseulde
6 years ago

  • Keywords changed from has-patch, dev-feedback to has-patch dev-feedback

This is still an issue after 3.5, image is now saved as %22Test%22.jpg, but is not found when trying to access it. Maybe remove the double quotes just like single quotes are removed (Test.jpg)?
See #22694.

#6 @mordauk
5 years ago

16226.patch on 16226 may resolve this.

#7 @desrosj
5 months ago

  • Keywords needs-testing good-first-bug added

#16226 was fixed in 4.4. Can someone test this to see if the behavior still persists?

#8 @donmhico
3 months ago

This is my first time to be involved so please be patient and guide me through. @desrosj

I wasn't able to replicate the problem but I noticed something when testing on different browsers.

I'm on macOS Mojave (10.14.5)

What I did: Uploaded an image with the name "512x512_RED."png via the Media Uploader and inside Gutenberg editor.

Browser: Google Chrome
File was uploaded with filename - 22512x512_RED.22png.png
Post title - 512x512_RED.png
post_meta_key (_wp_attached_file) - 22512x512_RED.22png.png
Renders properly inside a post.

Browser: Firefox
File was uploaded with filename - 512x512_RED.png.png
Post title - "512x512_RED."png
post_meta_key (_wp_attached_file) - 512x512_RED.png.png
Renders properly inside a post.

Browser: Microsoft Edge (Dev build for Mac)
File was uploaded with filename - 22512x512_RED.22png-2.png
Post title - 512x512_RED.png
post_meta_key (_wp_attached_file) - 22512x512_RED.22png-2.png
Renders properly inside a post.

Browser: Safari
File was uploaded with filename - 22512x512_RED.22png-4.png
Post title - 512x512_RED.png
post_meta_key (_wp_attached_file) - 22512x512_RED.22png-4.png
Renders properly inside a post.

How it saves in Firefox is different than the rest of the browsers. I'm not sure if it's something critical. But nonetheless, the image with double quotes in filename displays properly.
