Make WordPress Core

Opened 13 years ago

Last modified 4 years ago

#16191 reopened defect (bug)

Uploaded files with quote marks in the filename are undisplayable in MS

Reported by: simonwheatley's profile simonwheatley Owned by:
Milestone: Future Release Priority: normal
Severity: normal Version:
Component: Upload Keywords: has-patch dev-feedback needs-testing good-first-bug
Focuses: Cc:

Description

If you upload a file with quote marks in the filename, e.g. "Test".jpg, WordPress records the filename as %22test%22.jpg but the file is called "Test".jpg (on 'nix-like systems anyway) so is undisplayable.

I'm unsure about the implications (security and otherwise) of my suggested patch (attached), so please give feedback. (I guess the other approach would be to retain the url-encoded characters and ensure that the file is named with the URL encoded version of the filename.)

Attachments (3)

handle urlencoded characters.diff (960 bytes) - added by simonwheatley 13 years ago.
URLDecode characters before saving to WP meta data
16191.diff (2.1 KB) - added by mdawaffe 13 years ago.
PoC
16191.2.diff (2.9 KB) - added by mdawaffe 13 years ago.
Cleanup, Docs

Download all attachments as: .zip

Change History (12)

@simonwheatley
13 years ago

URLDecode characters before saving to WP meta data

#1 @mdawaffe
13 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to worksforme
  • Status changed from new to closed

sanitize_file_name() should be stripping quote marks, and works for me.

Please reopen with more details. What browser, what OS, what server OS, PHP version, etc.?

#2 @mdawaffe
13 years ago

  • Milestone set to Future Release
  • Resolution worksforme deleted
  • Status changed from closed to reopened

markjaquith just repro'd. Flash uploader works fine, the browser uploader does not.

#3 @mdawaffe
13 years ago

This looks like a WebKit bug that we can't work around.

I have a file named z"d%22e.jpg.

Uploading from FF:

-----------------------------178448449274243042114807987
Content-Disposition: form-data; name="async-upload"; filename="z"d%22e.jpg"
Content-Type: image/jpeg

Uploading from Chrome:

------WebKitFormBoundaryAUCJ2qQRMOXB3IQL
Content-Disposition: form-data; name="async-upload"; filename="z%22d%22e.jpg"
Content-Type: image/jpeg

Chrome is clearly doing things wrong. FF works, but I would have thought the double quote should have been slashed.

@mdawaffe
13 years ago

PoC

#4 @mdawaffe
13 years ago

16191.diff is a Proof of Concept workaround for filenames with double quotes in them.

  1. Populate POST variable via JS with file's real name.
  2. Use wp_handle_upload_prefilter to fix the $_FILES item.

@mdawaffe
13 years ago

Cleanup, Docs

#5 @iseulde
11 years ago

  • Keywords changed from has-patch, dev-feedback to has-patch dev-feedback

This is still an issue after 3.5, image is now saved as %22Test%22.jpg, but is not found when trying to access is. Maybe remove the double quotes just like single quotes are removed (Test.jpg)?
See #22694.

#6 @mordauk
9 years ago

16226.patch on 16226 may resolve this.

#7 @desrosj
5 years ago

  • Keywords needs-testing good-first-bug added

#16226 was fixed in 4.4. Can someone test this to see if the behavior still persists?

#8 @donmhico
5 years ago

This is my first time to be involved so please be patient and guide me through. @desrosj

I wasn't able to replicate the problem but I noticed something when testing on different browsers.

I'm on macOS Mojave (10.14.5)

What I did: Uploaded an image with the name "512x512_RED."png via the Media Uploader and inside Gutenberg editor.

Browser: Google Chrome
Results:
File was uploaded with filename - 22512x512_RED.22png.png
Post title - 512x512_RED.png
post_meta_key (_wp_attached_file) - 22512x512_RED.22png.png
Renders properly inside a post.

Browser: Firefox
Results:
File was uploaded with filename - 512x512_RED.png.png
Post title - "512x512_RED."png
post_meta_key (_wp_attached_file) - 512x512_RED.png.png
Renders properly inside a post.

Browser: Microsoft Edge (Dev build for Mac)
Results:
File was uploaded with filename - 22512x512_RED.22png-2.png
Post title - 512x512_RED.png
post_meta_key (_wp_attached_file) - 22512x512_RED.22png-2.png
Renders properly inside a post.

Browser: Safari
Results:
File was uploaded with filename - 22512x512_RED.22png-4.png
Post title - 512x512_RED.png
post_meta_key (_wp_attached_file) - 22512x512_RED.22png-4.png
Renders properly inside a post.

How it saves in Firefox is different than the rest of the browsers. I'm not sure if it's something critical. But nonetheless, the image with double quotes in filename displays properly.

#9 @sncoker
4 years ago

At #WCUS Contributor Day. I can confirm @donmhico's observations.

The patch does not apply cleanly to the trunk.

Operating System: Mac OS Mojave

Browser: Firefox
Post Title: top_”bg_header”
Filename: top_bg_header.jpg
Image renders correctly on the attachment page.

Browser: Chrome
Post Title: top_bg_header
Filename: top_bg_header.jpg
Image renders correctly on the attachment page.

Browser: Safari
Post Title: top_bg_header
Filename: top_22bg_header22.jpg
Image renders correctly on the attachment page.

Note: See TracTickets for help on using tickets.