Make WordPress Core

Opened 3 years ago

Last modified 11 months ago

#16191 reopened defect (bug)

Uploaded files with quote marks in the filename are undisplayable in MS

Reported by: simonwheatley Owned by:
Milestone: Future Release Priority: normal
Severity: normal Version:
Component: Upload Keywords: has-patch dev-feedback
Focuses: Cc:


If you upload a file with quote marks in the filename, e.g. "Test".jpg, WordPress records the filename as %22test%22.jpg but the file is called "Test".jpg (on 'nix-like systems anyway) so is undisplayable.

I'm unsure about the implications (security and otherwise) of my suggested patch (attached), so please give feedback. (I guess the other approach would be to retain the url-encoded characters and ensure that the file is named with the URL encoded version of the filename.)

Attachments (3)

handle urlencoded characters.diff (960 bytes) - added by simonwheatley 3 years ago.
URLDecode characters before saving to WP meta data
16191.diff (2.1 KB) - added by mdawaffe 3 years ago.
16191.2.diff (2.9 KB) - added by mdawaffe 3 years ago.
Cleanup, Docs

Download all attachments as: .zip

Change History (8)

simonwheatley3 years ago

URLDecode characters before saving to WP meta data

comment:1 mdawaffe3 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to worksforme
  • Status changed from new to closed

sanitize_file_name() should be stripping quote marks, and works for me.

Please reopen with more details. What browser, what OS, what server OS, PHP version, etc.?

comment:2 mdawaffe3 years ago

  • Milestone set to Future Release
  • Resolution worksforme deleted
  • Status changed from closed to reopened

markjaquith just repro'd. Flash uploader works fine, the browser uploader does not.

comment:3 mdawaffe3 years ago

This looks like a WebKit bug that we can't work around.

I have a file named z"d%22e.jpg.

Uploading from FF:

Content-Disposition: form-data; name="async-upload"; filename="z"d%22e.jpg"
Content-Type: image/jpeg

Uploading from Chrome:

Content-Disposition: form-data; name="async-upload"; filename="z%22d%22e.jpg"
Content-Type: image/jpeg

Chrome is clearly doing things wrong. FF works, but I would have thought the double quote should have been slashed.

mdawaffe3 years ago


comment:4 mdawaffe3 years ago

16191.diff is a Proof of Concept workaround for filenames with double quotes in them.

  1. Populate POST variable via JS with file's real name.
  2. Use wp_handle_upload_prefilter to fix the $_FILES item.

mdawaffe3 years ago

Cleanup, Docs

comment:5 avryl11 months ago

  • Keywords changed from has-patch, dev-feedback to has-patch dev-feedback

This is still an issue after 3.5, image is now saved as %22Test%22.jpg, but is not found when trying to access is. Maybe remove the double quotes just like single quotes are removed (Test.jpg)?
See #22694.

Note: See TracTickets for help on using tickets.