#16226 closed defect (bug) (fixed)
Attachment URL filenames are not urlencoded
Reported by: | mdawaffe | Owned by: | wonderboymusic |
---|---|---|---|
Milestone: | 4.4 | Priority: | normal |
Severity: | normal | Version: | 3.1 |
Component: | Upload | Keywords: | has-patch |
Focuses: | Cc: |
Description
In looking at #16191, I discovered a related bug.
Upload a file called a%22b.jpg
. The file will be stored on the filesystem as a%22b.jpg
, but the resulting attachment URL will be http://example.com/wp-content/uploads/2011/01/a%22b.jpg, which will point to a file named a"b.jpg
.
Attachments (5)
Change History (27)
#2
@
14 years ago
- Keywords has-patch added; needs-patch removed
%
should be added to the list of special characters. Browsers will treat it (and what follows) as a urlencoded entity, which means you will never be able to access the saved file.
#3
follow-up:
↓ 4
@
14 years ago
shouldn't % be encoded to %25 instead? ie. the filename should be urlencoded.
#4
in reply to:
↑ 3
@
14 years ago
Replying to dd32:
shouldn't % be encoded to %25 instead? ie. the filename should be urlencoded.
The difficulty is urlencoding only the filename portion... we can't urlencode the whole url. And we can't do the encoding in sanitize_file_name()
because that is used in other non-URL contexts. Is there some other place where it can be done?
#5
@
14 years ago
See the attached patch, it's a rough patch, but seems to work in the few test cases i've got here. I've not tested it against international characters, nor have i tested it against "store uploads in year/month folders" being disabled (which will probably break this patch)
#6
@
13 years ago
Similar to this:
Upload a file called a+b.jpg. The file will be stored on the filesystem as a+b.jpg, but the resulting attachment URL will be "http://example.com/wp-content/uploads/2011/04/a+b.jpg", which will point to a file named "a b.jpg" wich does not exist.
The plus sign translates to a space in an urlencoded string. 16226.2.diff will probably solve this as well, but not patch 16226.diff.
#7
@
13 years ago
- Keywords dev-feedback added
- Version changed from 3.1 to 3.2
It seems to me that the simplest thing to do for these edge cases (albeit that I've just had a real user complaining about a file with a "+" in the filename not uploading) is to strip "+" and "%" in the sanitise_file_name
function. I'm attaching a patch which does just this.
#9
@
13 years ago
- Version changed from 3.2 to 3.1
The Version field is used to track the first version in which a issue is identified in, You can assume that any version between Version and Milestone will be affected by the ticket, so no need to update it to the current branch.
#11
@
13 years ago
- Cc jonathan.addleman@… added
I just noticed another similar bug - I uploaded some files with spaces,
#14
@
10 years ago
- Resolution duplicate deleted
- Status changed from closed to reopened
Why hasn't this been implemented?
I'm running into issues importing images that had a % in their URL.. Simply adding it to the $special_chars fixed the problem, but I'm wondering why this hasn't made it into core... does this cause other conflicts?
#15
@
10 years ago
16226.patch is a refreshed patch that applies cleanly.
16226-tests.patch refreshes unit tests so they pass properly.
The only issue I see with this is that encoded spaces and other characters (such as %20
) get their %
removed but leave the rest. This means that multi %20 +space.png
becomes multi-20-space.png
.
#17
@
9 years ago
If someone is looking to address this issue temporarily while waiting on the patch to get integrated, and happen to sit on a server, like Flywheel, that doesn't let you edit wp-includes.... You can simply add this to your theme's functions.php file
add_filter ('sanitize_file_name', 'remove_percents_filter', 10 ); function remove_percents_filter( $filename ) { $filename = str_replace( '%', '', $filename ); return $filename; }
Possibly related: #15955