Make WordPress Core

Opened 5 years ago

Closed 4 years ago

#17038 closed defect (bug) (fixed)

Plugin & theme editors should URL encode file names

Reported by: kawauso Owned by: ryan
Milestone: 3.2 Priority: normal
Severity: normal Version: 3.1
Component: Administration Keywords: has-patch needs-testing
Focuses: Cc:


Steps to reproduce:

  1. Name a file: foo&bar.php
  2. Try editing the file in the editor

The plugin editor dropdown can also be broken with a file name containing a HTML entity.

Attachments (2)

17038.diff (2.1 KB) - added by kawauso 5 years ago.
URL encode filenames in URLs
17038.2.diff (2.0 KB) - added by kawauso 5 years ago.
No extra whitespace

Download all attachments as: .zip

Change History (10)

#1 @kawauso
5 years ago

Related: #13377

5 years ago

URL encode filenames in URLs

#2 @kawauso
5 years ago

Patch addresses URL encoding, but doesn't address encoding to deal with HTML entities in file names being displayed.

#3 @scribu
5 years ago

  • Keywords has-patch added
  • Milestone changed from Awaiting Review to 3.2

#4 @azaozz
5 years ago

  • Keywords close added
  • Type changed from defect (bug) to enhancement

The patch seems good however in principle I'm -1. Generally plugins and themes are (parts of) software. I think plugin and theme authors can afford to use plain ASCII for the filenames of their software. That also closes the door for some (unlikely) incompatibility with some server operating systems.

#5 @scribu
5 years ago

  • Keywords close removed

End user: Look, I can select this weirdly named file to edit it. Click. "File not found"?? Stupid WP.

We should either allow the user to edit the file or not show it at all.

5 years ago

No extra whitespace

#6 @dd32
5 years ago

  • Keywords needs-testing added
  • Type changed from enhancement to defect (bug)

I agree with scribu here, If the file is valid on the system, we should allow it to be used, to prevent url issues, encoding it seems the sane thing to do.

Patch looks fine, but haven't tested it.

#7 @studionashvegas
5 years ago

Before Patch: tested (with same filename as above) and was able to reproduce with same error.
After Patch: able to edit file - patch applies clean

#8 @ryan
4 years ago

  • Owner set to ryan
  • Resolution set to fixed
  • Status changed from new to closed

In [18094]:

url_encode file names in theme and plugin editor urls. Props kawauso. fixes #17038

Note: See TracTickets for help on using tickets.