WordPress.org

Make WordPress Core

Opened 3 years ago

Last modified 3 months ago

#22694 reopened defect (bug)

Can't upload a file with an apostrophe in name

Reported by: ianatkins Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version: 3.4.2
Component: Media Keywords:
Focuses: Cc:

Description

When uploading a file with an apostrophe in the filename wordpress returns a 'HTTP Error' message.

I have replicated this on two separate installs of wordpress, on different LAMP hosting environments.

The filename used for testing was Trend_Forecaster's_Handbook_1.jpg

Change History (27)

comment:1 @dd323 years ago

#22695 was marked as a duplicate.

comment:2 follow-up: @pavelevap3 years ago

Tested in trunk and file is uploaded, but name is crippled: "s_Handbook_1.jpg"

comment:3 in reply to: ↑ 2 @SergeyBiryukov3 years ago

Replying to pavelevap:

Tested in trunk and file is uploaded, but name is crippled: "s_Handbook_1.jpg"

Confirmed. Not a new bug though, tested 2.0.11 and it's the same there.

This is what $_FILES looks like:

Array
(
    [async-upload] => Array
        (
            [name] => s_Handbook_1.jpg
            [type] => image/jpeg
            [tmp_name] => S:\tmp\phpCB2.tmp
            [error] => 0
            [size] => 16658
        )

)

Appears to be a PHP bug: https://bugs.php.net/bug.php?id=31398

comment:4 @SergeyBiryukov3 years ago

The workaround is to disable magic_quotes_gpc.

comment:5 @ianatkins3 years ago

Thanks for investigating Sergey. Is it possible to catch this earlier and throw a more useful error message to the end user?

comment:6 @iseulde2 years ago

  • Resolution set to worksforme
  • Status changed from new to closed

Works in new media uploader.

comment:7 @helen2 years ago

  • Milestone Awaiting Review deleted

comment:8 in reply to: ↑ description @sfoxe18 months ago

  • Resolution worksforme deleted
  • Status changed from closed to reopened

I just encountered this bug using Wordpress 3.8.1, and uploading a file with an apostrophe in the filename. Removing the apostrophe allowed the file to be uploaded.

Has this bug crept back into the codebase somehow??

Replying to ianatkins:

When uploading a file with an apostrophe in the filename wordpress returns a 'HTTP Error' message.

I have replicated this on two separate installs of wordpress, on different LAMP hosting environments.

The filename used for testing was Trend_Forecaster's_Handbook_1.jpg

comment:9 @Ipstenu18 months ago

I can duplicate this one, ran into it on a clean 3.8.1 with very little else :(

magic_quotes_gpc is off (verified it). PHP 5.4.24

comment:10 @UmeshSingla17 months ago

With PHP 5.5.8-3 and Wordpress 3.8.1, I never get that issue, while uploading file to media library. Filename is proper with ' being removed from it. Also there is no 'magic_quotes_gpc()' after PHP 5.4
ref: http://in1.php.net/get_magic_quotes_gpc

Last edited 17 months ago by UmeshSingla (previous) (diff)

comment:11 @SergeyBiryukov17 months ago

  • Milestone set to Awaiting Review

I can still reproduce the truncated filename from comment:3 in PHP 5.2.17 and PHP 5.3.28 with magic_quotes_gpc on, but not in PHP 5.4.26. Not sure if we can do anything here.

I could not reproduce the "HTTP error" message though.

comment:12 @jamesmehorter15 months ago

I can also confirm this issue while using WP 3.9 and PHP 5.3.27 with magic_quotes_gpc disabled. Uploading a file with a single-quote in the filename results in 'HTTP Error'. Simply removing the quote corrects the issue.

I personally don't need the quote in the filename if WP could somehow remove it.

comment:13 @jana@…15 months ago

How difficult would it be to make the error read "remove apostrophe from file name and reload"? (No snark intended; honest question.)

comment:14 @Ipstenu15 months ago

I still get the httpd error message with PHP 5.4.x and 3.9

Even just a flag "Invalid Filename" would be friendlier.

comment:15 follow-up: @ericlewis15 months ago

@ipsentu can you provide clear steps to reproduce the httpd error message?

comment:16 in reply to: ↑ 15 @Ipstenu15 months ago

Replying to ericlewis:

@ipsentu can you provide clear steps to reproduce the httpd error message?

1) Create a file with a non a-z/0-9 character in it's name (example: Thisain'tsparta.jpg)

2) Upload the image via any method (in post, drag and drop, select to upload)

3) Get error.

It really is that simple.

comment:17 @ericlewis15 months ago

Ah, finally reproduced, thanks @Ipstenu.

If the single or double quote is inside the filename, it makes it through. Only if the string ends in a single or double quote can I reproduce.

comment:18 @ericlewis15 months ago

  • Summary changed from Uploading File with Apostrophe in filename to Can't upload a file ending in an apostrophe
Last edited 15 months ago by ericlewis (previous) (diff)

comment:19 @SergeyBiryukov14 months ago

#28384 was marked as a duplicate.

comment:20 @SergeyBiryukov14 months ago

  • Summary changed from Can't upload a file ending in an apostrophe to Can't upload a file with an apostrophe in name

Looks like this happens with an apostrophe in the middle of the filename too.

comment:21 in reply to: ↑ description @harpercl9 months ago

Just had this happen to me in 4.0. Apostrophe in the middle of the filename. async-upload.php returned 404 when uploading.

comment:22 @kpdesign9 months ago

#30253 was marked as a duplicate.

comment:23 @juiceboxint9 months ago

I just came across this issue in WP 4.0, PHP 5.4.34, magic_quotes_gpc = off. The file was a PDF and the apostrophe was in the middle of the filename.

comment:24 @slackbot8 months ago

This ticket was mentioned in Slack in #core by bobbingwide. View the logs.

comment:25 @bobbingwide8 months ago

Just want to point out the following:

  1. Windows doesn't allow file names with the following characters \ / : * ? " < > |
  2. It would appear that the PHP problem has been fixed
  3. Also that the magic_quotes_gpc workaround won't apply with PHP 5.4 and above.

The new workaround would be to upgrade to PHP 5.5 or higher...

I believe this is inline with the vision.

Shouldn't this be changed to wontfix?

comment:26 @wonderboymusic5 months ago

#30853 was marked as a duplicate.

comment:27 @interfaSys3 months ago

To the people still experiencing this issue. Make sure you check your mod_security (or any other IDS) logs. Because of the apostrophe, the system may think you're uploading malicious code.

Note: See TracTickets for help on using tickets.