Make WordPress Core

Opened 15 years ago

Closed 14 years ago

Last modified 10 years ago

#2994 closed defect (bug) (fixed)

Theme files cannot be edited when theme's directory has certain characters in it

Reported by: trasnam Owned by: ryan
Milestone: Priority: high
Severity: normal Version: 2.0.4
Component: Administration Keywords: theme editor bracket parenthesis spaces braces has-patch
Focuses: Cc:


Theme files cannot be edited when the theme name contains brackets in the directory name. (For example themename[modification] .)

After the upgrade to 2.0.4, I noticed I can no longer edit any theme files. I get the error, "Sorry, that file cannot be edited." when I hit "Update File" on the theme-editor.php page for any arbitrary file. This also occurs in 2.1 Alpha 2, but does not occur in 2.0.3. Therefore, I believe it is a regression.

After doing some debugging, I noticed that the value for the file I am editing is not the same in both $files and $allowed_files in admin-functions.php (only upon form submission, however). The value in $files has the brackets stripped out, whereas the value in $allowed_files doesn't have the brackets stripped out.

As a result of this, the function validate_file returns a 3, which in turn makes the function validate_file_to_edit return the "Sorry, that file cannot be edited." message.

I haven't yet figured out what causes the brackets to get stripped out, and as such I have renamed the theme directory as a temporary workaround.

I have no problem renaming the directory as a permanent fix, but I think the code should at least check for the brackets and tell the user to give the directory another name. If not, it should handle the bracket just like any other text character without stripping it out.

See this thread for more information:


Attachments (1)

2994.diff (521 bytes) - added by Nazgul 15 years ago.

Download all attachments as: .zip

Change History (19)

#1 @trasnam
15 years ago

As a note, I found out where the problem lies.

Some code in wp-includes/pluggable-functions.php is the culprit.

Starting on line 264 of the file, this code is what trips up the problem I'm having:

$location = preg_replace('|[^a-z0-9-~+_.?#=&;,/:%]|i', '', $location);

$strip = array('%0d', '%0a');
$location = str_replace($strip, '', $location);

If the code from 2.0.3 is substituted, the code works as expected. Basically, replace those three lines of code with this one:

$location = str_replace( array("\n", "\r"), '', $location);

However, I think the code added to 2.0.4 was put there for a reason, so I doubt just putting back in the 2.0.3 code is a desired remedy.

#2 @trasnam
15 years ago

  • Keywords parenthesis spaces braces added

As another update, this issue not only affects brackets. It also affects characters like parenthesis, spaces, and braces, for instance. This can easily be seen by looking at the preg_replace line.

I'm not sure how modifying that line would affect things with the IIS issue it is meant to solve though, since I'm not at all familiar with it.

Perhaps someone more familiar with this part of the code can provide some insight.

Since this affects more directory names than just ones with brackets in them, I am moving up the priority of this ticket to High.

(Also, it's not really important, but in my original post, I meant $file (not $files) as the variable I was talking about.)

#3 @trasnam
15 years ago

  • Priority changed from normal to high

#4 @trasnam
15 years ago

  • Summary changed from Theme files cannot be edited when theme's directory has brackets in it to Theme files cannot be edited when theme's directory has certain characters in it

#5 @ryan
15 years ago

  • Owner changed from anonymous to ryan

#6 @foolswisdom
15 years ago

  • Milestone set to 2.1

15 years ago

#7 @Nazgul
15 years ago

  • Keywords has-patch added

Added a few extra characters to the regex and made a patch for this.

I left out spaces as mentioned by the ticket reporter, because I think spaces shouldn't be allowed in path and file names on the web.

#8 @masquerade
15 years ago

Spaces and other characters are perfectly legal in filenames both on and off the web. I don't see why we should leave them out.

#9 @ryan
15 years ago

  • Milestone changed from 2.1 to 2.0.5

Nominating for 2.0.5. Keep in mind that this preg_replace is meant to prevent CRLF injection and other baddies, so we need to make sure we don't compromise security. Hmm, perhaps we should switch to POST.

#10 @ryan
15 years ago

  • Resolution set to fixed
  • Status changed from new to closed

(In [4268]) Do only the minimum sanitization on the URL redirect. fixes #2994

#11 @ryan
15 years ago

(In [4269]) Do only the minimum sanitization on the URL redirect. fixes #2994

#12 @ryan
15 years ago

Instead of modifying wp_redirect(), let's go the more conservative route for 2.0.5 and modify theme-editor.php. I changed it to strip CRLF and nulls pass everything else through. Any other badness should be caught with the allowed_files check. We can reconsider what to do with wp_redirect() in 2.1.

#13 @(none)
15 years ago

  • Milestone 2.0.5 deleted

Milestone 2.0.5 deleted

#14 in reply to: ↑ description @leonessa
14 years ago

  • Resolution fixed deleted
  • Status changed from closed to reopened

Please, please help! I am VERY new to Word Press or php. I keep getting the "THAT FILE CAN NOT BE EDITED" every time I try to access the theme editor. I am trying to build this site for a non-profit that NEED to have this going as soon as possible, we're trying to pay off a building and are under pressure to make this happen. PLEASE help! I read some help files, and this seems to be a common problem, but I can not for the life of me understand what to do about fixing it. PLEASE HELP!

#15 @xknown
14 years ago

  • Resolution set to invalid
  • Status changed from reopened to closed

#16 @darkdragon
14 years ago

  • Resolution invalid deleted
  • Status changed from closed to reopened

#17 @darkdragon
14 years ago

  • Resolution set to fixed
  • Status changed from reopened to closed

#18 @nacin
10 years ago

In [20314]:

urldecode() the incoming $file in the theme editor. see [20313] when the encode was added. see #2994 for the original bug report. see #20103.

Note: See TracTickets for help on using tickets.