Make WordPress Core

Opened 8 years ago

Closed 8 years ago

#4974 closed defect (bug) (fixed)

Invalid names generated for uploads with unknown extensions

Reported by: Nazgul
Owned by: markjaquith
Milestone: 2.3
Priority: normal
Severity: normal
Version: 2.3
Component: General
Keywords: has-patch needs-testing dev-reviewed
Focuses:
Cc:

Description

It is possible for someone with the unfiltered_upload capability to upload attachments with unknown extensions. There is a bug which generates the filename in that instance, which results in a file called test.phps being uploaded as testphps..phps.

This is caused by the extension guessing code leaving the . before the extension, which is added again later on, making a few replaces fail.

Attachments (1)

4974.diff (539 bytes) - added by Nazgul 8 years ago.
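
The failure described in the ticket, as an added example that is neither WordPress source nor the attached patch: a constructed PHP model of the naming steps, showing the guessed extension keeping its dot beside a corrected form that strips it. The function names, the `$strip_dot` switch and the stand-in sanitizer are assumptions made for illustration.

```php
<?php
// Constructed model of the naming steps described in the ticket; not WordPress source.

// Hypothetical stand-in for the title sanitizer: lowercases the name and drops
// everything except letters, digits, underscores and dashes, so dots are removed.
function model_sanitize(string $s): string {
    return preg_replace('/[^a-z0-9_-]/', '', strtolower($s));
}

// $known_ext: extension from the allowed-types table, without a dot,
//             or '' when the type is unknown (the unfiltered_upload case).
// $strip_dot: false models the reported behaviour, true models the corrected form.
function model_upload_name(string $name, string $known_ext, bool $strip_dot): string {
    $ext = $known_ext;
    if ($ext === '') {
        // Fallback guess for unknown types: strrchr() returns the tail of the
        // name starting AT the last dot, so the guess keeps its leading dot.
        $guess = strrchr($name, '.');
        $ext = ($guess === false) ? '' : $guess;
        if ($strip_dot) {
            $ext = ltrim($ext, '.');   // corrected form: store the bare extension
        }
    }
    if ($ext !== '') {
        $ext = '.' . $ext;             // the dot is added (again) here
    }
    // Remove the extension from the base name, sanitize the base, re-attach it.
    // With a doubled dot the search string never matches, so the old extension
    // stays in the base and the sanitizer folds it into the name.
    $base = ($ext === '') ? $name : str_replace($ext, '', $name);
    return model_sanitize($base) . $ext;
}

// Constructed sample inputs: one unknown type, one known type.
foreach ([['test.phps', ''], ['photo.jpg', 'jpg']] as [$name, $known]) {
    printf("%-10s reported=%-15s corrected=%s\n", $name,
        model_upload_name($name, $known, false),
        model_upload_name($name, $known, true));
}
```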

Change History (4)

@Nazgul 8 years ago

comment:1 @markjaquith 8 years ago

  • Keywords needs-testing dev-feedback added
  • Owner changed from anonymous to markjaquith
  • Status changed from new to assigned

Verified the issue, verified that the patch fixes it.

Verified that this patch doesn't allow users without unfiltered_upload to upload unknown attachment types.

Someone else take a look at it to make sure I didn't miss a "gotcha," and we can get this in.

comment:2 @westi 8 years ago

  • Keywords dev-reviewed added; dev-feedback removed

+1 this looks sane to me and passes my standalone tests for its logic.

comment:3 @markjaquith 8 years ago

  • Resolution set to fixed
  • Status changed from assigned to closed

(In [6116]) Properly name files with unknown extensions (for people with unfiltered_upload cap, natch). props Nazgul. fixes #4974 for trunk