Make WordPress Core

Opened 3 years ago

Last modified 8 months ago

#54190 new defect (bug)

sanitize_file_name disallows acute accents and left smart apostrophe

Reported by: jdorner's profile jdorner Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version: 5.5
Component: Media Keywords: dev-feedback needs-testing-info
Focuses: Cc:

Description (last modified by sabernhardt)

The following change to line 1991 of wp-includes/formatting.php will disallow acute accents and left smart apostrophe in file names

$special_chars = array( '?', '[', ']', '/', '\\', '=', '<', '>', ':', ';', ',', "'", '"', '&', '$', '#', '*', '(', ')', '|', '~', '`', '´', '!', '{', '}', '%', '+', 'ʻ','’', '«', '»', '”', '“', chr( 0 ) );

Attachments (1)

test´filename.txt (2.7 KB) - added by jdorner 3 years ago.
file with acute accent in the filename - unable to upload to media library

Download all attachments as: .zip

Change History (22)

#1 @jdorner
3 years ago

After further review, should all extended ASCII codes (character code 128-255) be excluded or are these valid in a URL?

#2 @hellofromTonya
3 years ago

  • Component changed from General to Media
  • Summary changed from sanitize_file_name allows acute accents and left smart apostrophe to sanitize_file_name disallows acute accents and left smart apostrophe
  • Version changed from 5.8.1 to 5.5

Hello @jdorner,

Welcome to WordPress Core's Trac! Thank you for reporting this.

Adding contextual information:
This change was introduced in changeset [48596] for ticket #50231 in the 5.5 release as part of the Media component. Updated ticket information.

This ticket was mentioned in Slack in #core-test by hellofromtonya. View the logs.


3 years ago

#4 @justinahinon
3 years ago

  • Keywords dev-feedback added

Thanks for opening the ticket @jdorner.

I think we might need some additional information from the media team about the policy for filenames.

Adding a keyword and pinging a component maintainer.
cc @mikeschroder

#5 @mai21
3 years ago

  • Keywords reporter-feedback needs-testing-info added

@jdorner Can you please provide a use case or step-by-step instructions on how to reproduce the issue?

Thanks

#6 @sabernhardt
3 years ago

  • Description modified (diff)

@jdorner
3 years ago

file with acute accent in the filename - unable to upload to media library

#7 @lukefiretoss
2 years ago

Post-processing of the image failed likely because the server is busy or does not have enough resources. Uploading a smaller image may help. Suggested maximum size is 2500 pixels.

Is the message that shows in the media library if an image is being uploaded that contains an apostrophe in the file name.

This ticket was mentioned in Slack in #core-media by antpb. View the logs.


15 months ago

#9 @antpb
15 months ago

  • Milestone changed from Awaiting Review to 6.3

Moving to 6.3 to investigate if this is still valid and what needs to happen.

This ticket was mentioned in Slack in #core-media by antpb. View the logs.


11 months ago

This ticket was mentioned in Slack in #core by mukeshpanchal27. View the logs.


11 months ago

#12 @mukesh27
11 months ago

  • Milestone changed from 6.3 to 6.4

This ticket was discussed during bug scrub.

@antpb Have you investigated the issue? lack of details moving to 6.4

Additional props to @oglekler

#13 @Presskopp
11 months ago

Am I missing something? I can upload any file (.txt, .png) having the name "test´filename"

This ticket was mentioned in Slack in #core-media by antpb. View the logs.


9 months ago

#15 @antpb
9 months ago

Hi @jdorner ! Thanks so much for this report. There have been two confirmed instances of folks able to upload the test file. Any chance you can reproduce it still? If fixed let us know and we'll close this ticket out. Thanks again!

#16 @jdorner
9 months ago

  • Keywords reporter-feedback removed

I can upload the file.

It appears that sanitize_file_name is working correctly now - so I believe this issue is resolved.

However, when uploading a file with a left smart apostrophe the file is stored as: "test´filename.txt". The character is not getting removed.

Is the filename not sanitized using sanitize_file_name before saving?

Thanks!

Last edited 9 months ago by jdorner (previous) (diff)

#17 @Presskopp
9 months ago

sanitize_file_name() claims:

"not to guarantee that this function will return a filename that is allowed to be uploaded."

So it is not complete 'by design'.

But let's think about adding some more chars like in:

$special_chars = array(
        '?', '[', ']', '/', '\\', '=', '<', '>', ':', ';', ',', "'", '"', '&', '$',
        '#', '*', '(', ')', '|', '~', '`', '!', '{', '}', '%', '+', '’', '«', '»',
        '”', '“', chr( 0 ), '´', '^', '@', '%', '&', '*', '+', '=', '|', '{', '}',
        '(', ')', '[', ']', '<', '>', ',', ':', ';', '"', '\'', '~', '`', '#', '$',
        '£', '€', '¥', '¦', '§', '¨', '©', 'ª', '¬', '®', '¯', '°', '±', '²', '³',
        'µ', '¶', '·', '¸', '¹', 'º', '¼', '½', '¾', '¿', '×', '÷'
);

#18 @nicolefurlan
8 months ago

@antpb RC1 for 6.4 is in ~2 weeks so I'm checking up on tickets in the milestone. What do you think about this ticket?

Should we add more characters to sanitize_file_name() as suggested in #comment:17? Should we do more testing to make sure the original issue is definitely resolved?

This ticket was mentioned in Slack in #core-media by antpb. View the logs.


8 months ago

#20 @antpb
8 months ago

  • Milestone changed from 6.4 to Awaiting Review

Hi @Presskopp ! Thanks for the suggestion there, I want to close this issue to keep it focused on the reported problem as this is slated for 6.4 but with the initial reported issue being resolved I'd like to clos or rename and write a new description for to include the ones you mentioned in your comment.

Which of those characters are new and would be added? Moving to Awaiting Review to keep the milestone true.

#21 @Presskopp
8 months ago

Hi @antpb , I'm not sure if I get you right. This is the function as of today:

$special_chars = array( '?', '[', ']', '/', '\\', '=', '<', '>', ':', ';', ',', "'", '"', '&', '$', '#', '*', '(', ')', '|', '~', '`', '!', '{', '}', '%', '+', '’', '«', '»', '”', '“', chr( 0 ) );

and I just added

'´', '^', '@', '%', '&', '*', '+', '=', '|', '{', '}','(', ')', '[', ']', '<', '>', ',', ':', ';','"', '\'', '~', '`', '#', '$','£', '€', '¥', '¦', '§', '¨', '©', 'ª', '¬', '®', '¯', '°', '±', '²', '³','µ', '¶', '·', '¸', '¹', 'º', '¼', '½', '¾', '¿', '×', '÷'

But I don't claim that addition to be complete.

Note: See TracTickets for help on using tickets.