sanitize_file_name disallows acute accents and left smart apostrophe

[jdorner]

The following change to line 1991 of wp-includes/formatting.php will disallow acute accents and left smart apostrophe in file names

$special_chars = array( '?', '[', ']', '/', '\\', '=', '<', '>', ':', ';', ',', "'", '"', '&', '$', '#', '*', '(', ')', '|', '~', '`', '´', '!', '{', '}', '%', '+', 'ʻ','’', '«', '»', '”', '“', chr( 0 ) );

[jdorner]

After further review, should all extended ASCII codes (character code 128-255) be excluded or are these valid in a URL?

[hellofromTonya]

Hello @jdorner,

Welcome to WordPress Core's Trac! Thank you for reporting this.

Adding contextual information:
This change was introduced in changeset [48596] for ticket #50231 in the 5.5 release as part of the Media component. Updated ticket information.

[justinahinon]

Thanks for opening the ticket @jdorner.

I think we might need some additional information from the media team about the policy for filenames.

Adding a keyword and pinging a component maintainer.
cc @mikeschroder

[mai21]

@jdorner Can you please provide a use case or step-by-step instructions on how to reproduce the issue?

Thanks

[jdorner]

file with acute accent in the filename - unable to upload to media library

[lukefiretoss]

Post-processing of the image failed likely because the server is busy or does not have enough resources. Uploading a smaller image may help. Suggested maximum size is 2500 pixels.

Is the message that shows in the media library if an image is being uploaded that contains an apostrophe in the file name.

[antpb]

Moving to 6.3 to investigate if this is still valid and what needs to happen.

[mukesh27]

This ticket was discussed during bug scrub.

@antpb Have you investigated the issue? lack of details moving to 6.4

Additional props to @oglekler

[Presskopp]

Am I missing something? I can upload any file (.txt, .png) having the name "test´filename"

[antpb]

Hi @jdorner ! Thanks so much for this report. There have been two confirmed instances of folks able to upload the test file. Any chance you can reproduce it still? If fixed let us know and we'll close this ticket out. Thanks again!

[jdorner]

I can upload the file.

It appears that sanitize_file_name is working correctly now - so I believe this issue is resolved.

However, when uploading a file with a left smart apostrophe the file is stored as: "test´filename.txt". The character is not getting removed.

Is the filename not sanitized using sanitize_file_name before saving?

Thanks!

[Presskopp]

sanitize_file_name() claims:

"not to guarantee that this function will return a filename that is allowed to be uploaded."

So it is not complete 'by design'.

But let's think about adding some more chars like in:

$special_chars = array(
        '?', '[', ']', '/', '\\', '=', '<', '>', ':', ';', ',', "'", '"', '&', '$',
        '#', '*', '(', ')', '|', '~', '`', '!', '{', '}', '%', '+', '’', '«', '»',
        '”', '“', chr( 0 ), '´', '^', '@', '%', '&', '*', '+', '=', '|', '{', '}',
        '(', ')', '[', ']', '<', '>', ',', ':', ';', '"', '\'', '~', '`', '#', '$',
        '£', '€', '¥', '¦', '§', '¨', '©', 'ª', '¬', '®', '¯', '°', '±', '²', '³',
        'µ', '¶', '·', '¸', '¹', 'º', '¼', '½', '¾', '¿', '×', '÷'
);

[nicolefurlan]

@antpb RC1 for 6.4 is in ~2 weeks so I'm checking up on tickets in the milestone. What do you think about this ticket?

Should we add more characters to sanitize_file_name() as suggested in #comment:17? Should we do more testing to make sure the original issue is definitely resolved?

[antpb]

Hi @Presskopp ! Thanks for the suggestion there, I want to close this issue to keep it focused on the reported problem as this is slated for 6.4 but with the initial reported issue being resolved I'd like to clos or rename and write a new description for to include the ones you mentioned in your comment.

Which of those characters are new and would be added? Moving to Awaiting Review to keep the milestone true.

[Presskopp]

Hi @antpb , I'm not sure if I get you right. This is the function as of today:

$special_chars = array( '?', '[', ']', '/', '\\', '=', '<', '>', ':', ';', ',', "'", '"', '&', '$', '#', '*', '(', ')', '|', '~', '`', '!', '{', '}', '%', '+', '’', '«', '»', '”', '“', chr( 0 ) );

and I just added

'´', '^', '@', '%', '&', '*', '+', '=', '|', '{', '}','(', ')', '[', ']', '<', '>', ',', ':', ';','"', '\'', '~', '`', '#', '$','£', '€', '¥', '¦', '§', '¨', '©', 'ª', '¬', '®', '¯', '°', '±', '²', '³','µ', '¶', '·', '¸', '¹', 'º', '¼', '½', '¾', '¿', '×', '÷'

But I don't claim that addition to be complete.