#57242 closed enhancement (fixed)
Remove redundant dot in sanitize_file_name function
Reported by: | ArtZ91 | Owned by: | audrasjb |
---|---|---|---|
Milestone: | 6.2 | Priority: | normal |
Severity: | normal | Version: | |
Component: | Formatting | Keywords: | has-patch has-unit-tests commit |
Focuses: | Cc: |
Description
Some web-servers returns Forbidden error if filename contains redundant dot, for example: filename..jpg
Maybe need to trim this dot inside sanitize_file_name.
Attachments (1)
Change History (18)
This ticket was mentioned in PR #3713 on WordPress/wordpress-develop by arthurshlain.
2 years ago
#1
- Keywords has-patch added
#2
@
2 years ago
- Keywords reporter-feedback added
Hi @ArtZ91, thanks for opening this ticket!
Can you provide any more information about why servers do this, for the benefit of others reading this ticket?
Also, a couple of questions:
- What happens if you replace the first dot with
%2E
? i.e.
https://example.org/wp-content/uploads/2022/12/test-fajl-s-kirilliczej%2E.png
- Does this also occur if the filename begins with
..
, or contains..
anywhere else? i.e.
https://example.org/wp-content/uploads/2022/12/..test-fajl-s-kirilliczej.png
Or
https://example.org/wp-content/uploads/2022/12/test-fajl-s-kiril..liczej.png
#3
@
2 years ago
I dont know about server thrid-party configuration.
Test 1:
test-fajl-s-kirilliczej%2E.png
→
/wp-content/uploads/2022/12/test-fajl-s-kirilliczej2e.png
200 OK
Test 2:
..test-fajl-s-kirilliczej.png
→
/wp-content/uploads/2022/12/test-fajl-s-kirilliczej.png
200 OK
Test 3:
/wp-content/uploads/2022/12/test-fajl-s-kiril..liczej.png
→
403 Forbidden
Looks like server has some strange protection from ..
double dot in URL.
#4
in reply to:
↑ description
@
2 years ago
- Keywords 2nd-opinion added; reporter-feedback removed
Hi there, welcome back to WordPress Trac! Thanks for the ticket.
Replying to ArtZ91:
Some web-servers returns Forbidden error if filename contains redundant dot, for example: filename..jpg
It sounds like ..
triggers some security rule on the server, e.g. to prevent directory traversal. This appears to be similar to #45368, although that ticket is about ..
in post content.
Applying rtrim( $filename, '.' )
before appending the extension probably makes sense. On the other hand, as noted above, that does not fix the issue if ..
is in the middle of the file name.
So I'm not quite sure about this change, curious to see what others think.
#5
follow-up:
↓ 6
@
2 years ago
We could:
- Replace all instances of
..
(or more) with.
(or-
, etc) - Apply
rtrim( $filename, '.' )
. - Append the extension.
#6
in reply to:
↑ 5
@
2 years ago
- Keywords needs-patch added; has-patch 2nd-opinion removed
- Milestone changed from Awaiting Review to 6.2
Replying to costdev:
We could:
- Replace all instances of
..
(or more) with.
(or-
, etc)- Apply
rtrim( $filename, '.' )
.- Append the extension.
Thanks! That makes sense to me. Seems similar to what sanitize_title_with_dashes() does:
- It replaces all
.
characters with-
:$title = str_replace( '.', '-', $title );
- Then it replaces multiple instances with a single one:
$title = preg_replace( '|-+|', '-', $title );
- Then removes leading and trailing instances:
$title = trim( $title, '-' );
It looks like sanitize_file_name()
already does steps 2 and 3, though perhaps too early, before the file name is separated from the extension.
So it might be a good idea to apply these steps to file names too.
#7
@
2 years ago
Thanks @SergeyBiryukov!
After taking a closer look at sanitize_file_name()
, this might be a little tricky.
Where steps 2 and 3 are performed, $filename
may still include one/more extensions. So replacing consecutive .
with -
could result in filename-png
.
I'm thinking if we replace consecutive .
with a single .
, that could work.
It means that ...file....name...png...
would become .file.name.png.
, then the trim()
you already pointed out would change this to file.name.png
Note: In reality, sanitize_file_name()
actually produces file.name_.png
- I believe the _
is added here, for some reason.
With the above regex, my test datasets pass, and the only failure I get for an existing test is:
Tests_Functions::test_wp_unique_filename
- "Failed crazy file name"
- Expected:
'12af34567890@..^_qwerty-fghjkl-zx.png'
- Actual:
'12af34567890@.^_qwerty-fghjkl-zx.png'
Which I think we could live with. 😅
I'll push up a PR for review along with the above, and leave the existing test failure in place as a reference.
This ticket was mentioned in PR #3723 on WordPress/wordpress-develop by @costdev.
2 years ago
#8
- Keywords has-patch has-unit-tests added; needs-patch removed
On some servers, consecutive periods in a filename can cause a 403 Forbidden response.
This change replaces consecutive periods with a single period.
Trac ticket: https://core.trac.wordpress.org/ticket/57242
arthurshlain commented on PR #3713:
2 years ago
#9
@mukesh27 commented on PR #3723:
2 years ago
#10
@costdev The unit tests fail, which must be fixed.
2 years ago
#11
@mukeshpanchal27 See the PR's description:
This PR has an expected test failure in Tests_Functions::test_wp_unique_filename(). If this PR's approach is supported, I'll update the failing test to facilitate this change in Core.
I'm keeping the test failure so that reviewers of this approach see that an existing test will need to change to facilitate this.
@mukesh27 commented on PR #3723:
2 years ago
#12
Thanks @costdev
This ticket was mentioned in Slack in #core by costdev. View the logs.
23 months ago
This ticket was mentioned in Slack in #core by costdev. View the logs.
22 months ago
#16
@
22 months ago
- Owner set to audrasjb
- Resolution set to fixed
- Status changed from new to closed
In 55209:
@audrasjb commented on PR #3723:
22 months ago
#17
Committed in https://core.trac.wordpress.org/changeset/55209
Some web-servers returns Forbidden error if filename contains redundant dot, like
filename..jpg
.Trac ticket: https://core.trac.wordpress.org/ticket/57242