[wp-trac] [WordPress Trac] #42437: Thumbnails can overwrite other uploads if filename matches

WordPress Trac noreply at wordpress.org
Tue May 15 21:59:13 UTC 2018 

#42437: Thumbnails can overwrite other uploads if filename matches
--------------------------+-----------------------------
 Reporter:  Viper007Bond  |       Owner:  (none)
     Type:  defect (bug)  |      Status:  new
 Priority:  normal        |   Milestone:  Future Release
Component:  Upload        |     Version:  4.8.3
 Severity:  normal        |  Resolution:
 Keywords:  needs-patch   |     Focuses:
--------------------------+-----------------------------

Comment (by pbiron):

 I bumped into the problem behind this ticket yesterday while debugging a
 func I wrote to hook into
 [[https://developer.wordpress.org/reference/hooks/attachment_url_to_postid/|attachment_url_to_postid]],
 in an attempt to get around the problem of
 [[https://developer.wordpress.org/reference/functions/attachment_url_to_postid/|attachment_url_to_postid()]]
 not finding the attachment ID if the URL is for an intermediate size of
 the upload (I starting writing that func since there has been no movement
 on #41816, my attempt to fix that problem...which I opened 8 mos ago).

 In particular, after uploading `foo.jpg`, I did
 {{{
 function my_attachment_url_to_postid_filter( $url ) {
     if ( $post_id ) {
         // attachment already found, so return it
         return $post_id;
     }

     // the following is simplified from my actual func, for clarity

     // strip any dimensions from the URL and try
 attachment_url_to_postid() again
     $modified_url = preg_replace( '/-\d+-\d+(?=\..*$)'/, '', $url );

     remove_filter( 'attachment_url_to_postid', __FUNCTION__, 10 );
     $post_Id = attachment_url_to_postid( $modified_url );
     add_filter( 'attachment_url_to_postid', __FUNCTION__, 10, 2 );

     return $post_id;
 }
 add_filter( 'attachment_url_to_postid',
 'my_attachment_url_to_postid_filter', 10, 2 );

 $id = attachment_url_to_postid( 'http://host/wp-content/uploads/foo.jpg'
 );
 $id_for_intermediate = attachment_url_to_postid( 'http://host/wp-
 content/uploads/foo-150x150.jpg' );
 // $id should now be === $id_for_intermediate
 }}}

 only to find out that `$id_for_intermediate` was the ID for a previously
 uploaded file named `foo-150x150.jpg`.  That is, the `if ( $post_id ) {}`
 test at the top of my filter func was succeeding because there was an
 unknown to me attachment with `_wp_attached_file` postmeta with
 `meta_value = 'foo-150x150.jpg'`) :-(

 So, in addition to the serious data loss issue of previous uploads being
 overwritten identified in this ticket, the name collision problems between
 original image filenames and generated intermediate size filenames can
 have other undesirable "downstream" effects.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/42437#comment:12>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

More information about the wp-trac mailing list