[wp-trac] Re: [WordPress Trac] #9416: Better file name sanitization for wp_unique_filename
WordPress Trac
wp-trac at lists.automattic.com
Mon Apr 20 23:58:28 GMT 2009
#9416: Better file name sanitization for wp_unique_filename
-------------------------+--------------------------------------------------
Reporter: sivel | Owner: sivel
Type: enhancement | Status: assigned
Priority: normal | Milestone: 2.8
Component: Upload | Version: 2.7.1
Severity: normal | Keywords: needs-patch
-------------------------+--------------------------------------------------
Comment(by Denis-de-Bernardy):
@Sivel: Granted. But there isn't any need to sanitize beyond that.
For what it's worth, I've a (heavily used) plugin that deals with file
names to name podcasts, and the only sanitization I did was to remove
(forward- and back-) slash characters. The rest (including forbidden
characters) I found were irrelevant in practice, since they get escaped by
file_exists() et al anyway. So basically, there really isn't any issue I can
think of that should disallow the likes of:
{{{
$file_name = 'foo%&#$?\|\'"~!@*bar.mp3';
}}}
as long as it gets urlencoded, it not only works fine in flv players
(which are messy in their own right), but also works fine in the browser
without the slightest (barring PHP bugs of course) security problem.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/9416#comment:11>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
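The sanitization approach described in the comment above (strip forward and back slashes, then URL-encode the name when building a link), written out as an added example. This is not code from the ticket author and not WordPress core's own `sanitize_file_name()`; the function names `minimal_sanitize_file_name` and `url_for_upload` and the sample inputs are constructed for illustration. Beyond the slashes the comment mentions, it also drops NUL bytes and leading dots, two cases a reviewer of upload handling would want covered.

```php
<?php
// Added example, not WordPress core code and not the ticket author's plugin.
// Function names and sample inputs below are constructed for this example.

function minimal_sanitize_file_name(string $name): string {
    // Remove path separators so the name stays inside the upload directory.
    $name = str_replace(['/', '\\'], '', $name);
    // Remove NUL bytes, which terminate the path in the underlying C calls.
    $name = str_replace("\0", '', $name);
    // Drop leading dots so neither ".." nor a hidden dotfile name is produced.
    $name = ltrim($name, '.');
    // Trim surrounding whitespace; fall back to a fixed name if nothing is left.
    $name = trim($name);
    return $name === '' ? 'file' : $name;
}

function url_for_upload(string $baseUrl, string $name): string {
    // rawurlencode() percent-encodes every reserved byte (%, &, #, ?, ' and
    // so on), so the full filename survives as a single URL path segment,
    // which is the "as long as it gets urlencoded" condition from the comment.
    return rtrim($baseUrl, '/') . '/' . rawurlencode($name);
}

// Constructed inputs: the filename quoted in the comment, plus one that mixes
// in path separators and a NUL byte to show those are stripped.
$samples = [
    'foo%&#$?\|\'"~!@*bar.mp3',
    "../..\\uploads/\0evil.mp3",
];

foreach ($samples as $raw) {
    $clean = minimal_sanitize_file_name($raw);
    printf("raw:   %s\nclean: %s\nurl:   %s\n\n",
        addcslashes($raw, "\0..\37"),   // make control bytes visible
        $clean,
        url_for_upload('https://example.invalid/wp-content/uploads', $clean));
}
```

The first sample keeps all of its punctuation after sanitization, matching the comment's claim that those characters are harmless once the name is percent-encoded; the second collapses to `uploadsevil.mp3`, with the separators, the NUL byte and the leading dots removed.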