[wp-trac] Re: [WordPress Trac] #9416: Better file name sanitization for wp_unique_filename
WordPress Trac
wp-trac at lists.automattic.com
Tue Apr 21 00:06:26 GMT 2009
#9416: Better file name sanitization for wp_unique_filename
-------------------------+--------------------------------------------------
Reporter: sivel | Owner: sivel
Type: enhancement | Status: assigned
Priority: normal | Milestone: 2.8
Component: Upload | Version: 2.7.1
Severity: normal | Keywords: needs-patch
-------------------------+--------------------------------------------------
Comment(by sivel):
What happens if someone downloads a file that was named on Windows to a
Mac or Nix box and cannot figure out how to delete the file because it has
a strange character? Or cannot download and save the file because the
file has characters that are illegal for other file systems?
Or the filename has a * in it and when the user deletes it from the file
system they take out more files than they intended?
Another case is if the file has all common delimiters for preg_* functions
and it becomes increasingly difficult for a plugin to do something.
Another case is if we allow backticks and we find out there is a
vulnerability that allows users to execute code.
Just a few things that I thought about when weighing the need to sanitize
in the first place.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/9416#comment:12>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
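The cases listed in the comment above (characters illegal on other file systems, a glob metacharacter like `*` that can widen a delete, the delimiters plugins hand to preg_*, and backticks) map directly onto a strip list. The following is an added example, not WordPress core code and not the ticket's patch: a stand-alone PHP sanitizer whose function name, character list and sample inputs are this example's own choices, not sanitize_file_name(). It also covers two related Windows caveats the comment does not mention explicitly, reserved device names and trailing dots/spaces, and strips path components so a name cannot escape the upload directory.

```php
<?php
/**
 * Added example (not WordPress core code): a filename sanitizer handling the
 * cases raised in the comment above. The function name, the character list
 * and the sample inputs below are this example's own assumptions.
 */
function example_sanitize_filename(string $name): string
{
    // Strip any directory part first, treating "\" as a separator too, so a
    // Windows-style "..\..\x.php" cannot smuggle in path components.
    $name = basename(str_replace('\\', '/', $name));

    // Remove control characters (NUL through 0x1F, DEL) outright.
    $name = preg_replace('/[\x00-\x1F\x7F]/', '', $name);

    // Characters to drop, covering the cases from the comment:
    //   Windows-illegal:        \ / : * ? " < > |
    //   shell / glob metachars: * ? [ ] { } $ ` ' ; & ( ) !
    //   common preg delimiters: / # ~ % @ ! =
    $drop = ['\\', '/', ':', '*', '?', '"', '<', '>', '|',
             '[', ']', '{', '}', '$', '`', "'", ';', '&', '(', ')',
             '#', '~', '%', '@', '!', '=', ','];
    $name = str_replace($drop, '', $name);

    // Whitespace runs become a single hyphen; runs of separators are squeezed
    // so ".." (special on Unix) never survives inside the name.
    $name = preg_replace('/\s+/', '-', $name);
    $name = preg_replace('/[-_.]{2,}/', '-', $name);

    // A leading dot hides the file on Unix; trailing dots and spaces are
    // silently dropped by Windows, which would defeat a uniqueness check.
    $name = trim($name, '-_. ');

    // Windows refuses reserved device names regardless of extension.
    $stem = strtoupper(pathinfo($name, PATHINFO_FILENAME));
    if (preg_match('/^(CON|PRN|AUX|NUL|COM[1-9]|LPT[1-9])$/', $stem)) {
        $name = '_' . $name;
    }

    // Never return an empty name; the caller appends its own unique suffix.
    return $name === '' ? 'file' : $name;
}

// Constructed sample inputs, one per case from the comment (plus the caveats).
$samples = [
    'report*.pdf',            // glob metacharacter   => report.pdf
    'photo:2009?.jpg',        // Windows-illegal chars => photo2009.jpg
    '`id`.txt',               // backticks            => id.txt
    'a#b~c%d@e.txt',          // preg_* delimiters    => abcde.txt
    '..\\..\\shell.php',      // traversal, "\" seps  => shell.php
    'CON.txt',                // reserved device name => _CON.txt
    ' .hidden.. ',            // leading dot, trailing dots/spaces => hidden
];
foreach ($samples as $s) {
    printf("%-22s => %s\n", json_encode($s), example_sanitize_filename($s));
}
```

Run it with `php example.php`. The strip list is deliberately a blocklist of known-bad characters rather than an allowlist of `[A-Za-z0-9._-]`, so that legitimate non-ASCII names survive; if a deployment only ever needs ASCII, inverting it to an allowlist is the simpler and safer choice.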