[wp-trac] Re: [WordPress Trac] #9416: Better file name sanitization for wp_unique_filename
WordPress Trac
wp-trac at lists.automattic.com
Tue Apr 21 00:11:16 GMT 2009
#9416: Better file name sanitization for wp_unique_filename
-------------------------+--------------------------------------------------
Reporter: sivel | Owner: sivel
Type: enhancement | Status: assigned
Priority: normal | Milestone: 2.8
Component: Upload | Version: 2.7.1
Severity: normal | Keywords: needs-patch
-------------------------+--------------------------------------------------
Comment(by Denis-de-Bernardy):
Replying to [comment:12 sivel]:
> What happens if someone downloads a file that was named on Windows to a
> Mac or Nix box and cannot figure out how to delete the file because it had
> a strange character. Or cannot download and save the file because the
> file has characters that are illegal for other file systems?
that is why I remove the slashes
> Or the filename has a * in it and when the user deletes it from the
> file system they take out more files than they intended?
these are escaped by file handling functions
> Another case is if the file has all common delimiters for preg_*
> functions and it becomes increasingly difficult for a plugin to do
> something.
that's what preg_quote() is for
> Another case is we allow backticks and we find out there is a
> vulnerability that allows users to execute code.
it gets escaped by file handling functions too
> Just a few things that I thought about when weighing the needs to
> sanitize in the first place.
you're right on paper, but we're being a bit too overzealous here.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/9416#comment:13>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
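The filename-handling points argued in the comment above, as an added PHP example that is not part of the ticket, the commenter's patch or WordPress core; function names and sample values are constructed, and the `*` check assumes a POSIX filesystem where `*` is a legal filename character:

```php
<?php
// Added example (not WordPress core code, not the commenter's patch): a small
// sanitizer that removes only what breaks path handling, plus checks for the
// points argued in the thread. Function names and sample values are constructed.

// Remove directory separators and control characters (including NUL), which
// cannot appear in a legitimate upload name and can change where a path points.
function sanitize_upload_filename( $name ) {
    $name = str_replace( array( '/', '\\' ), '', $name );
    $name = preg_replace( '/[\x00-\x1F\x7F]/', '', $name );
    return $name === '' ? 'file' : $name;
}

// A plugin that matches a stored name with preg_* must quote it; otherwise
// "photo*.jpg" is read as a pattern and matches names it should not.
function filename_matches( $stored, $candidate ) {
    return preg_match( '#^' . preg_quote( $stored, '#' ) . '$#', $candidate ) === 1;
}

// Filesystem calls such as unlink() take the name literally; no glob expansion
// happens, so deleting "photo*.jpg" leaves "photo1.jpg" untouched. Glob
// characters only matter once a name is interpolated into a shell command,
// which is what escapeshellarg() exists for.
function unlink_is_literal() {
    $dir = sys_get_temp_dir() . '/fn_demo_' . getmypid();
    mkdir( $dir );
    touch( $dir . '/photo*.jpg' );
    touch( $dir . '/photo1.jpg' );
    unlink( $dir . '/photo*.jpg' );
    $sibling_survived = file_exists( $dir . '/photo1.jpg' );
    unlink( $dir . '/photo1.jpg' );
    rmdir( $dir );
    return $sibling_survived;
}

var_dump( sanitize_upload_filename( "photo/../name\0.jpg" ) );
var_dump( filename_matches( 'photo*.jpg', 'photo*.jpg' ) );
var_dump( filename_matches( 'photo*.jpg', 'photoooo.jpg' ) );
var_dump( unlink_is_literal() );
var_dump( escapeshellarg( 'photo*.jpg' ) );
```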