[wp-trac] [WordPress Trac] #42437: Thumbnails can overwrite other uploads if filename matches
WordPress Trac
noreply at wordpress.org
Wed May 16 15:23:04 UTC 2018
#42437: Thumbnails can overwrite other uploads if filename matches
--------------------------+-----------------------------
Reporter: Viper007Bond | Owner: (none)
Type: defect (bug) | Status: new
Priority: normal | Milestone: Future Release
Component: Upload | Version: 4.8.3
Severity: normal | Resolution:
Keywords: needs-patch | Focuses:
--------------------------+-----------------------------
Comment (by joemcgill):
> How would such a hash be any better than the -1, -2, etc that
> wp_unique_filename() adds?
For intermediate image file names, I think it makes sense to try to keep
the names for all images in a set consistent. In this case, the issue is
that one of the intermediate size names generated by WP is conflicting
with the name of an original file that was uploaded to the server. We
could append a -1 only to the intermediate size that has the conflict, but
then you end up with a set of images like:
- filename.jpg
- filename-150x150.jpg
- ''filename-300x400-1.jpg''
- filename-600x800.jpg
- etc.
If we wanted consistent names, we would first need to loop through all
names that are going to be created and check if any of those files already
exist on the server before we generate the intermediate image files.
> How about my other idea: if the original file name ends with something
> like -600x800.jpg rename it and append -1, -2, etc. the same way we do for
> all other naming conflicts in WP.
My main concern with this approach is that there are too many
unpredictable reasons people might have for intentionally naming files
which match this pattern, and renaming files, as opposed to appending a
-1, -2, etc. seems more destructive.
I recommend a hash (or similar) approach for intermediate image file names
because it would fulfill the following requirements:
1. Modify intermediate image file names rather than original file names to
avoid collisions, since those files are generated by WP.
2. Ensure originality without the need to calculate and check for
collisions during the process of generating intermediate images (a process
that is already long-running and resource intensive on shared hosting,
which can cause failures. See #40439).
3. Keep names of all intermediate image sizes in a set consistent so we
can use pattern matching to detect the difference between an image that is
part of an autogenerated set and ones that have been manually cropped in
the WP media editor (important when calculating sources for `srcset`).
4. Use a naming convention that is predictable so the same file names will
be created when someone regenerates image sizes as would be created during
the original upload process.
It's also worth noting that WordPress already uses hashes in filenames if
someone has the `IMAGE_EDIT_OVERWRITE` constant set to `false`. See
[https://github.com/WordPress/WordPress/blob/4.9.5/wp-admin/includes/image-edit.php#L807-L837 wp_save_image()].
--
Ticket URL: <https://core.trac.wordpress.org/ticket/42437#comment:21>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
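
The collision and the hashed-name idea from the comment above, as an added example that is not WordPress core code or the commenter's patch. The function names and the token format (first 8 hex characters of SHA-256 over the original file name) are assumptions, and the uploads list is constructed sample data.

```php
<?php
// Added illustration only; names and token format are hypothetical.
// Assumes every file name has an extension.

/** Current-style intermediate name: filename-300x400.jpg */
function plain_size_name(string $file, int $w, int $h): string {
    $p = pathinfo($file);
    return "{$p['filename']}-{$w}x{$h}.{$p['extension']}";
}

/** Hypothetical hashed intermediate name: filename-<token>-300x400.jpg */
function hashed_size_name(string $file, int $w, int $h): string {
    $p = pathinfo($file);
    // The token depends only on the original's name, so every size in the
    // set shares it and regenerating sizes reproduces the same names.
    $token = substr(hash('sha256', $file), 0, 8);
    return "{$p['filename']}-{$token}-{$w}x{$h}.{$p['extension']}";
}

/** True when $candidate matches the generated-set pattern for $original. */
function is_generated_size(string $original, string $candidate): bool {
    $p = pathinfo($original);
    $token = substr(hash('sha256', $original), 0, 8);
    $re = '/^' . preg_quote("{$p['filename']}-{$token}-", '/')
        . '\d+x\d+\.' . preg_quote($p['extension'], '/') . '$/';
    return preg_match($re, $candidate) === 1;
}

// Constructed sample: two separate uploads already on disk.
$uploads = ['filename.jpg', 'filename-300x400.jpg'];
$sizes   = [[150, 150], [300, 400], [600, 800]];

foreach ($sizes as [$w, $h]) {
    $plain  = plain_size_name('filename.jpg', $w, $h);
    $hashed = hashed_size_name('filename.jpg', $w, $h);
    // Flag any generated name that would land on an existing upload.
    printf("%-22s %-10s %-32s %s\n",
        $plain,  in_array($plain, $uploads, true)  ? 'OVERWRITE' : 'ok',
        $hashed, in_array($hashed, $uploads, true) ? 'OVERWRITE' : 'ok');
}

// The separate upload is not mistaken for a member of the generated set.
var_dump(is_generated_size('filename.jpg', 'filename-300x400.jpg'));
var_dump(is_generated_size('filename.jpg', hashed_size_name('filename.jpg', 300, 400)));
```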