[wp-trac] [WordPress Trac] #42437: Thumbnails can overwrite other uploads if filename matches

WordPress Trac noreply at wordpress.org
Sun Dec 1 23:49:03 UTC 2019


#42437: Thumbnails can overwrite other uploads if filename matches
--------------------------+-----------------------
 Reporter:  Viper007Bond  |       Owner:  pbiron
     Type:  defect (bug)  |      Status:  assigned
 Priority:  normal        |   Milestone:  5.3.1
Component:  Upload        |     Version:  4.8.3
 Severity:  normal        |  Resolution:
 Keywords:  needs-patch   |     Focuses:
--------------------------+-----------------------

Comment (by azaozz):

 Replying to [comment:30 pbiron]:
 > @azaozz I'm working on a revised patch for this.
 >
 > Where do you think is the best place to do this "extra" collision
 > detection?

 Been thinking about this for a while. Not sure it can use `glob()` as the
 PHP manual warns that:

  Note: This function will not work on remote files as the file to be
 examined must be accessible via the server's filesystem.

 Can try to generate a list of "reserved parts" of image file names. For
 that it will need access to the actual file, then it can use
 `getimagesize( $file )` to get the image dimensions,
 `wp_get_registered_image_subsizes()`, and `image_resize_dimensions()` to
 get the exact `123x456` part. Then we can still use `file_exists()` or
 `is_file()` that support remote files.

 Looks like that will work, but may be a bit fragile? May also result in
 some false positives.

 I like the idea @joemcgill described in [#comment:21 comment 21]. But
 appending a hash only to sub-sizes will prevent the possibility to "get"
 the attachment ID from an image URL, see #48453. Perhaps a short hash (6-8
 letters/numbers) could be added to the original file name instead of the
 `-1`, `-2`, etc?

 For where/how to do this, there seem to be a couple of possibilities:

 1. Use the existing mechanism to pass `$unique_filename_callback` to
 `wp_unique_filename()`. This will work for the default uploading
 functions, for example `media_handle_upload()`, but will require some
 changes to them (5-6 places as far as I see). The downside is that it will
 not work for plugins using the same functions.

 2. Include it in `wp_unique_filename()`. This may result in "false
 positives" when generating file names, but generally will have better
 backwards compatibility.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/42437#comment:31>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
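An added example sketching option 2 from the comment above; it is not the ticket's patch or WordPress core code. The size table and `resized_dims()` are simplified stand-ins for `wp_get_registered_image_subsizes()` and `image_resize_dimensions()`, and the `$exists` callback stands in for `file_exists()`, so the check works the same against a remote filesystem.

```php
<?php
// Added example, not the ticket's patch: treat the "-WxH" names the sub-sizes
// of an upload would claim as already taken when picking a unique file name.
// Stand-in for wp_get_registered_image_subsizes(): [width, height, crop].
const REGISTERED_SIZES = [
    'thumbnail'    => [150, 150, true],
    'medium'       => [300, 300, false],
    'medium_large' => [768, 0, false],
    'large'        => [1024, 1024, false],
];

// Simplified stand-in for image_resize_dimensions(): [w, h], or null when no
// sub-size would be generated because it would not be smaller than the original.
function resized_dims(int $ow, int $oh, int $dw, int $dh, bool $crop): ?array {
    if ($crop) {
        $w = $dw ? min($dw, $ow) : 0;
        $h = $dh ? min($dh, $oh) : 0;
        if (!$w) $w = (int) round($h * $ow / $oh); // fill a 0 edge from the aspect ratio
        if (!$h) $h = (int) round($w * $oh / $ow);
        return ($w >= $ow && $h >= $oh) ? null : [$w, $h];
    }
    $ratio = min($dw ? $dw / $ow : 1, $dh ? $dh / $oh : 1); // fit inside dw x dh, 0 = unbounded
    return $ratio >= 1 ? null : [(int) round($ow * $ratio), (int) round($oh * $ratio)];
}

// Every file name the sub-sizes of "$name.$ext" would be written to.
function reserved_names(string $name, string $ext, int $w, int $h): array {
    $out = [];
    foreach (REGISTERED_SIZES as [$dw, $dh, $crop]) {
        if ($d = resized_dims($w, $h, $dw, $dh, $crop)) {
            $out["$name-{$d[0]}x{$d[1]}.$ext"] = true; // keyed to drop duplicate WxH
        }
    }
    return array_keys($out);
}

// Mirrors the -1, -2, ... loop of wp_unique_filename(), but a base name is also
// taken when any of its reserved sub-size names exists. $exists stands in for file_exists().
function unique_base_name(string $name, string $ext, int $w, int $h, callable $exists): string {
    for ($n = 0, $cand = $name; ; $cand = "$name-" . ++$n) {
        if (!$exists("$cand.$ext") && !array_filter(reserved_names($cand, $ext, $w, $h), $exists)) {
            return $cand;
        }
    }
}

// Constructed disk state: someone already uploaded a file literally named photo-150x150.jpg,
// so a 2000x1500 "photo.jpg" must not be allowed to regenerate that thumbnail over it.
$disk = ['photo-150x150.jpg' => true];
echo unique_base_name('photo', 'jpg', 2000, 1500, fn ($f) => isset($disk[$f])), "\n";
```

With that disk state the loop rejects `photo`, because its thumbnail name is taken, and settles on `photo-1`; a file that only happens to be named like a sub-size therefore blocks the base name, which is the "false positive" trade-off the comment mentions.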