[wp-trac] [WordPress Trac] #54078: Underscore appended to media file on upload

WordPress Trac noreply at wordpress.org
Fri Jun 27 11:46:54 UTC 2025


#54078: Underscore appended to media file on upload
---------------------------+------------------------------
 Reporter:  spielautomat4  |       Owner:  (none)
     Type:  defect (bug)   |      Status:  closed
 Priority:  normal         |   Milestone:  Awaiting Review
Component:  Upload         |     Version:  5.8
 Severity:  normal         |  Resolution:  wontfix
 Keywords:  dev-feedback   |     Focuses:  administration
---------------------------+------------------------------
Changes (by callumbw95):

 * status:  new => closed
 * resolution:   => wontfix


Comment:

 Hi All,
 I have just taken a look into this, and it looks like the code hasn't
 changed around this from 5.8 to 6.8. I believe this is intended behaviour,
 as appending the underscore at the end of the filename stops potential
 security risks:
 == The Security Risk: Double Extension Attacks 🦹
 The primary threat is a malicious file disguised as a safe one. An
 attacker might upload a file named something like `my-image.php.jpg`.

 **The Intent:** The attacker hopes the system will validate the file based
 on the final `.jpg` extension and classify it as a harmless image.

 **The Danger:** However, some web servers (particularly older or
 misconfigured Apache servers) can be tricked. They might ignore the final
 `.jpg` and interpret the file based on the `.php` extension, allowing it
 to be executed as a server-side script. This would let the attacker run
 malicious code on your server.

 == The Solution: Neutralizing the Threat 🛡️
 By programmatically inserting an underscore before the final extension,
 the system effectively defuses this threat.

 Let's see how our example filename is transformed:

 - Original Malicious Filename: `my-image.php.jpg`
 - Sanitized Filename: `my-image.php_.jpg`

 The sanitization logic identifies the potentially harmful `.php` part and
 changes it to `.php_`. This simple change completely breaks the attack
 vector. The server will no longer recognize `.php_` as a valid executable
 extension. It will now only see the final, safe `.jpg` extension and treat
 the file correctly as an image.

 In short, placing an underscore in that specific location surgically
 neutralizes the dangerous part of the filename without changing the final
 file type that the system and user expect. It's a targeted security fix
 for a well-known vulnerability.

 As such I don't believe we should change this functionality and instead
 this ticket can be closed. However if you do have any comments or would
 like to reopen the conversation please do.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/54078#comment:5>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
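The transformation described in the comment above, as an added stand-alone example that is not WordPress's own code and not part of the ticket: a small Python re-implementation of the same idea behind WordPress's `sanitize_file_name()`. It walks the dot-separated parts between the base name and the final extension and appends an underscore to any part that looks like an extension but is not on an allow-list. The allow-list, the "looks like an extension" pattern and the sample filenames are constructed for this example; the second function shows how the same logic doubles as a detection check when auditing files that reached the uploads directory by some other route. Note that `report.final.v2.pdf` also gets an underscore, which is exactly the side effect the ticket reporter noticed.

```python
import re

# Constructed allow-list for this example: extensions a typical upload
# handler accepts. WordPress consults its own allowed MIME type map;
# this set is an assumption standing in for it.
ALLOWED_EXTENSIONS = {
    "jpg", "jpeg", "jpe", "gif", "png", "webp", "pdf", "txt", "csv", "zip",
    "doc", "docx", "xls", "xlsx", "ppt", "pptx", "mp3", "mp4", "tar", "gz",
}

# Constructed pattern for a segment that "looks like" a file extension:
# 2-5 letters optionally followed by one digit (e.g. "php", "php7", "phtml").
_EXT_LIKE = re.compile(r"^[a-zA-Z]{2,5}\d?$")


def neutralize_double_extensions(filename, allowed=ALLOWED_EXTENSIONS):
    """Return (sanitized_name, list_of_parts_that_were_changed).

    Every dot-separated part between the base name and the final extension
    that looks like an extension and is not on the allow-list gets an
    underscore appended, so "my-image.php.jpg" becomes "my-image.php_.jpg".
    The final extension is left as-is; validating it is a separate step.
    """
    parts = filename.split(".")
    if len(parts) < 3:  # no intermediate part, nothing to neutralize
        return filename, []

    base, *middle, final_ext = parts
    changed = []
    out = [base]
    for part in middle:
        if _EXT_LIKE.match(part) and part.lower() not in allowed:
            out.append(part + "_")
            changed.append(part)
        else:
            out.append(part)
    out.append(final_ext)
    return ".".join(out), changed


def has_risky_intermediate_extension(filename, allowed=ALLOWED_EXTENSIONS):
    """Detection helper: True when a stored filename would have needed the
    underscore treatment, i.e. it carries an intermediate extension-like
    part that is not on the allow-list. Useful for auditing an existing
    uploads directory that was filled by a path other than the media uploader."""
    _, changed = neutralize_double_extensions(filename, allowed)
    return bool(changed)


if __name__ == "__main__":
    # Constructed sample names: two that get neutralized, one that shows the
    # benign-name side effect from the ticket, and three that stay unchanged.
    for name in ["my-image.php.jpg", "script.phtml.png", "report.final.v2.pdf",
                 "archive.tar.gz", "photo.jpg", "notes.2024.txt"]:
        sanitized, changed = neutralize_double_extensions(name)
        flag = "RISKY" if changed else "ok"
        print(f"{name:24} -> {sanitized:26} [{flag}]")
```

The trade-off the ticket is about is visible in the output: the check cannot distinguish `final` in `report.final.v2.pdf` from `php` in `my-image.php.jpg` without an allow-list entry, so any extension-shaped middle part that is not explicitly allowed is treated as suspect. Widening the allow-list loosens the check; the safer fix for a site that dislikes the underscore is to rename files before upload rather than relax the rule.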

