-
Notifications
You must be signed in to change notification settings - Fork 672
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix(files): mitigate issues with special chars in file names #10673
Conversation
(tests were failing because base64 was putting "+" in the URL. Base64URL fixes this.) |
// Using special characters to test against files that have been | ||
// uploaded prior to implementation of filename sanitization | ||
// See #10608 | ||
$file->setFilename("foo'baž.txt"); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think filesystem name mapping issues are causing the tests to not find this file, so I'm going to try reading the name from disk.
6dd4aaf
to
e89ec07
Compare
$file->setFilename('foo'); | ||
$dir = dirname($file->getFilenameOnFilestore()); | ||
$files = glob("$dir/bing*"); | ||
$filename = basename($files[0]); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I should just create the file here and clean up after.
e89ec07
to
8a9dd15
Compare
Relative paths to files that contain special characters in the name will now be encoded with base64 to avoid malformatted URLs and HMAC mismatches resulting from unescaped characters. URLs generated prior to this change will continue working. Refs Elgg#10608
8a9dd15
to
4a7b74e
Compare
@@ -106,6 +108,12 @@ public function getURL() { | |||
return false; | |||
} | |||
|
|||
if (preg_match('~[^a-zA-Z0-9_\./ ]~', $relative_path)) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Changed this because \w
may match multibyte chars depending on locale
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I am sure we will be dealing with some hickups in the future, so as long as we get most of the craziness covered, I can live with it.
Relative paths to files that contain special characters in the name will now be encoded with base64 to avoid malformatted URLs and HMAC mismatches resulting from unescaped characters. URLs generated prior to this change will continue working.
Refs #10608