[BUG] Unable to delete timelapse from UI when filename contains parenthesis

[jneilliii]

1. What were you doing?
   Trying to delete timelapse mpg within web UI.
2. What did you expect to happen?
   For the file to delete and remove from list in UI.
3. What happened instead?
   File remained on filesystem and in web UI.
4. Branch & Commit or Version:
   Version: 1.2.0-dev-404-gb0805a9 (devel branch)
5. Printer model & used firmware incl. version
   N/A
6. Link to octoprint.log on gist.github.com or pastebin.com:
   No log entries added to octoprint.log
7. Link to contents of terminal tab on gist.github.com or pastebin.com:
   N/A

After investigating the issue it appears to be related to parenthesis in the filename. If there aren't any parenthesis in the filename the operation works as expected. Running dev branch on raspbian OS wheezy version 7.

I love cookies

[jneilliii]

Just verified that after renaming the file to exclude parenthesis via the console the file deleted as expected.

[jneilliii]

Issue does not exist on the filemanager on the main front page where the stl and gcode files live.

[derpicknicker1]

I can confirm this bug. I tested it with my Version: 1.2.0-dev-405-gf52afb8-dirty (devel branch).
It seems like werkzeug.utils.secure_filename causes this.
You find it in server/api/timelapse.py on line 53:

secure = os.path.join(settings().getBaseFolder("timelapse"), secure_filename(filename))

Updating the line to

secure = os.path.join(settings().getBaseFolder("timelapse"), filename)

will make it work. But i'm not sure if it's the best idea to leave out the secure_filename(). Otherwise, the filenames for timelapses are taken from the *.gcode files. So i think they will allready be safe?!

[foosel]

They will, but input validation is still necessary here. I'll fix it to properly check that no directory traversal happens here, but that should be enough.

[foosel]

Fixed in devel