Properly handle query strings on image import to prevent security error

[ethanclevenger91]

If you're trying to import an image with a query string (such as from Placeholder.com using custom copy), WordPress says Sorry, this file type is not permitted for security reasons. because the query string makes it all the way to file name, so the file fails validation.

This PR strips the query string when passing it along, and only does the operation if the file is remote.

[danielbachhuber]

Thanks for the pull request @ethanclevenger91.

This PR strips the query string when passing it along, and only does the operation if the file is remote.

I don't think this is quite the right approach. These two images are technically different images:

• https://boygeniusreport.files.wordpress.com/2017/08/iphone-8-prototype-dummy-mkbhd-hands-on-video.jpg?quality=98&strip=all&w=552&h=550&crop=1
• https://boygeniusreport.files.wordpress.com/2017/08/iphone-8-prototype-dummy-mkbhd-hands-on-video.jpg?quality=98&strip=all&w=1000&h=550&crop=1

The correct approach would be to use the full URL with query strings. Is this possible?

[ethanclevenger91]

@danielbachhuber So the file that is ultimately copied is pulled with the query string intact, but yeah, if you ran both of those, they would have the same name in the WP media library (well, with -1 attached).

You could move the query string to before the file extension? Even if you could work around the validation, I worry having a query string at the end of the filename WordPress is importing may cause problems elsewhere (though nothing jumps to mind).

[danielbachhuber]

So the file that is ultimately copied is pulled with the query string intact, but yeah, if you ran both of those, they would have the same name in the WP media library (well, with -1 attached).

Oh. The query string remains intact, and the image is imported at two different resolutions?

[ethanclevenger91]

Exactly. So if I hit Placeholder.com for two images and pull, for example:

http://via.placeholder.com/350x150.jpg?text=Foo
http://via.placeholder.com/350x150.jpg?text=Bar

My media library gets two different images, one that says "Foo" and one that says "Bar". Their names reflected in the library, however, are:

350x150.jpg
350x150-1.jpg

[danielbachhuber]

@ethanclevenger91 Makes sense. This pull request is fine then.

Can you add some tests, please? We can use the placeholder service you mentioned for sample data.

[danielbachhuber]

Needs tests reflecting the changes.

[ethanclevenger91]

I'll get on this. Thanks!

…

On Mon, Aug 14, 2017, 10:26 AM Daniel Bachhuber ***@***.***> wrote: ***@***.**** requested changes on this pull request. Needs tests reflecting the changes. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#35 (review)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ACgInlKyl6Wenqtr1TWwqAJTxDaRwFDFks5sYINXgaJpZM4Oz4Jf> .

[ethanclevenger91]

Wait, where are existing tests?

[schlessera]

@ethanclevenger91 The existing media import tests are here: https://github.com/wp-cli/media-command/blob/master/features/media-import.feature

[danielbachhuber]

Thanks for your work on this @ethanclevenger91 !