Properly handle query strings on image import to prevent security error #35
Conversation
Thanks for the pull request @ethanclevenger91.
I don't think this is quite the right approach. These two images are technically different images:
The correct approach would be to use the full URL with query strings. Is this possible?
@danielbachhuber So the file that is ultimately copied is pulled with the query string intact, but yeah, if you ran both of those, they would have the same name in the WP media library (well, with You could move the query string to before the file extension? Even if you could work around the validation, I worry having a query string at the end of the filename WordPress is importing may cause problems elsewhere (though nothing jumps to mind).
Oh. The query string remains intact, and the image is imported at two different resolutions?
Exactly. So if I hit Placeholder.com for two images and pull, for example:
My media library gets two different images, one that says "Foo" and one that says "Bar". Their names reflected in the library, however, are:
@ethanclevenger91 Makes sense. This pull request is fine then. Can you add some tests, please? We can use the placeholder service you mentioned for sample data.
Needs tests reflecting the changes.
I'll get on this. Thanks!
On Mon, Aug 14, 2017, 10:26 AM Daniel Bachhuber ***@***.***> wrote:
***@***.**** requested changes on this pull request.
Needs tests reflecting the changes.
Wait, where are existing tests?
@ethanclevenger91 The existing media import tests are here: https://github.com/wp-cli/media-command/blob/master/features/media-import.feature
Thanks for your work on this @ethanclevenger91 !
Handle query strings on URL import.
If you're trying to import an image with a query string (such as from Placeholder.com using custom copy), WordPress says
Sorry, this file type is not permitted for security reasons.
because the query string makes it all the way to the file name, so the file fails validation. This PR strips the query string when passing it along, and only does the operation if the file is remote.
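The failure and the fix described in this PR, as an added PHP example written for this page (it is not the media-command code; a small extension allowlist stands in for WordPress' own upload check, and the sample URLs are constructed):

```php
<?php
// Added example, not code from wp-cli/media-command. It reproduces the
// behaviour the PR describes: a query string that survives into the file
// name fails the extension check, and stripping it (for remote URLs only)
// lets the same file pass validation.

// Stand-in for WordPress' permitted upload extensions (assumption).
const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif'];

function is_remote(string $path): bool {
    $scheme = parse_url($path, PHP_URL_SCHEME);
    return in_array(strtolower((string) $scheme), ['http', 'https'], true);
}

// Derive the name WordPress will validate. Local paths are left untouched;
// remote URLs have their query string and fragment dropped when requested.
function import_file_name(string $path, bool $strip_query): string {
    if ($strip_query && is_remote($path)) {
        $url_path = parse_url($path, PHP_URL_PATH);
        $path = is_string($url_path) ? $url_path : '';
    }
    return basename($path);
}

// Stand-in for the "not permitted for security reasons" check: the extension
// is everything after the last dot, so "150.png?text=Foo" yields "png?text=Foo".
function extension_permitted(string $file_name): bool {
    $ext = strtolower(pathinfo($file_name, PATHINFO_EXTENSION));
    return in_array($ext, ALLOWED_EXTENSIONS, true);
}

// Constructed sample URLs in the style of the placeholder service from the thread.
$urls = [
    'https://placeholder.example/350x150.png?text=Foo',
    'https://placeholder.example/350x150.png?text=Bar',
];

foreach ($urls as $url) {
    $raw      = import_file_name($url, false);   // "350x150.png?text=Foo" -> rejected
    $stripped = import_file_name($url, true);    // "350x150.png"          -> ok
    printf("raw=%s (%s) stripped=%s (%s)\n",
        $raw, extension_permitted($raw) ? 'ok' : 'rejected',
        $stripped, extension_permitted($stripped) ? 'ok' : 'rejected');
}

// Caveat raised in the review: both URLs collapse to 350x150.png, so the
// second import collides with the first in the media library.
$names = array_map(fn($u) => import_file_name($u, true), $urls);
echo count(array_unique($names)) === 1 ? "name collision\n" : "distinct names\n";
```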