Joomla! Issue Tracker | Joomla! CMS #33214 - [4.0 / 4.1] File Upload in Media Manager doesn't sanitize filenames (RFC)

Closed
22 Apr 2021
Medium
Build: staging
# 33214

particthistle
21 Apr 2021

Request for comment

Should the media manager sanitize file names to take spaces out of the filenames to prevent potential issues displaying files uploaded to a Joomla site?

Is sanitizing filenames considered better practice? Better Security?

In addition to swapping spaces with underscores, there should be a range of other factors checked, including but not limited to:

filenames starting with . can't be uploaded (hidden files)
* ? " / \ [ ] : ; | < > , - all are characters that shouldn't be in filenames on various file systems.

Steps to reproduce the issue

Upload a file in the media manager that has a space.

Expected result

If the filename gets sanitized, then spaces would be replaced with an underscore.

Actual result

The file uploads, but still has the space in the file name.

Additional Comments

Discussion here should also follow through to impact the solution implemented for #33213
#33179 is related in that sanitizing extensions to lowercase might be able to be done here also.

particthistle - open - 21 Apr 2021

joomla-cms-bot - change - 21 Apr 2021

Labels

Added: ?

joomla-cms-bot - labeled - 21 Apr 2021

ReLater - comment - 21 Apr 2021

filenames starting with . can't be uploaded (hidden files)

I don't see any valid reason to forbid these files.

In addition to swapping spaces with underscores

ditto

particthistle - comment - 21 Apr 2021

@ReLater your feedback is why I've made this an RFC.

Uploading . files via the media manager doesn't make sense if they're going to proceed to vanish in the media manager.

particthistle - change - 21 Apr 2021

The description was changed

particthistle - edited - 21 Apr 2021

richard67 - comment - 21 Apr 2021

@particthistle Please test again with the latest 4.0 nightly build from tonight. Yesterday a change on the FilePath validation rule has been merged up from staging/3.10-dev into 4.0-dev with this commit: 8aefc2e . The change comes from this PR: #32718 .

This might change stuff related to this and your other issue about filenames. That doesn't mean it will fix the issues, but it might change details for the description of symptoms.

brianteeman - comment - 21 Apr 2021

? " / \ [ ] : ; | < > , - all are characters that shouldn't be in filenames on various file systems.

If you can't create them on your local filesystem then their is nothing we need to do. There is no point in creating a rule to prevent you uploading something that cannot exist.

Or am I missing something?

Is sanitizing filenames considered better practice? Better Security?

There really is no need that I can see in 2021 to replace a space in the name of an image. An issue would only ever occur if the file was referenced unquoted. But as it is always quoted in Joomla then there is no problem. The only possible problem would be if you wanted to open an image with a filename directly in the browser address bar but that would be something unrelated to Joomla.

particthistle - change - 22 Apr 2021

Status	New	⇒	Closed
Closed_Date	0000-00-00 00:00:00	⇒	2021-04-22 00:28:57
Closed_By		⇒	particthistle

particthistle - close - 22 Apr 2021

particthistle - comment - 22 Apr 2021

Closing this one based on comments and further testing.

Media manager already prevents uploading . files, however the error returned is basic and doesn't tell the user why:

As there's a low probability of people trying to upload a . file via the media manager, this may be sufficient, otherwise a different issue needs to be raised to improve the messaging.
As @brianteeman pointed out, filename references are always quoted in joomla, so spaces in filenames are not an issue.
Will now modify #33213 to focus on changing the functionality of the upload vs sanitizing filenames.

Add a Comment

Older
Newer

Joomla! Issue Tracker - CMS