particthistle
21 Apr 2021

Request for comment

Should the media manager sanitize file names to take spaces out of the filenames to prevent potential issues displaying files uploaded to a Joomla site?

Is sanitizing filenames considered better practice? Better Security?

In addition to swapping spaces with underscores, there should be a range of other factors checked, including but not limited to:

Steps to reproduce the issue

Upload a file in the media manager that has a space.

Expected result

If the filename gets sanitized, then spaces would be replaced with an underscore.

Actual result

The file uploads, but still has the space in the file name.

Additional Comments

Discussion here should also follow through to impact the solution implemented for #33213
#33179 is related in that sanitizing extensions to lowercase might be able to be done here also.

particthistle - open - 21 Apr 2021
joomla-cms-bot - change - 21 Apr 2021
Labels Added: ?
joomla-cms-bot - labeled - 21 Apr 2021
ReLater - comment - 21 Apr 2021

> filenames starting with . can't be uploaded (hidden files)

I don't see any valid reason to forbid these files.

> In addition to swapping spaces with underscores

ditto

particthistle - comment - 21 Apr 2021

@ReLater your feedback is why I've made this an RFC.

Uploading . files via the media manager doesn't make sense if they're going to proceed to vanish in the media manager.

particthistle - change - 21 Apr 2021
The description was changed
particthistle - edited - 21 Apr 2021
richard67 - comment - 21 Apr 2021

@particthistle Please test again with the latest 4.0 nightly build from tonight. Yesterday a change to the FilePath validation rule was merged up from staging/3.10-dev into 4.0-dev with this commit: 8aefc2e. The change comes from this PR: #32718.

This might change stuff related to this and your other issue about filenames. That doesn't mean it will fix the issues, but it might change details for the description of symptoms.

brianteeman - comment - 21 Apr 2021
> • ? " / \ [ ] : ; | < > , - all are characters that shouldn't be in filenames on various file systems.

If you can't create them on your local filesystem then there is nothing we need to do. There is no point in creating a rule to prevent you uploading something that cannot exist.

Or am I missing something?

> Is sanitizing filenames considered better practice? Better Security?

There really is no need that I can see in 2021 to replace a space in the name of an image. An issue would only ever occur if the file was referenced unquoted. But as it is always quoted in Joomla then there is no problem. The only possible problem would be if you wanted to open an image with a filename directly in the browser address bar but that would be something unrelated to Joomla.

particthistle - change - 22 Apr 2021
Status: New → Closed
Closed_Date: 0000-00-00 00:00:00 → 2021-04-22 00:28:57
Closed_By: → particthistle
particthistle - close - 22 Apr 2021
particthistle - comment - 22 Apr 2021

Closing this one based on comments and further testing.

  • Media manager already prevents uploading . files, however the error returned is basic and doesn't tell the user why:
    image
    As there's a low probability of people trying to upload a . file via the media manager, this may be sufficient, otherwise a different issue needs to be raised to improve the messaging.
  • As @brianteeman pointed out, filename references are always quoted in Joomla, so spaces in filenames are not an issue.
  • Will now modify #33213 to focus on changing the functionality of the upload vs sanitizing filenames.
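
The two positions in this thread side by side, as an added example that is not Joomla's code or any participant's: `reviewUploadName` applies the rejections and the optional renaming the RFC raised, and `imageTag` references a name that keeps its space through a percent-encoded, quoted attribute. The function names, the `/images` base path and the sample names are assumptions, and the hyphen in the quoted character list is read as punctuation rather than as a listed character.

```php
<?php
// Added example: hypothetical helpers, not Joomla's media manager code.

// Characters quoted in the thread as invalid on various file systems.
const RESERVED_CHARS = '?"/\\[]:;|<>,';

/**
 * Review an upload name against the rules raised in this issue.
 * Returns ['ok' => bool, 'name' => ?string, 'reason' => ?string].
 */
function reviewUploadName(string $name): array
{
    if ($name === '' || strpbrk($name, RESERVED_CHARS) !== false) {
        return ['ok' => false, 'name' => null, 'reason' => 'empty or reserved character'];
    }
    if ($name[0] === '.') {
        return ['ok' => false, 'name' => null, 'reason' => 'hidden (dot) file'];
    }

    // Optional normalisation the RFC proposed: spaces to underscores,
    // extension to lowercase (the idea mentioned for #33179).
    $normalized = str_replace(' ', '_', $name);
    $dot = strrpos($normalized, '.');
    if ($dot !== false) {
        $normalized = substr($normalized, 0, $dot) . strtolower(substr($normalized, $dot));
    }
    return ['ok' => true, 'name' => $normalized, 'reason' => null];
}

/**
 * Build a quoted src attribute for a stored name, leaving the name untouched:
 * percent-encode it for the URL, then HTML-escape the URL for the attribute.
 */
function imageTag(string $baseUrl, string $name): string
{
    $url = rtrim($baseUrl, '/') . '/' . rawurlencode($name);
    return '<img src="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '" alt="">';
}

// Constructed sample names, not taken from the issue.
foreach (['Team Photo.JPG', '.htaccess', 'a/b.png', 'logo.png'] as $sample) {
    $r = reviewUploadName($sample);
    printf("%-15s %s\n", $sample, $r['ok'] ? 'ok -> ' . $r['name'] : 'rejected: ' . $r['reason']);
}
// The stored name keeps its space; only the URL form is encoded.
echo imageTag('/images', 'Team Photo.JPG'), "\n";
```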
