URL upload corrupting filename in some files URL upload corrupting filename in some files
 

News:

cpg1.5.48 Security release - upgrade mandatory!
The Coppermine development team is releasing a security update for Coppermine in order to counter a recently discovered vulnerability. It is important that all users who run version cpg1.5.46 or older update to this latest version as soon as possible.
[more]

Main Menu

URL upload corrupting filename in some files

Started by bitcloud, March 29, 2007, 10:29:28 PM

Previous topic - Next topic

0 Members and 1 Guest are viewing this topic.

bitcloud

Hi,

I've been searching the forum to no avail, so I'll explain this problem here, and if anyone has any clues, it would be really appreciated.

The problem occurs when you upload via URL images which contain non alphanumeric characters (such as "]", which in the address bar should be displayed as "%5D")

Standard file upload works fine and leaves the file named "filename].jpg" (also seen as "filename%5D.jpg") but the URL upload takes the existing "filename%5D.jpg" filename from the location bar and performs some kind of function on the filename so you end up with "filename%255D.jpg" (which doesn't translate to any nonalpha character)

I imagine that theres a function performed on upload that replaces nonalphanumeric characters with their webfriendly counterparts ("]" to "%5D" for example).
I also imagine that when the filename is coming from a URL it doesn't recognise any nonalpha characters (because it's already a web friendly name), but somewhere it seems to be doing a "replace % with %25" which is messing up the filename display (displaying strings of ugly numbers and %'s in the info section and causing other problems with mods and bridging as the different bits try and find the file at what should be it's correct location)

Is anyone able to replicate this possible bug by trying to URL upload a filename containing non alphanumerica characters?
Any help would really be appreciated

Cheers
Lachlan

bitcloud

I guess I've figured out the cause of this bug.

Theres a function somewhere that replaces illegal characters with legal characters. When the filename comes from a URL it already appears to contain only legal characters except for percentage signs (%) (it reads caf%E9 as the filename instead of the original café)

it then runs the filename through the alphanumeric filter/replacer function and replaces the % in the filename with the "safe" version (which in the case of % that version happens to be %25) so you end up with caf%25E9. It's replaced the % with %25

does anyone know where this function is, or does anyone know of/care to work out a fix for this bug?
cheers