
SID-01362: problems with '+' characters in filenames

Status: Answered | TWiki version: 4.0.4 | Perl version: 5.8.8
Category: BatchUploadPlugin | Server OS: CentOS 5.6 kernel 2.6.18-238.9.1.el5xen | Last update: 14 years ago

Files in zip archives with '+' characters in the filenames have all characters before the '+' character including the '+' character removed as the uploaded file name. So for example these filenames in a zip archive :

P256-310pH8+H_res-DA1.png

LP256-310pH8+H_res-DA2.png

become :

H_res-DA1.png

H_res-DA2.png

On the webserver running TWiki I'm using Archive::Zip 1.16-1.2.1 (CentOS5 packages), and I know it's <1.18, the version recommended on the install page, but I've tried some test code:


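#!/usr/bin/perl

use strict;
use warnings;
# Import AZ_OK and the other status constants.
use Archive::Zip qw(:ERROR_CODES);

my $zipF = Archive::Zip->new();
unless ($zipF->read($ARGV[0]) == AZ_OK) {
    die "$ARGV[0] not a zip file or I/O error\n";
}

# Extract every member under the name stored in the archive.
foreach my $zipMember ($zipF->memberNames()) {
    print "Extracting $zipMember...\n";
    $zipF->extractMember($zipMember);
}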

...and this is able to properly decompress a filename with a '+' character in it without messing up the original file name. I wonder if it has to do with this code in lib/TWiki/Plugins/BatchUploadPlugin.pm

# Remove problematic chars
$fileName =~ s/$TWiki::cfg{NameFilter}//goi;

-- SabujPattanayek - 2011-12-27

Discussion and Answer

TWiki.cfg:$cfg{NameFilter} = qr/[\s\*?~^\$@%`"'&;|<>\x00-\x1f]/;

That doesn't look like it could be the issue. It seems like since the file is being moved out of the tmp directory, it's happening in one of these :


$fileName =~ /\/?(.*\/)?(.+)/;
$fileName = $2;

# Make filename safe:
my $origFileName = $fileName;

# Protect against evil filenames - especially for out temp file.
$fileName =~ /\.*([ \w_.\-]+)$/go;
$fileName = $1;

-- SabujPattanayek - 2011-12-27

Ok, it's this :


# Protect against evil filenames - especially for out temp file.
$fileName =~ /\.*([ \w_.\-]+)$/go;

But I'm not parsing how everything before the '+' char and the '+' char itself is being removed by this regex.

-- SabujPattanayek - 2011-12-27

Alright, got it, this basically says, the filename can't begin with multiple dots, and must then be comprised of space, numerical and alphabetical characters, underscores, backslashes, or dashes. I guess you must have gotten that from (or something similar) :

http://www.sitepoint.com/uploading-files-cgi-perl-2/

my $safe_filename_characters = "a-zA-Z0-9_.-";

adding a '+' inside of the character class seems to fix the issue :


$ perl -e '$n = "foo+bar.txt"; $n =~ /\.*([+ \w_.\-]+)$/go; $n = $1; print "$n\n";'

foo+bar.txt

but I don't see why allowing '+' chars in filenames is unsafe, how could this be used maliciously in a file open or creat call?

-- SabujPattanayek - 2011-12-28

Adding a + character should be OK. Although it might cause issues in border cases. For example, for TWiki topic names that are not TWikiWords we recommend to use only A-Z, a-z, _ and -.

-- PeterThoeny - 2011-12-29
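
The truncation discussed in this thread, as an added Perl example that is not part of the original posts or of BatchUploadPlugin: `legacy_name` reproduces the quoted pattern, while `strict_name`, its extra-character argument and the member names marked as constructed are assumptions for illustration. It shows that trimming to the trailing run of allowed characters can map different archive members to the same attachment name, and that rejecting a non-conforming name avoids the silent rename.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# The pattern quoted in this thread (its /go flags do not change the result
# for a fresh string). It is anchored only at the end, so it keeps just the
# longest trailing run of allowed characters. The quoted code also assigns
# $1 without checking the match; here a failed match returns undef instead.
sub legacy_name {
    my ($name) = @_;
    return $name =~ /\.*([ \w_.\-]+)$/ ? $1 : undef;
}

# Hypothetical stricter check: the whole name must consist of allowed
# characters, must not start with a dot, and is rejected rather than trimmed.
sub strict_name {
    my ($name, $extra) = @_;            # $extra: extra allowed chars, e.g. '+'
    $extra = '' unless defined $extra;
    my $class = '[ \w.\-' . quotemeta($extra) . ']';
    return $name =~ /\A(?!\.)($class+)\z/ ? $1 : undef;
}

# The two names from the report plus two constructed ones.
my @members = (
    'P256-310pH8+H_res-DA1.png',
    'LP256-310pH8+H_res-DA2.png',
    'other+H_res-DA1.png',              # constructed: different file, same tail
    'notes#',                           # constructed: ends in a disallowed char
);

my %seen;
for my $m (@members) {
    my $old = legacy_name($m);
    my $new = strict_name($m, '+');
    printf "%-28s legacy=%-16s strict=%s\n", $m,
        defined $old ? $old : '(no match)',
        defined $new ? $new : '(rejected)';
    next unless defined $old;
    warn "collision: '$m' and '$seen{$old}' both become '$old'\n" if $seen{$old};
    $seen{$old} ||= $m;
}
```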

SupportForm
Status: Answered
Title: problems with '+' characters in filenames
SupportCategory: BatchUploadPlugin
TWiki version: 4.0.4
Server OS: CentOS 5.6 kernel 2.6.18-238.9.1.el5xen
Web server: Apache 2.2.3
Perl version: 5.8.8
Topic revision: r3 - 2011-12-29 - PeterThoeny