SID-01362: problems with '+' characters in filenames

Status:	Answered	TWiki version:	4.0.4	Perl version:	5.8.8
Category:	BatchUploadPlugin	Server OS:	CentOS 5.6 kernel 2.6.18-238.9.1.el5xen	Last update:	14 years ago

Files in zip archives with '+' characters in the filenames have all characters before the '+' character including the '+' character removed as the uploaded file name. So for example these filenames in a zip archive :

P256-310pH8+H_res-DA1.png

LP256-310pH8+H_res-DA2.png

become :

H_res-DA1.png

H_res-DA2.png

On the webserver running Twiki I'm using Archive::Zip 1.16-1.2.1 (CentOS5 packages), and I know it's <1.18 the version recommended on the install page, but I've tried some test code :

#!/usr/bin/perl

use Archive::Zip;

my $zipF = Archive::Zip->new();
unless ($zipF->read($ARGV[0]) == AZ_OK ) {
die "$ARGV[0] not a zip file or I/O error\n";
}

foreach $zipMember ($zipF->memberNames()) {
print "Extracting $zipMember...\n";
$zipF->extractMember($zipMember);
}

...and this is able to properly decompress a filename with a '+' character in it without messing up the original file name. I wonder if it has to do with this code in lib/TWiki/Plugins/BatchUploadPlugin.pm

295 # Remove problematic chars

296 $fileName =~ s/$TWiki::cfg{NameFilter}//goi;

-- SabujPattanayek - 2011-12-27

Discussion and Answer

TWiki.cfg:$cfg{NameFilter} = qr/[\s\*?~^\$@%`"'&;|<>\x00-\x1f]/;

That doesn't look like it could be the issue. It seems like since the file is being moved out of the tmp directory, it's happening in one of these :

282 $fileName =~ /\/?(.*\/)?(.+)/;

283 $fileName = $2;

284

285 # Make filename safe:

286 my $origFileName = $fileName;

287

288 # Protect against evil filenames - especially for out temp file.

289 $fileName =~ /\.*([ \w_.\-]+)$/go;

290 $fileName = $1;

-- SabujPattanayek - 2011-12-27

Ok, it's this :

288 # Protect against evil filenames - especially for out temp file.

289 $fileName =~ /\.*([ \w_.\-]+)$/go;

But, i'm not parsing how the everything before the '+' char and the '+' char itself is being removed by this regex.

-- SabujPattanayek - 2011-12-27

Alright, got it, this basically says, the filename can't begin with multiple dots, and must then be comprised of space, numerical and alphabetical characters, underscores, backslashes, or dashes. I guess you must have gotten that from (or something similar) :

http://www.sitepoint.com/uploading-files-cgi-perl-2/

my $safe_filename_characters = "a-zA-Z0-9_.-";

adding a '+' inside of the character class seems to fix the issue :

$ perl -e '$n = "foo+bar.txt"; =~ /\.*([+ \w_.\-]+)$/go; = $1; print " \n";'

foo+bar.txt

but I don't see why allowing '+' chars in filenames is unsafe, how could this be used maliciously in a file open or creat call?

-- SabujPattanayek - 2011-12-28

Adding a + character should be OK. Although it might cause issues in border cases. For example, for TWiki topic names that are not TWikiWords we recommend to use only A-Z, a-z, _ and -.

-- PeterThoeny - 2011-12-29

If you answer a question - or someone answered one of your questions - please remember to edit the page and set the status to answered. The status selector is below the edit box.