Filename sanitization

Question

odilitime opened this issue 8 years ago · comments

I just saw a original filename with single quotes around it
so the extension ended with a single quote

originalfilename: 'filename.ext'
filename: asdfe.ext'

not sure this is desired, just bringing it to your attention.

Lilac Kapul · Answer 1 · Mon Jul 04 2016 14:47:43 GMT+0800 (China Standard Time)

as clsr mentioned, this is acceptable for filenames

there is nothing wrong with this. the only concern is for SQL injection, which is solved with escaped user input like everything should be

Odilitime · Answer 2 · Mon Jul 04 2016 14:49:05 GMT+0800 (China Standard Time)

Well it's making our extensions statistics incorrect, so we'll just fix it in our copy

Lilac Kapul · Answer 3 · Mon Jul 04 2016 14:49:27 GMT+0800 (China Standard Time)

that is a problem with extension statistics code though

Lilac Kapul · Answer 4 · Mon Jul 04 2016 15:35:23 GMT+0800 (China Standard Time)

SQL injection is not an issue due to the way handled in the code.
URLs are now properly handled.

All should be good now. @ewhal

jithatsonei · Answer 5 · Tue Jul 05 2016 09:18:44 GMT+0800 (China Standard Time)

side note: this is a pomf-php issue