- 🇺🇸United States Amber Himes Matz Portland, OR USA
We triaged this in Bug Smash.
Is this still an issue? It would be great to add a failing test to prove the issue.
Also adding tags for re-roll and tests.
- Status changed to Needs review
about 1 year ago 11:13am 29 August 2023 - last update
about 1 year ago Custom Commands Failed - 🇮🇳India vsujeetkumar Delhi
Re-roll patch created against 9.5.x, Also added Test case that is missing in #5, It is based on #1. Please have a look.
19:18 18:23 RunningThe last submitted patch, 19: 1496532_19.patch, failed testing. View results →
- Status changed to Needs work
about 1 year ago 7:25am 3 September 2023 - 🇺🇸United States cmlara
Considering how long this issue has existed I would assert that this would be excessively disruptive to implement now. And if it were to be implemented it also needs to be done in a manner that also rewrites EVERY reference to a file in Drupal to be urlencoded and requires a new base class for streamWrappers.
test#file.txt is NOT the same as test%23file.txt on disk (at least for *nix) having the streamWrapper attempt to coerce a decode now would be inappropriate and could lead to data loss and data leakage.
Sample on Linux with an ext4 filesystem:
$ mkdir test_files $ cd test_files/ $ touch 'test#file.txt' $ touch 'test%23file.txt' $ ls -alh .. -rw-rw-r-- 1 user group 0 Sep 2 23:45 test%23file.txt -rw-rw-r-- 1 user group 0 Sep 2 23:45 test#file.txtKey note is that %23 passed through rawurldecode() would be converted to # causing an incorrect file access, and blocking access to the intended file.
Adding the security review tag for the fact that this could lead to access bypass issues inside of core/contrib by using urlencoding to make the request appear to be for a different file.
- 🇬🇧United Kingdom catch
I think I might have hit this in 📌 Tidy up URL generation for asset aggregates Needs work .