Old Forums (READ-ONLY): The community now lives at WordPress.org. If you have an s2Member® Pro question, please use our new Support System.

Problem with quotes in filename downloads

This topic contains 8 replies, has 3 voices.
Last updated by  potsky 1 year, 3 months ago.

Posted: Wednesday Jan 16th, 2013 at 7:47 am #37713
potsky
Username: potsky

Hello!

When downloading a file with double quotes, the file is correctly downloaded but the filename hangs at the first double quote. I escape the URL of course; Japanese, German and French chars are well supported but not double quotes.

Here is an example of the html fragment :

<a href="#" class="link" rel="http://example.com/?s2member_file_download=/This+is+%22my%22+file.txt">This is "my" file.txt</a>

On the server, the file is named :

s2member-files/This is "my" file.txt

And the downloaded file is :

This is .txt

If you replace the file extension with .php instead of .txt for example, the downloaded file will not have its extension and will result as :

This is 

Given that it is for the plugin s2member Secure File Browser, I don’t really want to have a hot fix but just a fix in a future version. Or perhaps I can bypass this problem with a trick in my plugin.

Thank you !

List Of Topic Replies

Posted: Thursday Jan 17th, 2013 at 3:06 am #37860
Bruce
Username: Bruce
Staff Member

Thanks for reporting this important issue.

I’m sending this issue to Jason to get his input.

Posted: Thursday Jan 17th, 2013 at 3:30 am #37864
potsky
Username: potsky

Thank you!

Posted: Thursday Jan 17th, 2013 at 10:17 am #37878
Staff Member

Thanks for the heads up on this thread :-)

I just took a quick look at this, and it’s not actually s2Member losing any data and/or formatting here. What’s happening is that s2Member’s call to PHP’s file_exists() function is failing on some operating systems. Either due to safe mode restrictions, or because of a lack of support for that character in a file name.

Comparison of filename limitations (from the Wikipedia)
http://en.wikipedia.org/wiki/File_name#Comparison_of_filename_limitations

My suggestion would be to avoid using double-quotes in file names. Even if you’re on a server that would support this, it is highly likely that issues would occur during the download and Save action within a browser. For instance, Windows does not support the double-quote character in a file name at all.

Please let us know if problems persist :-)

Related articles:
http://en.wikipedia.org/wiki/File_name
http://stackoverflow.com/questions/948072/why-doesnt-file-exists-work

Posted: Thursday Jan 17th, 2013 at 10:27 am #37881
potsky
Username: potsky

Thank you for your answer !

I do not use double quotes in filename, but my clients… certainly ! I really agree with you on this point.

In fact the file is well downloaded, so I presume the file_exists does not crash.
The downloaded file name is just cut at the first double quote.

Moreover, it seems there is a filename computing given that .txt still persists at the end of the filename.

It is not really important…

Posted: Thursday Jan 17th, 2013 at 5:35 pm #37953
potsky
Username: potsky

Ok, I found the solution. Again a new RFC :-)
http://tools.ietf.org/html/rfc6266#appendix-D

In includes/classes/files-in.inc.php line 361 (for version 121213), replace :

header('Content-Disposition: '.(($inline) ? "inline" : "attachment").'; filename="'.$basename.'"');

with

header('Content-Disposition: '.(($inline) ? "inline" : "attachment").'; filename*=UTF-8\'\''.rawurlencode($basename) );

but not for all user agents (http://greenbytes.de/tech/tc2231/)

It seems there is a trick with a fake file name at the end of the php and with a rewrite rule :
http://stackoverflow.com/questions/93551/how-to-encode-the-filename-parameter-of-content-disposition-header-in-http

Posted: Thursday Jan 17th, 2013 at 11:12 pm #38006
Staff Member

Interesting! Thank you. I’m going to review this shortly!

Posted: Sunday Jan 20th, 2013 at 2:36 am #38395
Staff Member

Thanks for the great tips!

RFC 6266 says…
http://tools.ietf.org/html/rfc6266#appendix-D

   o  When a "filename" parameter is included as a fallback (as per
      above), "filename" should occur first, due to parsing problems in
      some existing implementations.

   o  Use UTF-8 as the encoding of the "filename*" parameter, when
      present, because at least one existing implementation only
      implements that encoding.

This site you pointed me to indicates that including both values might work best here.
See: http://greenbytes.de/tech/tc2231/#attfnboth

I’m currently testing the following change at line #274 in s2Member v130116. If testing goes well, I’ll see about having this change made for the next maintenance release.

$disposition = (($inline) ? "inline" : "attachment")."; filename=\"".c_ws_plugin__s2member_utils_strings::esc_dq($basename)."\"; filename*=UTF-8''".rawurlencode($basename);

If you get a chance to test this, I would greatly appreciate it :-) Please note that s2Member v130116 added support for byte-range requests. Thus, the current stable release of s2Member (v130116) includes significant changes inside files-in.inc.php from the previous version.

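Added example (not part of the original thread and not s2Member's code): a self-contained version of the header construction discussed in the reply above, sending an escaped `filename` fallback first and the RFC 6266 `filename*` form second. The function name `build_content_disposition()` and the sample names are hypothetical, and the function does its own quoted-string escaping rather than calling the plugin's `esc_dq()` helper.

```php
<?php
// Added example, not s2Member code. build_content_disposition() is a
// hypothetical helper; it assumes $basename is a UTF-8 file name (PHP 7+).

function build_content_disposition(string $basename, bool $inline = false): string
{
    // Control characters are never valid in a header value; drop them.
    $clean = preg_replace('/[\x00-\x1F\x7F]/', '', $basename);

    // Fallback for user agents that only read "filename":
    // replace every non-ASCII byte with "_", then backslash-escape
    // "\" and '"' so the quoted-string is not cut at the first quote.
    $fallback = preg_replace('/[^\x20-\x7E]/', '_', $clean);
    $fallback = addcslashes($fallback, "\"\\");

    // Extended form: UTF-8 charset, empty language tag, percent-encoded bytes.
    $extended = "UTF-8''" . rawurlencode($clean);

    // RFC 6266 Appendix D: "filename" occurs first, "filename*" second.
    return ($inline ? 'inline' : 'attachment')
        . '; filename="' . $fallback . '"'
        . '; filename*=' . $extended;
}

// Constructed sample names; the first is the one from the original report.
$samples = [
    'This is "my" file.txt',
    "r\u{00E9}sum\u{00E9} 2013.pdf",
    'back\\slash "and" quote.php',
];

foreach ($samples as $name) {
    echo build_content_disposition($name), PHP_EOL;
}
```

The return value is what would be passed to `header('Content-Disposition: ' . ...)`; user agents that understand `filename*` use it in preference to the fallback.
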
Posted: Sunday Jan 20th, 2013 at 5:00 am #38399
potsky
Username: potsky

Thank you, I changed this line in all installations (with the last version of course).
I will tell you if I notice a problem but for the moment, it works perfectly on :
- Safari 6 on Mac
- Firefox (latest) on Mac
- Chrome on Mac, which changes quotes to dashes

This topic is closed to new replies. Topics with no replies for 2 weeks are closed automatically.
