HackerOne users: Testing against this community violates our program's Terms of Service and will result in your bounty being denied.

File upload fails silently if '&' in the filename

lexx_kotolexx_koto New
edited August 2013 in Feedback

If the user wants to upload a file, and the file has an ampersand '&' in the filename, the upload will fail silently.

Tested on a CentOS 6 server running Apache/PHP/MySQL, on Safari, Firefox and Chrome.

Comments

  • 50sQuiff50sQuiff ✭✭
    edited August 2013

    Good spot!

    I've found the problem. It's this line in fileupload.js:

    if (StoredFilename != Filename) return;

    The problem is one of these vars contains escaped ampersands and the other doesn't. Replace the line with:

    if (StoredFilename.replace(/&/g,"&") != Filename) return;

Sign In or Register to comment.