Rock
Rock copied to clipboard
Published
20 hours ago •
SparkDevNetwork
SparkDevNetwork
Image Browser allows uploads with invalid filenames
Prerequisites
- [x] Put an X between the brackets on this line if you have done all of the following:
- Can you reproduce the problem on a fresh install or the [http://rock.rocksolidchurchdemo.com/ demo site ]()?
- Did you include your Rock version number and [https://github.com/SparkDevNetwork/Rock/wiki/Environment-and-Diagnostics-Information client culture ]() setting?
- Did you [https://github.com/issues?q=is%3Aissue+user%3ASparkDevNetwork+-repo%3ASparkDevNetwork%2FSlack perform a cursory search ]() to see if your bug or enhancement is already reported?
Description
I'm not sure if the issue is that the filename is allowed during upload - or if it's that the filename should be escaped when trying to insert. Either way, if you upload an image file named #1.png, it will allow the upload, it will show in preview, but when you try to insert it fails with a permission denied error because it's trying to load #1.png which is not a valid filename for web use.
If I manually change the filename to %231.png then it loads as expected.
Steps to Reproduce
- Generate a PNG with the filename
#1.png - Add an HTML block to a page.
- Edit content and switch to WYSIWIG mode.
- Click Image Browser button
- Upload
#1.png - Select
#1.pngfor insert and notice "nothing happens". - Click Image Browser button again.
- Open your Network Resources inspector tab.
- Select
#1.pngagain and notice you get a 403 error trying to request that file.
Expected behavior:
I should either get an error about uploading that filename, or it should properly escape the filename.
Actual behavior:
Sad kitty face since I get a very confused user calling me asking why they can't insert that picture.
Versions
- Rock Version: 7.3
- Client Culture Setting: en-US
