I'm trying to get http://farm3.static.flickr.com/2719/5811419439_c85ed93ebd_d.jpg

Error : Only files with the following extensions are allowed: png gif jpg jpeg.

Field settings
- Allowed file extensions: png, gif, jpg, jpeg
- Unlimited size

Apache limit : 2MB

curl --head http://farm3.static.flickr.com/2719/5811419439_c85ed93ebd_d.jpg
HTTP/1.1 200 OK
Date: Wed, 08 Jun 2011 14:02:48 GMT
Content-Type: image/jpeg
Connection: keep-alive
Server: Apache/2.0.52 (Red Hat)
Content-Disposition: attachment; filename=5811419439_c85ed93ebd.jpg
Pragma: no-cache
Expires: 0
Last-Modified: Wed, 08 Jun 2011 13:57:14 GMT
Accept-Ranges: bytes
Content-Length: 159642
X-Cache: MISS from photocache311.flickr.ac4.yahoo.com
X-Cache-Lookup: MISS from photocache311.flickr.ac4.yahoo.com:81
Via: 1.1 photocache311.flickr.ac4.yahoo.com:81 (squid/2.7.STABLE9)

What's wrong?

Comments

clemens.tolboom’s picture

I found the cause ... the filename contains a newline. I added code to

function filefield_source_remote_value($element, &$item) {

    $regex = '/\.('. preg_replace('/[ +]/', '|', preg_quote($extensions)) .')$/i';
dsm($regex, "'".$filename. "'");
    if (!empty($extensions) && !preg_match($regex, $filename)) {

to see the newline into the filename.

I suspect function _filefield_source_remote_filename() getting the newlined value from function filefield_source_remote_parse_header(&$ch, $header) { not checking for eol?

This image works http://www.budgetgaming.nl/plaatjes/reviews/flower/Flower_plaatje3.jpg

clemens.tolboom’s picture

Title: Only files with the following extensions are allowed ... when trying do get a flickr image. » flickr: Only files with the following extensions are allowed ... when trying do get a flickr image.
quicksketch’s picture

I'm not quite following this issue. There's actually a new-line *in the filename*? How is that even possible? What OS allows a new-line in a file name?

clemens.tolboom’s picture

Status: Active » Needs review
StatusFileSize
new540 bytes

Doing a curl --head http://4.bp.blogspot.com/-KWHpPk4f-kM/TdZY_dxWMRI/AAAAAAAAADc/6FHVzBLY-4o/s1600/flower-1.jpg results in

Content-Disposition: inline;filename="flower-1.jpg"

being the quoted variant. The flickr flow is through the unquoted preg_match

  elseif (preg_match('/Content-Disposition:.*?filename=([^; ]+)/', $header, $matches)) {
    // Content-Disposition: attachment; filename=file.ext
    _filefield_source_remote_filename($matches[1]);
  }

Refering http://www.w3.org/Protocols/rfc2616/rfc2616-sec19.html and http://www.ietf.org/rfc/rfc1806.txt suggest both regex could use some fine-tuning
- tokens are not case sensitive: inline, attachments (which is resolved by matching .*?)
- there could be more disposition params (not covered) which could follow a filename param

       disposition := "Content-Disposition" ":"
                       disposition-type
                       *(";" disposition-parm)

        disposition-type := "inline"
                          / "attachment"
                          / extension-token
                          ; values are not case-sensitive

        disposition-parm := filename-parm / parameter

        filename-parm := "filename" "=" value;

Anyways the patch is attached which is an ordinary trim.

rfay’s picture

I do confirm this problem with flickr photos and that the patch in #4 resolves it.

rfay’s picture

And I confirm that the same problem exists in D6.

attiks’s picture

Status: Needs review » Reviewed & tested by the community

ran into the same problem, this works

clemens.tolboom’s picture

budda’s picture

No I think the two issues are different.

The other issue is about files with no extension falling back to using mime headers to add an extension on to the filename before saving.
This one seems to be about catering for dodgy http headers with newslines.

quicksketch’s picture

Status: Reviewed & tested by the community » Fixed

Thanks guys, finally committed this patch. Simple enough, thanks for the work and testing!

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.