FilterHtmlImageSecure does not support images with spaces in the filename [#2096855]

If you add (upload) an image trough the CK editor and:

That image contains a space in its filename
And you have selected the Basic HTML format
And that Basic HTML format has the "Restrict images to this site" filter enabled

Then the rendered node will have a blocked image icon and the text that the image is blocked due to security reasons.

This caused by the _filter_html_image_secure_process() function.

It searches trough the DOM in the HTML for image tags, extract the src of them and uses that path to see if it is an internal URL and if the image exists.

The HTML has the rawurl encoded version of the filename. This means that the space is in the src rendered as "%20".
Using that path to get the imagesize breaks because the file is not found.

Comment	File	Size	Author
#13	filter_html_image_secure_process-2096855-13-fail.patch	1.7 KB	zero2one
#13
#13	filter_html_image_secure_process-2096855-13-pass.patch	2.38 KB	zero2one
#13
#12	filter_html_image_secure_process-2096855-12-fail.patch	1.81 KB	zero2one
#12
#12	filter_html_image_secure_process-2096855-12-pass.patch	2.5 KB	zero2one
#12
#11	filter_html_image_secure_process-2096855-11-fail.patch	1.81 KB	zero2one
#11
#11	filter_html_image_secure_process-2096855-11-pass.patch	2.5 KB	zero2one
#11
#9	filter_html_image_secure_process-2096855-9-fail.patch	1.73 KB	zero2one
#9
#9	filter_html_image_secure_process-2096855-9-pass.patch	2.42 KB	zero2one
#9
#6	filter_html_image_secure_process-2096855-5-fail.patch	1.83 KB	zero2one
#6
#6	filter_html_image_secure_process-2096855-5-pass.patch	2.52 KB	zero2one
#6
#3	filter_html_image_secure_process-2096855-7894861.patch	2.59 KB	zero2one
#3
#1	filter_html_image_secure_process_support_spaces-2096855.patch	818 bytes	zero2one
#1

Support from Acquia helps fund testing for Drupal Acquia logo

Comments

Comment #1

zero2one CreditAttribution: zero2one commented 24 September 2013 at 14:58

Status:

Active

» Needs review

File	Size
filter_html_image_secure_process_support_spaces-2096855.patch	818 bytes

I created a patch for this:

It first passes the rawurl encoded src of the image trough the rawurldecode function.
And uses the result to get the image size.

Comment #2

larowlan

🇦🇺🏝.au GMT+10

CreditAttribution: larowlan commented 24 September 2013 at 19:22

Issue tags:

+Needs tests

Thanks, can you also add this scenario to the tests for that filter?

Comment #3

zero2one CreditAttribution: zero2one commented 24 September 2013 at 23:42

File	Size
filter_html_image_secure_process-2096855-7894861.patch	2.59 KB

Added the scenario's to the tests.

Please review the test code.

Comment #4

larowlan

🇦🇺🏝.au GMT+10

CreditAttribution: larowlan commented 24 September 2013 at 23:46

+++ b/core/modules/filter/lib/Drupal/filter/Tests/FilterHtmlImageSecureTest.php
@@ -91,6 +91,13 @@ function testImageSource() {
+    ¶

There's some trailing whitespace here

+++ b/core/modules/filter/lib/Drupal/filter/Tests/FilterHtmlImageSecureTest.php
@@ -91,6 +91,13 @@ function testImageSource() {
+    // @see https://drupal.org/node/2096855#comment-7894015

We don't normally reference fixes in comments, can you remove this @see?

Can we get two versions of the patch, one that is 'tests only' i.e. doesn't include the fix.
And a second one that is tests + fix.
If you upload them to the same comment, with the tests only one first, we should see 'fail' then 'pass' for the patches.
This give the committer confidence that a) we've found the problem b) we have a test so it never breaks again c) we have a fix

Thanks!

Comment #5

larowlan

🇦🇺🏝.au GMT+10

CreditAttribution: larowlan commented 24 September 2013 at 23:46

Issue tags:

-Needs tests

Tag can go, we have tests now

Comment #6

zero2one CreditAttribution: zero2one commented 24 September 2013 at 23:55

Issue tags:

+Needs tests

File	Size
filter_html_image_secure_process-2096855-5-pass.patch	2.52 KB

filter_html_image_secure_process-2096855-5-fail.patch	1.83 KB

This are the patches:

One that has the test, but that fails because of the fix not in place.
One that has the test, and passes because of the fix

I also removed the whitespace.

Comment #7

larowlan

🇦🇺🏝.au GMT+10

CreditAttribution: larowlan commented 25 September 2013 at 00:27

Just nitpicks now

+++ b/core/modules/filter/lib/Drupal/filter/Tests/FilterHtmlImageSecureTest.php
@@ -92,6 +92,12 @@ function testImageSource() {
+    // Put a test image in the files directory with special filename

(nitpick) needs a . on end of line as per coding standards (see node/1354)

+++ b/core/modules/filter/lib/Drupal/filter/Tests/FilterHtmlImageSecureTest.php
@@ -92,6 +92,12 @@ function testImageSource() {
+    $special_base_uri = str_replace($test_images[0]->filename, NULL, $test_images[0]->uri);

I think there might be a function to do this, basepath perhaps?

+++ b/core/modules/filter/lib/Drupal/filter/Tests/FilterHtmlImageSecureTest.php
@@ -92,6 +92,12 @@ function testImageSource() {
+    $special_image    = rawurlencode($special_filename);

no need for indent/alignment I think

Comment #8

larowlan

🇦🇺🏝.au GMT+10

CreditAttribution: larowlan commented 25 September 2013 at 00:27

Issue tags:

-Needs tests

crosspost

Comment #9

zero2one CreditAttribution: zero2one commented 25 September 2013 at 05:30

File	Size
filter_html_image_secure_process-2096855-9-pass.patch	2.42 KB

filter_html_image_secure_process-2096855-9-fail.patch	1.73 KB

I refactored the code to match the standards.

I removed the code to get the base path, the file is in stored in the root of the public folder (public://) anyway.

Comment #10

25 September 2013 at 07:08

Status:

Needs review

» Needs work

The last submitted patch, filter_html_image_secure_process-2096855-9-pass.patch, failed testing.

Comment #11

zero2one CreditAttribution: zero2one commented 25 September 2013 at 07:19

File	Size
filter_html_image_secure_process-2096855-11-pass.patch	2.5 KB

filter_html_image_secure_process-2096855-11-fail.patch	1.81 KB

public:// worked locally but not on the d.o test bot.

Reverted the code to a string_replace. It's less environment dependent.

Comment #12

zero2one CreditAttribution: zero2one commented 25 September 2013 at 08:41

Status:

Needs work

» Needs review

File	Size
filter_html_image_secure_process-2096855-12-pass.patch	2.5 KB

filter_html_image_secure_process-2096855-12-fail.patch	1.81 KB

Changed issue status

Comment #13

zero2one CreditAttribution: zero2one commented 26 September 2013 at 16:04

File	Size
filter_html_image_secure_process-2096855-13-pass.patch	2.38 KB

filter_html_image_secure_process-2096855-13-fail.patch	1.7 KB

Removed the change of the file mode of the settings.php file from the patch.

Comment #14

Wim Leers

Ghent 🇧🇪🇪🇺

CreditAttribution: Wim Leers commented 26 September 2013 at 16:23

Status:

Needs review

» Reviewed & tested by the community

I asked for a reroll in person of #13 because it contained an inappropriate permission change.

Now the patch is perfect. Nice and simple, additional test coverage to prevent regressions, a fail and pass patch to prove it works.

Thanks! :)

Comment #15

Wim Leers

Ghent 🇧🇪🇪🇺

CreditAttribution: Wim Leers commented 30 September 2013 at 16:56

Title:

The "Restrict images to this site" filter does not support images with spaces in the filename

» FilterHtmlImageSecure does not support images with spaces in the filename

Comment #16

webchick

she/they

English

Vancouver 🇨🇦

CreditAttribution: webchick commented 2 October 2013 at 16:51

Status:

Reviewed & tested by the community

» Fixed

Awesome work!

Committed and pushed to 8.x. Thanks!

Comment #17

16 October 2013 at 17:00

Status:

Fixed

» Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

Comment #18

hass CreditAttribution: hass commented 6 November 2013 at 11:39

Version:	8.x-dev	» 7.x-dev
Issue summary:	View changes
Status:	Closed (fixed)	» Patch (to be ported)
Issue tags:		+Needs backport to 7.x
Related issues:		+#2125301: %20 in image file names triggers the "local images only" filter

3 files were hidden/shown/deleted

File	Size
filter_html_image_secure_process-2096855-11-fail.patch	1.81 KB

filter_html_image_secure_process-2096855-12-pass.patch	2.5 KB

filter_html_image_secure_process-2096855-12-fail.patch	1.81 KB