Uploaded file is overwritten

I have looked into the code and found one thing that is a bit strange.
If I check “Sanitize Filename” then the code checks if the file exists with the original filename.
It does not exist and then the file is Sanitized and stored with the sanitized name.
Next time I upload a file with the same name, the file still not exists, and then the name is sanitized and the old file is overwritten.

If I instead choose not the have the filenames sanitized I will get a timestamp and wpdm added to the file name and the other file is not overwritten. A better idea is to sanitize the filename before checking if it exists.

Now I have been out skiing cross country and been thinking of the problem.
I have found out that this a critical error that you have to fix at once.

If you not move the code:
if(get_option(‘__wpdm_sanitize_filename’, 0) == 1){
$filename = sanitize_file_name($name);
}else {
$filename = str_replace([“/”, “\\”], “_”, $name);
}

The file exists check you will always have an overwrite of the file if the code changes the value of $filename
In the PRO version as I think that you have much the same server code the checkbox about Overwrite file is obsolete.
It does not matter how the user checks it or not, overwrite is the case.
In the free version where that checkbox does not exist it is always overwrite too.

This behaviour can cause much damage to the user that thinks that he is uploading a new file not replacing an existing one.
Your file exist check checks against a filename that will never exist.

I do not think that you understand what I am saying.
I am a programmer by profession and I think I am pretty good at it! 😉

Your code is not doing what you think it is doing and therefore you have an critical error, both in the free as well as the program.
Lets try once again…

Say I submit a fil named: 01. My File.pdf

This code checks if that file exists and if the option __wpdm_overwrrite_file is set to 1. 1 is overwrite.
If the file exists it is removed.

if(file_exists(UPLOAD_DIR.$name) && get_option(‘__wpdm_overwrrite_file’,0)==1){
@unlink(UPLOAD_DIR.$name);
}

Now you check once more if the file exists. If it did exist in the if-statement above it will not exist now, but if it did not exist
and chunks is not set you will create a new filename, that looks something like this “165123456pdm_01. My File.pdf”.
if(file_exists(UPLOAD_DIR.$name) && !isset($_REQUEST[“chunks”]))
$filename = time().’wpdm_’.$name;
else
$filename = $name;

Now you have a value in $filename that is eigther “165123456pdm_01. My File.pdf” or “01. My File.pdf”

/$filename = esc_html($filename);

In the next if sentence you check if to sanitize the filename.

if(get_option(‘__wpdm_sanitize_filename’, 0) == 1)
$filename = sanitize_file_name($filename);
else {
$filename = str_replace([“/”, “\\”], “_”, $filename);
}
After this if sentences the $filename variable may have changed depending on if it has been sanitized or not. It may have changed if not sanitized too, but in a different way.
I might look something like this “165123456pdm_01_My_File.pdf” or maybe “01_My_File.pdf”.
The format in the sentence about is hypothetic, I would just like to point out that the value of $filename may have changed and it is the value the $filename now is assigned to that is the name of the saved file.

As both “165123456pdm_01_My_File.pdf” and “01_My_File.pdf” differs from the value, “01. My File.pdf” you did perform a file exists check that check has no impact on the stored file what so ever. This will lead to that you might overwrite an existing file without knowing it. And it does not matter how the user of the PRO version have checked the overwrite checkbox. The behaviour of the free version is also always overwrite. I do not know if that is your intension but a pretty dangerous default value.

So I still do not think that the free version neigther the PRO version is working in a acceptable way with the current code.

However if the sanitize or else part does not change the file name and the file is stored as “01. My File.pdf”.
The next time the file exists part will find that the file exists and then the file will be stored as “165123456wpdm_01. My File.pdf”

Are there any updates regarding the progress of this bug?

A new version released but still the same critical error! 🙁

Are you totally ignoring this bug?

Hello!

I am using the free version numbered 3.2.55.
As described many times before in this thread you are not understanding your own code.
I am a programmer since more than 30 years and the bug is a really beginners bug.

In the file src/Admin/Menu/Packages.php in the method upload file on the row 130 you have the following code:
if(file_exists(UPLOAD_DIR.$name) && !isset($_REQUEST[“chunks”]))
$filename = time().’wpdm_’.$name;
else
$filename = $name;

//$filename = esc_html($filename);
if(get_option(‘__wpdm_sanitize_filename’, 0) == 1)
$filename = sanitize_file_name($filename);
else {
$filename = str_replace([“/”, “\\”], “_”, $filename);
}

As it looks to me that you are not able to understand your own code, yes I am really pissed of by now, i will once again explain what it does to you!

This lines of code checks if there is already a file in the upload directory with the name $name. If it is you timestamp the file to stor and ad a wpdm_ part of the name. If it does not exist you will give the $filename variable the value of $name.
if(file_exists(UPLOAD_DIR.$name) && !isset($_REQUEST[“chunks”]))
$filename = time().’wpdm_’.$name;
else
$filename = $name;

In this part of the code you are sanitizeing the filename that option is clicked or change some non wanted characters. This will result in that you might change the value of the variable $filename. The check if the file did exist above is a total waste of time because you are not storing the file by the value you checked if it did exist.
if(get_option(‘__wpdm_sanitize_filename’, 0) == 1)
$filename = sanitize_file_name($filename);
else {
$filename = str_replace([“/”, “\\”], “_”, $filename);
}

The solution is pretty simple, just change the order, first sanitize then check if the file with the sanitized name exist.
$filename = $name;
if(get_option(‘__wpdm_sanitize_filename’, 0) == 1)
$filename = sanitize_file_name($filename);
else {
$filename = str_replace([“/”, “\\”], “_”, $filename);
}

if(file_exists(UPLOAD_DIR.$filename) && !isset($_REQUEST[“chunks”]))
$filename = time().’wpdm_’.$filename;

Please implement that change now! I reported the bug six months ago!