Erik Turesson

Hello!

I am using the free version numbered 3.2.55.
As described many times before in this thread you are not understanding your own code.
I am a programmer since more than 30 years and the bug is a really beginners bug.

In the file src/Admin/Menu/Packages.php in the method upload file on the row 130 you have the following code:
if(file_exists(UPLOAD_DIR.$name) && !isset($_REQUEST[“chunks”]))
$filename = time().’wpdm_’.$name;
else
$filename = $name;

//$filename = esc_html($filename);
if(get_option(‘__wpdm_sanitize_filename’, 0) == 1)
$filename = sanitize_file_name($filename);
else {
$filename = str_replace([“/”, “\\”], “_”, $filename);
}

As it looks to me that you are not able to understand your own code, yes I am really pissed of by now, i will once again explain what it does to you!

This lines of code checks if there is already a file in the upload directory with the name $name. If it is you timestamp the file to stor and ad a wpdm_ part of the name. If it does not exist you will give the $filename variable the value of $name.
if(file_exists(UPLOAD_DIR.$name) && !isset($_REQUEST[“chunks”]))
$filename = time().’wpdm_’.$name;
else
$filename = $name;

In this part of the code you are sanitizeing the filename that option is clicked or change some non wanted characters. This will result in that you might change the value of the variable $filename. The check if the file did exist above is a total waste of time because you are not storing the file by the value you checked if it did exist.
if(get_option(‘__wpdm_sanitize_filename’, 0) == 1)
$filename = sanitize_file_name($filename);
else {
$filename = str_replace([“/”, “\\”], “_”, $filename);
}

The solution is pretty simple, just change the order, first sanitize then check if the file with the sanitized name exist.
$filename = $name;
if(get_option(‘__wpdm_sanitize_filename’, 0) == 1)
$filename = sanitize_file_name($filename);
else {
$filename = str_replace([“/”, “\\”], “_”, $filename);
}

if(file_exists(UPLOAD_DIR.$filename) && !isset($_REQUEST[“chunks”]))
$filename = time().’wpdm_’.$filename;

Please implement that change now! I reported the bug six months ago!

I can see that you have made a number of releases of the Download Manager but this error still exists in the code!
Why?
Do you not understand what the problem is?

Are there any updates regarding the progress of this bug?

So please read my posts and your code very carefully and then you will hopefully understand what the problem is.

One more clarification:
You will never get a file named “165123456pdm_01. My File.pdf” if the later sanitize of else part of that if changes the name of the file.

You perform a file exists check against “01. My File.pdf” but you store the file with the name “01_My_File.pdf”
The next time I submit a file named “01. My File.pdf” it will still not exist and then you once again store the file as “01_My_File.pdf”.
A non detected overwrite! 🙁
Both in the free as well as in the PRO version

Now I have been out skiing cross country and been thinking of the problem.
I have found out that this a critical error that you have to fix at once.

If you not move the code:
if(get_option(‘__wpdm_sanitize_filename’, 0) == 1){
$filename = sanitize_file_name($name);
}else {
$filename = str_replace([“/”, “\\”], “_”, $name);
}

The file exists check you will always have an overwrite of the file if the code changes the value of $filename
In the PRO version as I think that you have much the same server code the checkbox about Overwrite file is obsolete.
It does not matter how the user checks it or not, overwrite is the case.
In the free version where that checkbox does not exist it is always overwrite too.

This behaviour can cause much damage to the user that thinks that he is uploading a new file not replacing an existing one.
Your file exist check checks against a filename that will never exist.

In the file download-manager\src\Admin\Menu\Packages.php
Change this code:
if(file_exists(UPLOAD_DIR.$name) && get_option(‘__wpdm_overwrrite_file’,0)==1){
@unlink(UPLOAD_DIR.$name);
}
if(file_exists(UPLOAD_DIR.$name) && !isset($_REQUEST[“chunks”]))
$filename = time().’wpdm_’.$name;
else
$filename = $name;

/$filename = esc_html($filename);

if(get_option(‘__wpdm_sanitize_filename’, 0) == 1)
$filename = sanitize_file_name($filename);
else {
$filename = str_replace([“/”, “\\”], “_”, $filename);
}

To this:
if(get_option(‘__wpdm_sanitize_filename’, 0) == 1){
$filename = sanitize_file_name($name);
}else {
$filename = str_replace([“/”, “\\”], “_”, $name);
}

if(file_exists(UPLOAD_DIR.$filename) && get_option(‘__wpdm_overwrrite_file’,0)==1){
@unlink(UPLOAD_DIR.$filename);
}
if(file_exists(UPLOAD_DIR.$filename) && !isset($_REQUEST[“chunks”])){
$filename = time().’wpdm_’.$filename;
}

Yes I have understood that but I think that giving an error saying that this file already exists is not a PRO feature.
I have no demand for any other option. Just stop users from damage already uploaded files.

Previously I thought that your directory structure was something like the medialibrary structure, but now I have found out that you only have one single directory.