We have a client who uploaded a few files with names like the following:

  • 49ers%20mat.jpg
  • bucs%20mat.jpg
  • chargers%20mat.jpg
  • eagles%20mat.jpg
  • rams%20mat.jpg
  • steelers%20mat.jpg

My guess is that when the user downloaded the images originally, they used IE, which stupidly does not url-decode the file names before providing the user with the default file name in the "Save" box.

Regardless of how the images got filenames like that, they wreak havoc with ImageCache. After uploading the images, ImageCache does not generate thumbnails and errors like the following appear in the watchdog log every time a page containing them is viewed:

404: Unable to find files/chargers mat.jpg

When I renamed the files on the server, replacing "%20" with spaces, the thumbnail images displayed correctly, but then FileField produced warnings that it could no longer locate the files.

It appears that ImageCache is unescaping the filename string from what is stored in the database, which is not safe if an escape sequence is part of the filename.

Members fund testing for the Drupal project. Drupal Association Learn more


GuyPaddock’s picture

GuyPaddock’s picture

GuyPaddock’s picture

Status: Active » Needs review
4.14 KB

Attached is a patch to correct the issue. Unlike the approach taken by similar issues, this solution does not require an .htaccess change, nor does it affect the naming of files during upload. Instead, it parses the raw image path out of the request URI, allowing the special characters in image filenames to be preserved, without Apache escaping them.

The patch was tested (and passed) with:

  • Public file uploads
  • Private file uploads
  • Files with no spaces or special characters in file name.
  • Files with spaces in file name.
  • Files with plus signs in file name.
  • Files with escaped characters like "%20" in file name.
  • File names that differ only by escaped characters (i.e. "My file.jpg" and "My%20file.jpg").

I wasn't able to test it with clean URLs disabled. I assume it's related to #410200: Without clean URLs ImageCache doesn't create folders or images.

dafeder’s picture

Worked for me - filenames without spaces were failing and now they work fine, no flush or cache clear necessary.

bluegray’s picture


codevoice’s picture


Anonymous’s picture


mahesh e p’s picture

880098_handle_escaped_filenames.patch solves the problem. thanks

i couldn't review the logic. all i came up with >
why do you need "return $result;" at the end of the function _imagecache_extract_preset_and_path_from_uri(&$preset, &$path)

bluegray’s picture

I have a separate issue related to this one. A file with the name file%20name[1].gif is uploaded. The browser requests file%20name%5B1%5D.gif which returns a not found error.

I'm not sure where this should be fixed though...

GuyPaddock’s picture

Attached, please find a revised patch that addresses two issues with the "_imagecache_extract_preset_and_path_from_uri()" function that was provided in the original patch:
- The regular expression that extracts the file paths was not stripping the trailing query string, causing ImageCache preset previews to return 404 errors. This has been corrected so that trailing query strings are stripped.
- Removed the superfluous "return $result;" statement at the end.

If you have already applied the patch from #3, you'll need to reverse it and apply this one instead.

AndyF’s picture


fizk’s picture

Issue tags: +ImageCache 2.x Todo

Marking as ImageCache 2.x Todo.

nicholasruunu’s picture

I'm getting the same problem with åäö, which pretty much all swedish people use.

arski’s picture

or just install transliteration module :p seems to work like magic

lookatyeti’s picture

Version: 6.x-2.0-beta10 » 6.x-2.0-rc1
4.14 KB

Here is an updated patch for the 6.x-2.0-rc1 release.

hllvd’s picture

when you install transliteration module you execute this snipet

 if (module_exists('transliteration')) {
      $filename = transliteration_clean_filename($filename);
    return $output_dir . '/' . $file->fid . '-' .  $filename . '.jpg';

intead of:

return $output_dir . '/' . md5('pdfpreview' . $file->fid) . '.jpg';  

I solve installing transliteration module