Can't upload macOS screenshots with default filename due to no_double_extension check #1910

New Issue

Closed

opened 2026-02-05 02:11:06 +03:00 by OVERLORD · 1 comment

OVERLORD commented 2026-02-05 02:11:06 +03:00

Owner

Copy Link

Originally created by @abulgatz on GitHub (Oct 20, 2020).

Describe the bug
Mac screenshots taken with control + command + shift + 3 (or 4) are automatically saved to the desktop as a png with filename: Screen Shot YYYY-MM-DD at HH.MM.SS AM.png.

The extra periods in the filename fail the no_double_extension check the Bookstack runs on all uploaded images, so macOS screenshots can't be uploaded to Bookstack without renaming them.

Steps To Reproduce
Steps to reproduce the behavior:

1. On macOS
2. Take a screenshot with control + command + shift + 3 or control + command + shift + 4
3. Edit any page in Bookstack
4. Insert image
5. Click to upload
6. Try to upload the screenshot just taken from the Desktop
7. Error: "The file must only have a single file extension"

Expected behavior
Bookstack shouldn't care about extra dots in a filename.

Screenshots

Additional context
I don't think there's any reason that Bookstack should care about periods in a filename. If Bookstack needs an extension, it's easy enough to grab any text after the last dot. Is there something that would break if the no_double_extension was just removed? I can't think of any other web or desktop apps that reject extra periods in a filename.

Originally created by @abulgatz on GitHub (Oct 20, 2020). **Describe the bug** Mac screenshots taken with <kbd>control</kbd> + <kbd>command</kbd> + <kbd>shift</kbd> + <kbd>3</kbd> (or <kbd>4</kbd>) are automatically saved to the desktop as a png with filename: `Screen Shot YYYY-MM-DD at HH.MM.SS AM.png`. The extra periods in the filename fail the `no_double_extension` check the Bookstack runs on all uploaded images, so macOS screenshots can't be uploaded to Bookstack without renaming them. **Steps To Reproduce** Steps to reproduce the behavior: 1. On macOS 2. Take a screenshot with <kbd>control</kbd> + <kbd>command</kbd> + <kbd>shift</kbd> + <kbd>3</kbd> or <kbd>control</kbd> + <kbd>command</kbd> + <kbd>shift</kbd> + <kbd>4</kbd> 2. Edit any page in Bookstack 3. Insert image 4. Click to upload 5. Try to upload the screenshot just taken from the Desktop 6. Error: "The file must only have a single file extension" **Expected behavior** Bookstack shouldn't care about extra dots in a filename. **Screenshots** <img width="200" alt="image" src="https://user-images.githubusercontent.com/1438193/96538723-d124ae80-125e-11eb-8576-639e356657de.png"> **Additional context** I don't think there's any reason that Bookstack should care about periods in a filename. If Bookstack needs an extension, it's easy enough to grab any text after the last dot. Is there something that would break if the `no_double_extension` was just removed? I can't think of any other web or desktop apps that reject extra periods in a filename.

OVERLORD added the :cat2:🐈 Possible duplicate label 2026-02-05 02:11:06 +03:00

OVERLORD closed this issue 2026-02-05 02:11:07 +03:00

OVERLORD commented 2026-02-05 02:11:12 +03:00

Author

Owner

Copy Link

@ssddanbrown commented on GitHub (Dec 11, 2020):

Thanks for reporting this @abulgatz.
Since this is already open under #2217 I'm going to close this off as a duplicate.

The no_double_extension check is done on purpose to avoid a range of potential path-based attacks in addition to avoiding some potential attacks based off of how Apache can interpret some file name/extension formats.

It was a rather hastily added patch though when needing to do so in the name of security. As said in #2217, We could probably do better by just replacing/removing any additional periods within the name.

@ssddanbrown commented on GitHub (Dec 11, 2020): Thanks for reporting this @abulgatz. Since this is already open under #2217 I'm going to close this off as a duplicate. The `no_double_extension` check is done on purpose to avoid a range of potential path-based attacks in addition to avoiding some potential attacks based off of how Apache can interpret some file name/extension formats. It was a rather hastily added patch though when needing to do so in the name of security. As said in #2217, We could probably do better by just replacing/removing any additional periods within the name.

OVERLORD referenced this issue 2026-02-05 04:40:37 +03:00

[Feature Request]: Stay logged in button #2633

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

development

l10n_development

further_theme_development

release

llm_only

vectors

v25-11

docker_env

drawio_rendering

user_permissions

ldap_host_failover

svg_image

prosemirror

captcha_example

fix/video-export

v25.12.3

v25.12.2

v25.12.1

v25.12

v25.11.6

v25.11.5

v25.11.4

v24.11.4

v25.11.3

v25.11.2

v25.11.1

v25.11

v25.07.3

v25.07.2

v25.07.1

v25.07

v25.05.2

v25.05.1

v25.05

v25.02.5

v25.02.4

v25.02.3

v25.02.2

v25.02.1

v25.02

v24.12.1

v24.12

v24.10.3

v24.10.2

v24.10.1

v24.10

v24.05.4

v24.05.3

v24.05.2

v24.05.1

v24.05

v24.02.3

v24.02.2

v24.02.1

v24.02

v23.12.3

v23.12.2

v23.12.1

v23.12

v23.10.4

v23.10.3

v23.10.2

v23.10.1

v23.10

v23.08.3

v23.08.2

v23.08.1

v23.08

v23.06.2

v23.06.1

v23.06

v23.05.2

v23.05.1

v23.05

v23.02.3

v23.02.2

v23.02.1

v23.02

v23.01.1

v23.01

v22.11.1

v22.11

v22.10.2

v22.10.1

v22.10

v22.09.1

v22.09

v22.07.3

v22.07.2

v22.07.1

v22.07

v22.06.2

v22.06.1

v22.06

v22.04.2

v22.04.1

v22.04

v22.03.1

v22.03

v22.02.3

v22.02.2

v22.02.1

v22.02

v21.12.5

v21.12.4

v21.12.3

v21.12.2

v21.12.1

v21.12

v21.11.3

v21.11.2

v21.11.1

v21.11

v21.10.3

v21.10.2

v21.10.1

v21.10

v21.08.6

v21.08.5

v21.08.4

v21.08.3

v21.08.2

v21.08.1

v21.08

v21.05.4

v21.05.3

v21.05.2

v21.05.1

v21.05

v21.04.6

v21.04.5

v21.04.4

v21.04.3

v21.04.2

v21.04.1

v21.04

v0.31.8

v0.31.7

v0.31.6

v0.31.5

v0.31.4

v0.31.3

v0.31.2

v0.31.1

v0.31.0

v0.30.7

v0.30.6

v0.30.5

v0.30.4

v0.30.3

v0.30.2

v0.30.1

v0.30.0

v0.29.3

v0.29.2

v0.29.1

v0.29.0

v0.28.3

v0.28.2

v0.28.1

v0.28.0

v0.27.5

v0.27.4

v0.27.3

v0.27.2

v0.27.1

v0.27

v0.26.4

v0.26.3

v0.26.2

v0.26.1

v0.26.0

v0.25.5

v0.25.4

v0.25.3

v0.25.2

v0.25.1

v0.25.0

v0.24.3

v0.24.2

v0.24.1

v0.24.0

v0.23.2

v0.23.1

v0.23.0

v0.22.0

v0.21.0

v0.20.3

v0.20.2

v0.20.1

v0.20.0

v0.19.0

v0.18.5

v0.18.4

v0.18.3

v0.18.2

v0.18.1

v0.18.0

v0.17.4

v0.17.3

v0.17.2

v0.17.1

v0.17.0

v0.16.3

v0.16.2

v0.16.1

v0.16.0

v0.15.3

v0.15.2

v0.15.1

v0.15.0

v0.14.3

v0.14.2

v0.14.1

v0.14.0

v0.13.1

v0.13.0

v0.12.2

v0.12.1

v0.12.0

v0.11.2

v0.11.1

v0.11.0

v0.10.0

v0.9.3

v0.9.2

v0.9.1

v0.9.0

v0.8.2

v0.8.1

v0.8.0

v0.7.6

v0.7.5

v0.7.4

v0.7.3

0.7.2

v.0.7.1

v0.7.0

v0.6.3

v0.6.2

v0.6.1

v0.6.0

v0.5.0

Labels

Clear labels

🎨 Design

📖 Docs Update

🐛 Bug

🐛 Bug

:cat2:🐈 Possible duplicate

💿 Database

☕ Open to discussion

💻 Front-End

🐕 Support

🚪 Authentication

🌍 Translations

🔌 API Task

🏭 Back-End

⛲ Upstream

🔨 Feature Request

🛠️ Enhancement

🛠️ Enhancement

🛠️ Enhancement

❤️ Happy feedback

🔒 Security

🔍 Pending Validation

💆 UX

📝 WYSIWYG Editor

🌔 Out of scope

🔩 API Request

:octocat: Admin/Meta

🖌️ View Customization

❓ Question

🚀 Priority

🛡️ Blocked

🚚 Export System

♿ A11y

🔧 Maintenance

> Markdown Editor

No Label :cat2:🐈 Possible duplicate

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

OVERLORD

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/BookStack#1910