When downloading a photo with an ampersand in it (assuming your file system driver didn't remove it upon import), the renderImmediate function in DownloadItem.inc considers the file name to be "malicious".
/* Don't allow malicious URLs */
$fileName = GalleryUtilities::getRequestVariables('fileName');
if (!empty($fileName) && $fileName != $pseudoFileName) {
return GalleryCoreApi::error(GALLERY_ERROR, __FILE__, __LINE__, 'malicious url');
}
In this code, after getting the result from getRequestVariables, we should insert:
GalleryUtilities::unsanitizeInputValues($fileName);
cause otherwise getRequestVariables would return a variable with HTML-encoded characters.
Logged In: YES
user_id=70034
Originator: NO
Thanks for the report. However, G2 does not allow & < > " characters in item path components, so there should not be any valid case where & is in $pseudoFileName.