Sounds good. I'll be improving this for the 0.16.0 release when I also get db upload/download working.

Uploading to the same directory where all .php files are stored is a serious security hazard: Anybody could upload a .php file and then execute it...

Thanks, noted.

What is the status of this ?
0.16.0 already passed by.
Right now, the upload to disk is messy.

upload to database does work well.

Since the project name can be changed, I think it's necesary to use the id number instead.

$MANTIS/uploads/projects/34/files

where 34 is the project id, which remains constant

Some of these concerns have been answered, the rest we should probably still look into (i.e. removing uploaded files, if that isn't already implemented).

Looks like the feature I reported (0004627) is related to this one... However, in aarjona's description... he talks about $MANTIS/uploads/projects (I'll call this $UPLOADS_BASE_DIR). I really think that location should be configurable in the config file... so that all projects save files to the same place, and the path in $UPLOADS_BASE_DIR isn't written to the database. That way you can move where your files are saved by changing $UPLOADS_BASE_DIR and the database doesnt have the full path to where the file "used" to be.

Probably not the right place to put this quesion, but:

Is there a good reason, why the the filenames that are generated are
first carefully composed out of bug-id and filename
and the smashed by "file_generate_unique_name" (core/file_api.h:532, in 0.19.1) into an md5 number like 00cb38b57904cbca220ced20a3e2508.

I would prefer to see the original file name.

http://cvs.sourceforge.net/viewcvs.py/mantisbt/mantisbt/core/file_api.php?r1=1.52&r2=1.53

I saw in CVS that this is considered a security issue, as one could upload a file and executed it. Obviously it is safer if the files are not uploaded to a directory that could be accessed via www, but this has to be assured by the configuration so it is probably better, to fix is issue even for bad configurations.

My suggestion would be:

Append the filename with an md5 sum. So one can see the original filename and still there is no security problem.

replace in file_api.php
<pre>
$t_disk_file_name = $t_file_path . file_generate_unique_name( $t_file_hash . '-' . $p_file_name, $t_file_path );
</pre>

by:

<pre>
$t_disk_file_name = $t_file_path . $t_file_hash . '-' . file_generate_unique_name( $p_file_name, $t_file_path ) . '-' . $p_file_name ;
</pre>

(The above lines are wrapped by a mantis preformatted text bug 0004762)

at 0001063:0006853:
If you press "Delete" at an attached file, it is deleted on the disk. So this works. Is this the thing you ment?

I'm resolving this issue as "no change required" - I believe the functionality described in this issue is actually implemented in the latest versions of Mantis - albeit, you need to use the per-project configuration to set custom paths for each project.

In addition this was added before the ability to save files in the database existed, so may be less relevant in a modern mantis installation.

Thanks
Paul (paul@mantisforge.org)