View Issue Details
| Field | Value |
|---|---|
| ID | 0001063 |
| Project | mantisbt |
| Category | installation |
| View Status | public |
| Date Submitted | 2001-10-29 06:30 |
| Last Update | 2014-10-02 18:21 |
| Reporter | aarjona |
| Assigned To | grangeway |
| Priority | normal |
| Severity | minor |
| Reproducibility | N/A |
| Status | closed |
| Resolution | no change required |
| Summary | 0001063: About file uploads |
| Tags | No tags attached. |

Description: I think the following folder should be created at installation: When a new project is created, say "New Website", the following folders are created automatically. The project upload path should default to $MANTIS/uploads/projects/new_website, but making the /uploads/projects part not editable from the textbox. I think that would lessen the possibility of shooting oneself in the foot. Also, it would be nice if when deleting the project there was a checkbox saying "Delete uploaded files folder?"
Sounds good. I'll be improving this for the 0.16.0 release when I also get db upload/download working.

Uploading to the same directory where all .php files are stored is a serious security hazard: Anybody could upload a .php file and then execute it...

Thanks, noted.

What is the status of this?

Upload to database does work well.

Since the project name can be changed, I think it's necessary to use the id number instead: $MANTIS/uploads/projects/34/files where 34 is the project id, which remains constant.

Some of these concerns have been answered, the rest we should probably still look into (i.e. removing uploaded files, if that isn't already implemented).

Looks like the feature I reported (0004627) is related to this one... However, in aarjona's description... he talks about $MANTIS/uploads/projects (I'll call this $UPLOADS_BASE_DIR). I really think that location should be configurable in the config file... so that all projects save files to the same place, and the path in $UPLOADS_BASE_DIR isn't written to the database. That way you can move where your files are saved by changing $UPLOADS_BASE_DIR and the database doesn't have the full path to where the file "used" to be.

Probably not the right place to put this question, but: Is there a good reason why the filenames that are generated are I would prefer to see the original file name. http://cvs.sourceforge.net/viewcvs.py/mantisbt/mantisbt/core/file_api.php?r1=1.52&r2=1.53 I saw in CVS that this is considered a security issue, as one could upload a file and execute it. Obviously it is safer if the files are not uploaded to a directory that could be accessed via www, but this has to be assured by the configuration, so it is probably better to fix this issue even for bad configurations. My suggestion would be: Append the filename with an md5 sum. So one can see the original filename and still there is no security problem. replace in file_api.php by: (The above lines are wrapped by a mantis preformatted text bug 0004762)

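The storage scheme the notes above propose (keep the original file name but append an md5 sum, and store under a per-project-id directory rather than a renameable project name), as an added illustration that is not code from MantisBT's file_api.php or from any commenter. The base directory, the choice to hash the file content, and the function names are assumptions made for the example.

```python
import hashlib
import posixpath
import re

# Hypothetical base directory, assumed to sit OUTSIDE the web root
# (the $UPLOADS_BASE_DIR of the note above); not a MantisBT setting.
UPLOADS_BASE_DIR = "/var/lib/mantis_uploads/projects"

# Only a conservative character set survives in the stored name.
_UNSAFE_CHARS = re.compile(r"[^A-Za-z0-9._-]")


def sanitize_basename(original_name: str) -> str:
    """Drop directory components (either separator style) and unsafe characters."""
    base = original_name.replace("\\", "/").split("/")[-1]
    base = _UNSAFE_CHARS.sub("_", base).strip(".")
    return base or "file"


def stored_name(original_name: str, content: bytes) -> str:
    """Sanitized original name with the md5 of the content appended.

    The name stays recognisable to users, while an uploaded 'shell.php'
    no longer ends in '.php'. This is defence in depth only: the primary
    protection is still that UPLOADS_BASE_DIR is not served by the web server.
    """
    digest = hashlib.md5(content).hexdigest()
    return f"{sanitize_basename(original_name)}-{digest}"


def upload_path(project_id: int, original_name: str, content: bytes) -> str:
    """Absolute path under <base>/<project id>/files/, since project ids are
    stable while project names can be changed (as noted in the thread)."""
    if not isinstance(project_id, int) or project_id <= 0:
        raise ValueError("project id must be a positive integer")
    target = posixpath.join(UPLOADS_BASE_DIR, str(project_id), "files",
                            stored_name(original_name, content))
    # Belt and braces: the normalised path must remain under the base directory.
    if not posixpath.normpath(target).startswith(UPLOADS_BASE_DIR + "/"):
        raise ValueError("path escapes the upload base directory")
    return target
```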
at 0001063:0006853:

I'm resolving this issue as "no change required" - I believe the functionality described in this issue is actually implemented in the latest versions of Mantis - albeit, you need to use the per-project configuration to set custom paths for each project. In addition this was added before the ability to save files in the database existed, so may be less relevant in a modern mantis installation. Thanks