View Issue Details

ID: 0001063 | Project: mantisbt | Category: installation | View Status: public | Last Update: 2014-10-02 18:21
Reporter: aarjona | Assigned To: grangeway
Status: closed | Resolution: no change required
Summary: 0001063: About file uploads

I think the following folder should be created at installation:

When a new project is created, say "New Website", the following folders are created automatically.

The project upload path should default to $MANTIS/uploads/projects/new_website, but making the /uploads/projects part not editable from the textbox.

I think that would lessen the possibility of shooting oneself in the foot.

Also would be nice if when deleting the project there was a checkbox saying "Delete uploaded files folder?"

Tags: No tags attached.


related to 0007186 (acknowledged): Auto generate upload directories
related to 0012942 (closed, dregad): Can't update project documentation file
child of 0004181 (closed): Features in Mantis 1.1 release




2001-10-29 08:56

reporter   ~0001504

Sounds good. I'll be improving this for the 0.16.0 release when I also get db upload/download working.



2001-11-13 01:22

reporter   ~0001575

Uploading to the same directory where all .php files are stored is a serious security hazard: Anybody could upload a .php file and then execute it...



2001-11-13 20:48

reporter   ~0001582

Thanks, noted.



2002-08-30 02:25

reporter   ~0003205

What is the status of this?
0.16.0 already passed by.
Right now, the upload to disk is messy.



2002-08-30 05:47

reporter   ~0003209

Upload to database does work well.



2002-08-30 07:45

reporter   ~0003211

Since the project name can be changed, I think it's necessary to use the id number instead.


where 34 is the project id, which remains constant



2004-08-09 05:10

reporter   ~0006853

Some of these concerns have been answered, the rest we should probably still look into (i.e. removing uploaded files, if that isn't already implemented).



2004-10-15 09:39

reporter   ~0008057

Looks like the feature I reported (0004627) is related to this one... However, in aarjona's description... he talks about $MANTIS/uploads/projects (I'll call this $UPLOADS_BASE_DIR). I really think that location should be configurable in the config file... so that all projects save files to the same place, and the path in $UPLOADS_BASE_DIR isn't written to the database. That way you can move where your files are saved by changing $UPLOADS_BASE_DIR and the database doesn't have the full path to where the file "used" to be.



2004-11-09 05:45

reporter   ~0008299

Last edited: 2004-11-09 05:53

Probably not the right place to put this question, but:

Is there a good reason why the filenames that are generated are first carefully composed out of bug-id and filename and then smashed by "file_generate_unique_name" (core/file_api.h:532, in 0.19.1) into an md5 number like 00cb38b57904cbca220ced20a3e2508?

I would prefer to see the original file name.

I saw in CVS that this is considered a security issue, as one could upload a file and execute it. Obviously it is safer if the files are not uploaded to a directory that could be accessed via www, but this has to be assured by the configuration, so it is probably better to fix this issue even for bad configurations.

My suggestion would be:

Append the filename with an md5 sum. So one can see the original filename and still there is no security problem.

replace in file_api.php:

$t_disk_file_name = $t_file_path . file_generate_unique_name( $t_file_hash . '-' . $p_file_name, $t_file_path );

with:

$t_disk_file_name = $t_file_path . $t_file_hash . '-' . file_generate_unique_name( $p_file_name, $t_file_path ) . '-' . $p_file_name;

(The above lines are wrapped by a mantis preformatted text bug 0004762)
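The scheme proposed in the note above (a unique prefix followed by the original filename), written out as an added example; this is not MantisBT's file_api.php code. It uses a random prefix instead of the md5 hash, assumes the upload directory sits outside the web document root, and assumes the caller has already validated the upload itself (is_uploaded_file, size limits).

```php
<?php
// Added example, not MantisBT's own code. Builds an on-disk name that keeps the
// original filename visible while removing what made raw client names unsafe.
// Assumption: $upload_dir is outside the web document root (the ~0001575
// hazard is a .php landing in a directory the web server executes from).

function safe_disk_name(string $upload_dir, int $bug_id, string $orig_name): string
{
    // Discard any directory components supplied by the client (../, C:\ ...).
    $base = basename(str_replace('\\', '/', $orig_name));

    // Allow a conservative character set only; everything else becomes '_'.
    $base = preg_replace('/[^A-Za-z0-9._-]/', '_', $base);
    $base = ltrim($base, '.');             // no hidden or dot-only names
    if ($base === '') {
        $base = 'file';
    }
    $base = substr($base, 0, 100);         // bound the length

    // Defence in depth: if the name still ends in an extension a misconfigured
    // server might execute, append .txt so it is never treated as a script.
    if (preg_match('/\.(php\d?|phtml|phar|cgi|pl|sh)$/i', $base)) {
        $base .= '.txt';
    }

    // Random prefix gives uniqueness; bug id and original name stay readable.
    $prefix = bin2hex(random_bytes(16));
    $disk_name = $prefix . '-' . $bug_id . '-' . $base;

    // Final check: the resolved path must remain inside the upload directory.
    $dir = realpath($upload_dir);
    if ($dir === false) {
        throw new RuntimeException('upload directory does not exist');
    }
    $full = $dir . DIRECTORY_SEPARATOR . $disk_name;
    if (dirname($full) !== $dir) {
        throw new RuntimeException('path escaped upload directory');
    }
    return $full;
}

// Constructed sample input: a client-supplied name with a path prefix and a
// script extension, e.g. "../evil.php", becomes "<hex>-1063-evil.php.txt"
// inside $upload_dir.
echo safe_disk_name(sys_get_temp_dir(), 1063, '../evil.php'), PHP_EOL;
```

The returned path is what the attachment row should store; serving it back through a download script with Content-Disposition: attachment keeps the file from ever being executed or rendered in place.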



2004-11-09 05:58

reporter   ~0008300

at 0001063:0006853:
If you press "Delete" on an attached file, it is deleted on the disk. So this works. Is this the thing you meant?



2014-09-22 15:33

reporter   ~0041273

I'm resolving this issue as "no change required" - I believe the functionality described in this issue is actually implemented in the latest versions of Mantis - albeit, you need to use the per-project configuration to set custom paths for each project.

In addition this was added before the ability to save files in the database existed, so may be less relevant in a modern mantis installation.

Paul (