View Issue Details

ID: 0001063
Project: mantisbt
Category: installation
View Status: public
Last Update: 2014-10-02 18:21
Reporter: aarjona
Assigned To: grangeway
Priority: normal
Severity: minor
Reproducibility: N/A
Status: closed
Resolution: no change required
Summary: 0001063: About file uploads
Description

I think the following folder should be created at installation:
$MANTIS/uploads/projects

When a new project is created, say "New Website", the following folders are created automatically.
$MANTIS/uploads/projects/new_website/files
$MANTIS/uploads/projects/new_website/docs

The project upload path should default to $MANTIS/uploads/projects/new_website, but making the /uploads/projects part not editable from the textbox.

I think that would lessen the possibility of shooting oneself in the foot.

Also would be nice if when deleting the project there was a checkbox saying "Delete uploaded files folder?"

Tags: No tags attached.

Relationships

related to 0007186 (acknowledged) Auto generate upload directories
related to 0012942 (closed, dregad) Can't update project documentation file
child of 0004181 (closed) Features in Mantis 1.1 release

Activities

prescience  2001-10-29 08:56  reporter  ~0001504

Sounds good. I'll be improving this for the 0.16.0 release when I also get db upload/download working.

jacob  2001-11-13 01:22  reporter  ~0001575

Uploading to the same directory where all .php files are stored is a serious security hazard: Anybody could upload a .php file and then execute it...

prescience  2001-11-13 20:48  reporter  ~0001582

Thanks, noted.

bretrzaun  2002-08-30 02:25  reporter  ~0003205

What is the status of this?
0.16.0 has already passed by.
Right now, the upload to disk is messy.

brody  2002-08-30 05:47  reporter  ~0003209

Upload to database does work well.

aarjona  2002-08-30 07:45  reporter  ~0003211

Since the project name can be changed, I think it's necessary to use the id number instead.

$MANTIS/uploads/projects/34/files

where 34 is the project id, which remains constant.

jlatour  2004-08-09 05:10  reporter  ~0006853

Some of these concerns have been answered, the rest we should probably still look into (i.e. removing uploaded files, if that isn't already implemented).

kgrubbs  2004-10-15 09:39  reporter  ~0008057

Looks like the feature I reported (0004627) is related to this one... However, in aarjona's description... he talks about $MANTIS/uploads/projects (I'll call this $UPLOADS_BASE_DIR). I really think that location should be configurable in the config file... so that all projects save files to the same place, and the path in $UPLOADS_BASE_DIR isn't written to the database. That way you can move where your files are saved by changing $UPLOADS_BASE_DIR and the database doesn't have the full path to where the file "used" to be.

polzin  2004-11-09 05:45  reporter  ~0008299  (Last edited: 2004-11-09 05:53)

Probably not the right place to put this question, but:

Is there a good reason why the filenames that are generated are
first carefully composed out of bug-id and filename
and then smashed by "file_generate_unique_name" (core/file_api.h:532, in 0.19.1) into an md5 number like 00cb38b57904cbca220ced20a3e2508?

I would prefer to see the original file name.

http://cvs.sourceforge.net/viewcvs.py/mantisbt/mantisbt/core/file_api.php?r1=1.52&r2=1.53

I saw in CVS that this is considered a security issue, as one could upload a file and execute it. Obviously it is safer if the files are not uploaded to a directory that could be accessed via www, but this has to be assured by the configuration, so it is probably better to fix this issue even for bad configurations.

My suggestion would be:

Append the filename with an md5 sum. So one can see the original filename and there is still no security problem.

replace in file_api.php
<pre>
$t_disk_file_name = $t_file_path . file_generate_unique_name( $t_file_hash . '-' . $p_file_name, $t_file_path );
</pre>

by:

<pre>
$t_disk_file_name = $t_file_path . $t_file_hash . '-' . file_generate_unique_name( $p_file_name, $t_file_path ) . '-' . $p_file_name ;
</pre>

(The above lines are wrapped by a mantis preformatted text bug 0004762)
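The thread raises three separate points about on-disk attachments: jacob's warning that a file uploaded into a web-served directory can be requested and executed, kgrubbs's proposal to keep the upload base directory in configuration and store only a relative path in the database, and polzin's suggestion above to keep the original file name visible behind a hash prefix. The following PHP sketch is an added example written for this page; it is not MantisBT code and none of its names (`$g_upload_base_dir`, `sanitize_file_name`, `file_unique_disk_name`, `attachment_relative_path`, `attachment_absolute_path`) are MantisBT APIs. It assumes a base directory that is outside the web document root and uses the numeric project id for the per-project directory, as aarjona suggested.

```php
<?php
// Added example, not MantisBT code. All identifiers below are assumptions
// made for illustration of the scheme discussed in this thread.

// Assumed setting. In a real deployment this must be a directory the web
// server never serves (outside the document root), so that a stored file can
// be read back by the application but never executed by the web server.
// The temp dir is used here only so the example runs on its own.
$g_upload_base_dir = sys_get_temp_dir() . '/mantis-uploads-example';

// Reduce a client-supplied name to a conservative form: drop any directory
// components, keep only [A-Za-z0-9._-], and bound the length. The result is
// used only as a readable suffix, never as the thing that makes a name unique.
function sanitize_file_name( string $p_name ): string {
    $t_name = basename( str_replace( '\\', '/', $p_name ) );
    $t_name = preg_replace( '/[^A-Za-z0-9._-]+/', '_', $t_name );
    $t_name = trim( $t_name, '._-' );
    if ( $t_name === '' ) {
        $t_name = 'file';
    }
    return substr( $t_name, 0, 100 );
}

// Build a disk name of the form <md5 of content>-<n>-<sanitized original>,
// bumping <n> until the name is unused in $p_dir. md5 is used for naming only,
// matching the thread; it is not a security control here.
function file_unique_disk_name( string $p_dir, string $p_orig_name, string $p_content ): string {
    $t_hash = md5( $p_content );
    $t_base = sanitize_file_name( $p_orig_name );
    for ( $i = 0; ; $i++ ) {
        $t_candidate = $t_hash . '-' . $i . '-' . $t_base;
        if ( !file_exists( $p_dir . '/' . $t_candidate ) ) {
            return $t_candidate;
        }
    }
}

// Return the path to record in the database: relative to the configured base
// directory and keyed by project id, so moving the base directory later does
// not invalidate stored rows and renaming a project does not move its files.
function attachment_relative_path( int $p_project_id, string $p_orig_name, string $p_content ): string {
    global $g_upload_base_dir;
    $t_dir = $g_upload_base_dir . '/projects/' . $p_project_id . '/files';
    if ( !is_dir( $t_dir ) && !mkdir( $t_dir, 0750, true ) ) {
        throw new RuntimeException( 'cannot create upload directory ' . $t_dir );
    }
    return 'projects/' . $p_project_id . '/files/' . file_unique_disk_name( $t_dir, $p_orig_name, $p_content );
}

// Resolve a stored relative path against the base directory and refuse any
// result that does not stay inside it (for example a tampered database row).
function attachment_absolute_path( string $p_relative ): string {
    global $g_upload_base_dir;
    $t_base = realpath( $g_upload_base_dir );
    $t_full = realpath( $g_upload_base_dir . '/' . $p_relative );
    if ( $t_base === false || $t_full === false || strpos( $t_full, $t_base . '/' ) !== 0 ) {
        throw new RuntimeException( 'attachment path is outside the upload base directory' );
    }
    return $t_full;
}

// Usage with a constructed upload (not a real request). The client-chosen
// name contains a traversal attempt and a .php extension; only "evil.php"
// survives as a suffix, and the file lands where the web server cannot run it.
$t_content  = "<?php echo 'constructed sample'; ?>";
$t_relative = attachment_relative_path( 34, '../../evil.php', $t_content );
file_put_contents( $g_upload_base_dir . '/' . $t_relative, $t_content );
echo $t_relative, "\n";                          // projects/34/files/<md5>-0-evil.php
echo attachment_absolute_path( $t_relative ), "\n";
```

Two design points worth noting. Keeping the original name as a suffix does not by itself make a stored `.php` file safe, which is why the base directory must sit outside the document root regardless of how the name is generated, as the CVS note polzin cites says. And `attachment_absolute_path` re-checks containment on every read rather than trusting the stored row, which is cheap and catches both traversal in a database value and a misconfigured base directory.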

polzin  2004-11-09 05:58  reporter  ~0008300

at 0001063:0006853:
If you press "Delete" at an attached file, it is deleted on the disk. So this works. Is this the thing you meant?

grangeway  2014-09-22 15:33  reporter  ~0041273

I'm resolving this issue as "no change required" - I believe the functionality described in this issue is actually implemented in the latest versions of Mantis - albeit, you need to use the per-project configuration to set custom paths for each project.

In addition this was added before the ability to save files in the database existed, so may be less relevant in a modern mantis installation.

Thanks
Paul (paul@mantisforge.org)

Issue History

Date Modified Username Field Change
2004-08-09 05:10 jlatour Note Added: 0006853
2004-08-09 05:11 jlatour Relationship added child of 0004181
2004-10-15 09:39 kgrubbs Note Added: 0008057
2004-11-09 05:45 polzin Note Added: 0008299
2004-11-09 05:46 polzin Note Edited: 0008299
2004-11-09 05:53 polzin Note Edited: 0008299
2004-11-09 05:58 polzin Note Added: 0008300
2009-05-31 12:19 grangeway Assigned To prescience =>
2009-05-31 12:19 grangeway Status assigned => acknowledged
2011-12-31 11:22 dregad Relationship added related to 0007186
2012-08-08 09:59 dregad Relationship added related to 0012942
2014-09-22 15:33 grangeway Note Added: 0041273
2014-09-22 15:33 grangeway Status acknowledged => resolved
2014-09-22 15:33 grangeway Resolution open => no change required
2014-09-22 15:33 grangeway Assigned To => grangeway
2014-10-02 18:21 atrol Status resolved => closed