View Issue Details

ID: 0009454
Project: mantisbt
Category: preferences
View Status: public
Last Update: 2008-08-03 03:01
Reporter: nico95
Assigned To:
Status: new
Resolution: open
Product Version: 1.1.1
Summary: 0009454: upload a file with his name or a hash conversion ?

I changed the code in core\file_api.php at line 632 (version 1.1.1) to store the file with its real name, not with a hash.

Is it possible to allow this or not by a parameter in ?

My code:
//NPL: keep the name of the document attached to a request
//$t_file_hash = ( 'bug' == $p_table ) ? $t_bug_id : config_get( 'document_files_prefix' ) . '-' . $t_project_id;
//$t_disk_file_name = $t_file_path . file_generate_unique_name( $t_file_hash . '-' . $p_file_name, $t_file_path );
$t_disk_file_name = $t_file_path.$p_file_name;

Tags: No tags attached.


Related to: 0003540 (closed, thraxisp) Arbitrary code execution through uploads




2008-07-30 22:59

reporter   ~0018948

Filenames for uploads were hashed to prevent access to specific files if the web server security was compromised.



2008-07-31 03:22

reporter   ~0018949

Ok, I saw the bug 0003540.
But I think if the directory of the uploaded files is not in the web server root, the file name could be not "hashed".

For any users of my society, they need to organize the structure of the directories in clear.

So I think it will be an interesting parameter...



2008-07-31 09:52

reporter   ~0018957

As for me, I have changed file_api.php code to ADD hash to the real file name: so probably (or I'm wrong?) nobody can guess full filename and access is prevented, but on the other side I can find a file by its name.



2008-08-03 03:01

reporter   ~0019012

Great and good idea. Why not propose the format of the file to store in ?
hash only
hash and original file name
original file name only
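
The three storage formats listed in the note above (hash only, hash and original file name, original file name only), sketched as an added example that is not part of this thread or of MantisBT's code. The function names, the mode strings and the web-root parameter are assumptions; plain names are accepted only when the upload directory resolves outside the web server root, the condition raised in note ~0018949.

```php
<?php
// Added illustration: function and mode names are hypothetical, not MantisBT's API.
// Reduce a client-supplied file name to one safe path component.
function sanitize_upload_name( string $p_name ): string {
    // Drop any directory part; treat both '/' and '\' as separators.
    $t_name = basename( str_replace( '\\', '/', $p_name ) );
    // Conservative character set; everything else becomes '_'.
    $t_name = preg_replace( '/[^A-Za-z0-9._-]/', '_', $t_name );
    $t_name = ltrim( $t_name, '.' ); // no leading dots: no '..', no hidden files
    return ( $t_name === '' ) ? 'unnamed' : substr( $t_name, 0, 100 );
}

// True when $p_dir is $p_root itself or lies below it (both already resolved).
function is_inside( string $p_dir, string $p_root ): bool {
    $t_root = rtrim( $p_root, DIRECTORY_SEPARATOR ) . DIRECTORY_SEPARATOR;
    return strncmp( $p_dir . DIRECTORY_SEPARATOR, $t_root, strlen( $t_root ) ) === 0;
}

// $p_mode is 'hash', 'hash_name' or 'name': the three formats proposed in the thread.
function upload_disk_path( string $p_mode, string $p_dir, string $p_web_root, string $p_original ): string {
    $t_dir = realpath( $p_dir );
    $t_root = realpath( $p_web_root );
    if( $t_dir === false || $t_root === false ) {
        throw new RuntimeException( 'directory not found' );
    }
    $t_base = $t_dir . DIRECTORY_SEPARATOR;
    $t_clean = sanitize_upload_name( $p_original );
    $t_token = bin2hex( random_bytes( 16 ) ); // 128 random bits, independent of the name
    switch( $p_mode ) {
        case 'hash':
            return $t_base . $t_token;
        case 'hash_name':
            // Name stays searchable on disk; the token keeps the full path unguessable.
            return $t_base . $t_token . '-' . $t_clean;
        case 'name':
            // Predictable names only where the web server cannot serve the directory.
            if( is_inside( $t_dir, $t_root ) ) {
                throw new RuntimeException( 'plain file names require a directory outside the web root' );
            }
            // Never overwrite: prefix a counter on collision (create with fopen 'x' to close the race).
            $t_path = $t_base . $t_clean;
            for( $i = 1; file_exists( $t_path ); $i++ ) {
                $t_path = $t_base . $i . '-' . $t_clean;
            }
            return $t_path;
        default:
            throw new InvalidArgumentException( 'unknown mode' );
    }
}
```

Unlike the `$t_file_path.$p_file_name` concatenation in the report, the client-supplied name passes through `sanitize_upload_name()` before it reaches the path, so a name containing directory separators or `..` cannot leave the upload directory.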

Issue History

Date Modified Username Field Change
2008-07-30 03:27 nico95 New Issue
2008-07-30 22:59 thraxisp Note Added: 0018948
2008-07-30 22:59 thraxisp Relationship added related to 0003540
2008-07-31 03:22 nico95 Note Added: 0018949
2008-07-31 09:52 VYu Note Added: 0018957
2008-08-03 03:01 nico95 Note Added: 0019012