0009454: upload a file with his name or a hash conversion ?

ID	Project	Category	View Status	Date Submitted	Last Update
0009454	mantisbt	preferences	public	2008-07-30 03:27	2008-08-03 03:01

Reporter	nico95	Assigned To
Priority	normal	Severity	minor	Reproducibility	N/A
Status	new	Resolution	open
Product Version	1.1.1

Summary	0009454: upload a file with his name or a hash conversion ?
Description	I change the code in core\file_api.php in line 632 (version 1.1.1) to store the file with its real name, not with a hash. Is it possible to allow this or not by a parameters in config.inc.php ? my code : //NPL : garde le nom du document joint à une demande //$t_file_hash = ( 'bug' == $p_table ) ? $t_bug_id : config_get( 'document_files_prefix' ) . '-' . $t_project_id; //$t_disk_file_name = $t_file_path . file_generate_unique_name( $t_file_hash . '-' . $p_file_name, $t_file_path ); $t_disk_file_name = $t_file_path.$p_file_name; //-NPL
Tags	No tags attached.

thraxisp 2008-07-30 22:59 reporter ~0018948	Filenames for uploads were hashed to prevent access to specific files if the web server security was compromised.

nico95 2008-07-31 03:22 reporter ~0018949	Ok, I saw the bug 0003540. But I think if the directory of the uploaded files is not in the web server root, the file name could be not "hashed". For any users of my society, they need to organize the structure of the directorys in clear. So I think it will be an interesting parameter...

VYu 2008-07-31 09:52 reporter ~0018957	As for me, I have changed file_api.php code to ADD hash to the real file name: so probably (or I'm wrong?) nobody can guess full filename and access is prevented, but on the other side I can find a file by its name.

nico95 2008-08-03 03:01 reporter ~0019012	Great and good ideae. Why not propose the format of the file to store in config.inc.php ? hash only hash and orignal file name original file name only ...