View Issue Details

ID: 0004661
Project: mantisbt
Category: documentation
View Status: public
Last Update: 2004-11-06 06:22
Reporter: PatPowerMan
Assigned To: thraxisp
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: no change required
Product Version: 0.19.0
Summary: 0004661: Path in file upload doesn't contain any backslashes in db
Description

If I upload a file to disk, the db-entry in the table mantis_project_file_table (field diskfile) doesn't contain any backslashes.

Additional Information

I work on a W2k3-Server with IIS6 and have configured the upload path in the project-settings.
Actually a path in the above field looks like this:
C:inetpubwwwrootphpmantisDokus12424741274223410d
it should be
c:\inetpub\wwwroot\php\mantis\Dokus\12424741274223410d

Tags: No tags attached.

Activities

PatPowerMan

2004-10-06 03:48

reporter   ~0007932

I think I've found the error (for my Win/IIS-environment only?):

If you change '$t_disk_file_name' to '$c_disk_file_name' in row 99 in the file 'proj_doc_add.php', the correct path will be written to the table 'mantis_project_file_table' (including backslashes).

I'm not sure if this is the right way for a possible solution. If not, please tell me how I should report it in the future. How could this be added in a next version?

Filename: proj_doc_add.php

Complete OLD row 99:
($t_project_id, '$c_title', '$c_description', '$t_disk_file_name', '$c_file_name', '$c_file_path', $c_file_size, '$c_file_type', " . db_now() .", '$c_content')";

Complete NEW row 99:
($t_project_id, '$c_title', '$c_description', '$c_disk_file_name', '$c_file_name', '$c_file_path', $c_file_size, '$c_file_type', " . db_now() .", '$c_content')";
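
An added example, not part of the original thread and not MantisBT code: it shows why a Windows path interpolated unescaped into a quoted SQL literal loses its backslashes, and why an escaped copy does not. It assumes a MySQL backend in its default mode and that the `$c_` prefix marks a value already escaped for the database; the function names are hypothetical.

```php
<?php
// Added illustration, not MantisBT code. Assumes a MySQL backend in its
// default mode, where backslash is the escape character in string literals.

// Hypothetical helper: decode the body of a quoted MySQL string literal
// the way the server does when it parses the statement.
function mysql_literal_value(string $body): string
{
    $special = ['0' => "\0", 'b' => "\x08", 'n' => "\n",
                'r' => "\r", 't' => "\t", 'Z' => "\x1a"];
    $out = '';
    $len = strlen($body);
    for ($i = 0; $i < $len; $i++) {
        $ch = $body[$i];
        if ($ch !== '\\' || $i + 1 === $len) {
            $out .= $ch;
            continue;
        }
        $next = $body[++$i];
        if ($next === '%' || $next === '_') {
            $out .= '\\' . $next;              // \% and \_ keep their backslash
        } else {
            $out .= $special[$next] ?? $next;  // otherwise the backslash is dropped
        }
    }
    return $out;
}

// Hypothetical helper: escape a value for use inside a quoted literal
// (the same character set mysqli_real_escape_string handles).
function escape_for_literal(string $value): string
{
    return strtr($value, ['\\' => '\\\\', "'" => "\\'", '"' => '\\"',
                          "\0" => '\\0', "\n" => '\\n', "\r" => '\\r',
                          "\x1a" => '\\Z']);
}

// Constructed inputs: the path from the report, and one whose directory
// names begin with letters that form real escape sequences (\t, \n).
$paths = ['C:\inetpub\wwwroot\php\mantis\Dokus\12424741274223410d',
          'C:\temp\new\upload'];
$show = fn(string $s): string => strtr($s, ["\t" => '<TAB>', "\n" => '<LF>']);
foreach ($paths as $path) {
    echo 'interpolated as-is: ', $show(mysql_literal_value($path)), "\n";
    echo 'escaped first:      ',
         $show(mysql_literal_value(escape_for_literal($path))), "\n";
}
```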

thraxisp

2004-10-06 05:48

reporter   ~0007933

Could you retest this with the latest version from CVS? I believe that I fixed this last week for 0.19.1.

PatPowerMan

2004-10-06 06:52

reporter   ~0007934

Last edited: 2004-10-06 07:36

I'm not familiar with CVS - pls give me some time,
I have to learn this first .-)

Hmm: connect to cvs.sourceforge.net:2401 failed - our corporate firewall doesn't like this port...

How can I use the CVS "offline"?

PatPowerMan

2004-10-06 15:05

reporter   ~0007940

CVS works@home .-)

I have tested the 'project_doc_add.php' 1.45 and it works: the backslashes are written correctly to the database-field 'diskfile'.

BUT: Why do you rename the uploaded files on disk to names like 2bb562e5c4db46b7c45947002e5fa9b6? Can they not keep the original names like "my wonderfull excel-sheet.xls"?

thraxisp

2004-10-06 16:57

reporter   ~0007941

The obfuscated file names are part of our security measures if the file upload directory is within the mantis root directory. In this case, they are accessible to anyone with a browser. Obfuscation helps with this and malicious file uploading.

thraxisp

2004-10-06 16:58

reporter   ~0007942

fixed by an earlier submission.