Savane - Bugs: bug #678, (CERN) Fix code related to size...

 
 

bug #678: (CERN) Fix code related to size checking of attached files

Submitted by: Mathieu Roy <yeupou>
Submitted on: Mon 06 Sep 2004 05:00:29 PM UTC

Category: None
Status: Fixed
Severity: 1 - Wish
Priority: A - Later
Assigned to: Mathieu Roy <yeupou>
Open/Closed: Closed
Release: 1.0.1-CERN
Planned Release: 
Reproducibility: None
Privacy: Public

Tue 07 Sep 2004 03:19:56 PM UTC, comment #2:

About
http://savannah.cern.ch/bugs/?func=detailitem&item_id=4065

-> It is not a bug that the update is sent even if the attachment failed, since we do not refuse the bug posting and the rest of the submitted data is well registered.

-> strlen() is maybe not very efficient for large files, but what else? BTW, on large files, apache/PHP should drop the request by itself.

-> I believe it is on purpose that the filesize test is made after the addslashes(). Otherwise, why not use only filesize()? It is confusing for users, I'm willing to admit it. But file upload is something very sensitive when it comes to webservers, frequently used for exploits. We're forced to rush addslashes() when inserting data in the database to avoid malicious exploits. But I guess someone could act maliciously if we do filesize checks before the addslashes: someone could forge a file to triple the size after the addslashes() call, so he could upload a file way way bigger than the limit that would pass the check.
So in fact, we should probably explain the reason for the refusal in more detail, but not change the test.

The applied solution is to feedback the exact size found, after calling addslashes(), in case of refusal.

Mathieu Roy <yeupou>
Project Administrator, in charge of this item.
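
The check ordering discussed in comments #1 and #2, as an added example that is not Savane's code (the limit, the function name and the sample inputs are assumed for illustration): the attachment is escaped with addslashes() first, the limit is applied to the escaped length, and the refusal message quotes that length so the user sees the size that was actually checked. The "quotes" sample shows why checking the raw length is not enough when the escaped string is what gets stored: each escaped byte gains a backslash, so a file made only of quote characters doubles in size and slips past a raw-size check.

```php
<?php
// Added example, not Savane's own code. MAX_ATTACHMENT_BYTES is an assumed
// limit chosen for the demonstration, not a value taken from the tracker.
const MAX_ATTACHMENT_BYTES = 1024;

/**
 * Escape the attachment the way the tracker does before insertion and apply
 * the limit to the escaped length. Both sizes are returned so the refusal
 * message can quote the size that was actually checked.
 *
 * Hypothetical helper name; the tracker's real function is not shown here.
 */
function check_attachment(string $raw, int $limit = MAX_ATTACHMENT_BYTES): array
{
    $escaped     = addslashes($raw);   // escapes ' " \ and NUL with a backslash
    $rawSize     = strlen($raw);
    $escapedSize = strlen($escaped);
    $accepted    = $escapedSize <= $limit;

    return [
        'accepted'     => $accepted,
        'raw_size'     => $rawSize,
        'escaped_size' => $escapedSize,
        'message'      => $accepted
            ? 'attachment accepted'
            : sprintf(
                'attachment refused: %d bytes after escaping (%d bytes as uploaded), limit is %d',
                $escapedSize, $rawSize, $limit
            ),
    ];
}

// Constructed inputs: plain text is unchanged by addslashes(); a file made of
// double quotes gains one backslash per byte, so its stored size doubles.
$samples = [
    'plain'  => str_repeat('a', 800),
    'quotes' => str_repeat('"', 800),
];

foreach ($samples as $name => $content) {
    $r = check_attachment($content);
    // The naive check on the raw upload, for comparison only.
    $rawCheck = strlen($content) <= MAX_ATTACHMENT_BYTES ? 'pass' : 'fail';
    printf(
        "%-6s raw=%4d escaped=%4d raw-check=%s escaped-check=%s\n",
        $name, $r['raw_size'], $r['escaped_size'], $rawCheck,
        $r['accepted'] ? 'pass' : 'fail'
    );
    if (!$r['accepted']) {
        echo '  ', $r['message'], "\n";
    }
}
```

The "plain" sample passes both checks; the "quotes" sample passes the raw check at 800 bytes but is refused at 1600 bytes after escaping. The escaped-size check is only needed because the escaped string itself is what is sent to the database; with prepared statements (PDO or mysqli), the bytes stored equal the bytes received and the limit can be enforced on the raw upload.
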
Tue 07 Sep 2004 03:16:20 PM UTC, comment #1:

About
http://savannah.cern.ch/bugs/?func=detailitem&item_id=4065

-> It is not a bug that the update is sent even if the attachment failed, since we do not refuse the bug posting and the rest of the submitted data is well registered.

-> strlen() is maybe not very efficient for large files, but what else? BTW, on large files, apache/PHP should drop the request by itself.

-> I believe it is on purpose that the filesize test is made after the addslashes(). Otherwise, why not use only filesize()? It is confusing for users, I'm willing to admit it. But file upload is something very sensitive when it comes to webservers, frequently used for exploits. We're forced to rush addslashes() when inserting data in the database to avoid malicious exploits. But I guess someone could act maliciously if we do filesize checks before the addslashes: someone could forge a file to triple the size after the addslashes() call, so he could upload a file way way bigger than the limit that would pass the check.
So in fact, we should probably explain the reason for the refusal in more detail, but not change the test.

Mathieu Roy <yeupou>
Project Administrator, in charge of this item.
Mon 06 Sep 2004 05:00:29 PM UTC, original submission:

Fix code related to size checking of attached files
- include/trackers/general.php

Mathieu Roy <yeupou>
Project Administrator, in charge of this item.

 

No files currently attached

Depends on the following items: None found


Carbon-Copy List
  • -unavailable- added by yeupou
  • -unavailable- added by yeupou (Submitted the item)
Follow 3 latest changes.

Date                            | Changed By | Updated Field | Previous Value => Replaced By
Tue 07 Sep 2004 03:19:56 PM UTC | yeupou     | Status        | None => Fixed
Tue 07 Sep 2004 03:19:56 PM UTC | yeupou     | Open/Closed   | Open => Closed
Tue 07 Sep 2004 03:19:56 PM UTC | yeupou     | Carbon-Copy   | - => Added ype

Powered by Savane 3.1-cleanup