Magic invisible image files

User colink
Date 7/7/2007 2:03 pm
Views 1508
Rating 7
colink

WebGUI's default name for automatically created thumbnails is 'thumb-'.  WebGUI::Storage::Image filters out any files that begin with 'thumb-'.  But it could be a valid file name uploaded by a user, so Assets that use WebGUI::Storage::Image->getFiles to list attachments will never show files like that.  Assets that directly store the filename, like Image, are fine.

If the automatic thumbfile name was changed to something else, like '_thumb-', then I think it would be safer.

Patching it in the code would be dirt simple, but the upgrade script would be more challenging.  First, you'd make a list of all Image Assets.  Then you'd have to walk the uploads directory, directory by directory, omitting the Image Asset storageId's and renaming the files.

As far as I can tell, no one has reported anything like this as a bug yet.

Is it worth pursuing this as a bug?



JT
I agree that it's a potential problem, but so small that it hasn't been reported in six years of it being that way. And it's not that big of an ordeal for people to just rename their attachments in that case. If we do anything, I think it should just be to change storage to ignore/delete file uploads that start with thumb- so that hackers can't exploit it.

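The name collision colink describes (a user file beginning with the reserved thumbnail prefix disappears from the attachment listing) and the upload-time check JT proposes, modelled as an added Python example. This is not WebGUI's Perl code: the storage location is a plain set of filenames, and the helper names (make_thumbnail_name, list_attachments, accept_upload, the demo_* functions) are assumptions for the illustration. The two prefixes are the ones named in the thread.

```python
"""Model of the thumbnail/attachment name collision discussed in the thread.

Added illustration, not WebGUI's own code. A storage location is a plain set
of filenames; helper names are invented for the example.
"""
from __future__ import annotations

THUMB_PREFIX = "thumb-"        # WebGUI's default thumbnail prefix, per the post
ALT_THUMB_PREFIX = "_thumb-"   # colink's proposed alternative prefix


class UploadRejected(ValueError):
    """Raised when an upload name would collide with generated thumbnails."""


def make_thumbnail_name(filename: str, prefix: str = THUMB_PREFIX) -> str:
    """Name of the automatically generated thumbnail for an uploaded file."""
    return prefix + filename


def list_attachments(stored: set[str], prefix: str = THUMB_PREFIX) -> list[str]:
    """The listing behaviour the post describes: every name that starts with
    the thumbnail prefix is assumed to be a generated thumbnail and hidden,
    so a user file that merely shares the prefix is hidden as well."""
    return sorted(name for name in stored if not name.startswith(prefix))


def accept_upload(stored: set[str], filename: str, prefix: str = THUMB_PREFIX) -> set[str]:
    """JT's suggested fix: refuse any upload whose name starts with the
    reserved prefix, so it can never be mistaken for a generated thumbnail.
    On success, store the file plus its thumbnail and return the new set."""
    if filename.startswith(prefix):
        raise UploadRejected(f"{filename!r}: names beginning with {prefix!r} are reserved")
    return stored | {filename, make_thumbnail_name(filename, prefix)}


def demo_hidden_file() -> list[str]:
    """Constructed scenario: a location holds 'photo.jpg', its thumbnail, and a
    user upload named 'thumb-report.png'. The upload never shows up."""
    stored = {"photo.jpg", make_thumbnail_name("photo.jpg"), "thumb-report.png"}
    return list_attachments(stored)


def demo_alt_prefix() -> list[str]:
    """colink's '_thumb-' idea: 'thumb-report.png' is now listed, but a user
    file named '_thumb-notes.txt' is hidden instead. The prefix change only
    moves the collision to a less likely name; it does not remove it."""
    stored = {
        "photo.jpg",
        make_thumbnail_name("photo.jpg", ALT_THUMB_PREFIX),
        "thumb-report.png",
        "_thumb-notes.txt",
    }
    return list_attachments(stored, ALT_THUMB_PREFIX)


def demo_reserved_prefix() -> tuple[list[str], str]:
    """Same uploads through the hardened path: the ordinary file is stored and
    listed, the colliding name is rejected with a reason the user can act on."""
    stored = accept_upload(set(), "photo.jpg")
    try:
        accept_upload(stored, "thumb-report.png")
        reason = ""
    except UploadRejected as exc:
        reason = str(exc)
    return list_attachments(stored), reason


if __name__ == "__main__":
    print("legacy listing:   ", demo_hidden_file())
    print("'_thumb-' listing:", demo_alt_prefix())
    listing, reason = demo_reserved_prefix()
    print("hardened listing: ", listing)
    print("rejected upload:  ", reason)
```

Rejecting at upload time keeps a reserved namespace reserved, which is why it is the more robust of the two options: renaming the prefix still leaves any name under the new prefix silently unlistable.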
© 2010 Plain Black Corporation | All Rights Reserved