This mail is an automated notification from the bugs tracker
of the project: Savane.
/**************************************************************************/
[bugs #678] Latest Modifications:
Changes by:
Mathieu Roy <[EMAIL PROTECTED]>
'Date:
mar 07.09.2004 ŕ 17:16 (Europe/Paris)
------------------ Additional Follow-up Comments ----------------------------
About
http://savannah.cern.ch/bugs/?func=detailitem&item_id=4065
-> It is not a bug that the update is sent even if the attachment failed, since we do
not refuse the bug posting and the rest of the submitted data is well registered.
-> strlen() is maybe not very efficient for large files, but what else? BTW, on large
files, apache/PHP should drop the request by itself.
-> I believe it is on purpose that the filesize test is made after the addslashes().
Otherwise, why not using only filesize(). It is confusing for users, I'm willing to
admit it. But file upload is something very sensitive when it comes to webservers,
frequently used for exploit. We're forced to rush addslashes() when inserting data in
the database to avoid malicious exploits. But I guess someone could act maliciously if
we do filesize checks before the addslashes: someone could forge a file to triple the
size after the addslashes() call, so he could upload a file way way bigger than the
limit that would pass the check.
So in fact, we should probably explain the reason of the refusal more in details, but
not change the test.
/**************************************************************************/
[bugs #678] Full Item Snapshot:
URL: <http://gna.org/bugs/?func=detailitem&item_id=678>
Project: Savane
Submitted by: Mathieu Roy
On: lun 06.09.2004 ŕ 19:00
Category: None
Severity: 1 - Trivial
Priority: A - Later
Resolution: None
Privacy: Public
Assigned to: yeupou
Status: Open
Release: 1.0.1-CERN
Planned Release:
Summary: (CERN) Fix code related to size checking of attached files
Original Submission:
Fix code related to size checking of attached files
- include/trackers/general.php
Commentaires
------------------
-------------------------------------------------------
Date: mar 07.09.2004 ŕ 17:16 By: Mathieu Roy <yeupou>
About
http://savannah.cern.ch/bugs/?func=detailitem&item_id=4065
-> It is not a bug that the update is sent even if the attachment failed, since we do
not refuse the bug posting and the rest of the submitted data is well registered.
-> strlen() is maybe not very efficient for large files, but what else? BTW, on large
files, apache/PHP should drop the request by itself.
-> I believe it is on purpose that the filesize test is made after the addslashes().
Otherwise, why not using only filesize(). It is confusing for users, I'm willing to
admit it. But file upload is something very sensitive when it comes to webservers,
frequently used for exploit. We're forced to rush addslashes() when inserting data in
the database to avoid malicious exploits. But I guess someone could act maliciously if
we do filesize checks before the addslashes: someone could forge a file to triple the
size after the addslashes() call, so he could upload a file way way bigger than the
limit that would pass the check.
So in fact, we should probably explain the reason of the refusal more in details, but
not change the test.
For detailed info, follow this link:
<http://gna.org/bugs/?func=detailitem&item_id=678>
_______________________________________________
Message posté via/par Gna!
http://gna.org/
_______________________________________________
Savane-dev mailing list
[EMAIL PROTECTED]
https://mail.gna.org/listinfo/savane-dev
