This mail is an automated notification from the bugs tracker of the project: Savane.
/**************************************************************************/
[bugs #676] Latest Modifications:

Changes by: Yves Perrin <[EMAIL PROTECTED]>
Date: Wed 09/08/2004 at 08:49 (GMT)

What       | Removed | Added
---------------------------------------------------------------------------
Resolution | None    | Fixed
Status     | Open    | Closed

------------------ Additional Follow-up Comments ----------------------------
fixed

/**************************************************************************/
[bugs #676] Full Item Snapshot:

URL: <http://gna.org/bugs/?func=detailitem&item_id=676>
Project: Savane
Submitted by: Mathieu Roy
On: Mon 09/06/2004 at 16:58

Category: None
Severity: 1 - Trivial
Priority: A - Later
Resolution: Fixed
Privacy: Public
Assigned to: ype
Status: Closed
Release: 1.0.1-CERN
Planned Release:

Summary: (CERN) Fix code related to email addresses in case of 'add cc'

Original Submission:
Fix code related to email addresses in case of 'add cc'
- include/trackers_run/index.php

Follow-up Comments
------------------

-------------------------------------------------------
Date: Wed 09/08/2004 at 08:49
By: Yves Perrin <ype>

fixed

-------------------------------------------------------
Date: Tue 09/07/2004 at 15:40
By: Mathieu Roy <yeupou>

Yves, can you provide details about this item: what does it fix exactly?

-------------------------------------------------------
Date: Tue 09/07/2004 at 15:15
By: Mathieu Roy <yeupou>

Sorry, this comment was for bug #678.

-------------------------------------------------------
Date: Tue 09/07/2004 at 15:06
By: Mathieu Roy <yeupou>

About http://savannah.cern.ch/bugs/?func=detailitem&item_id=4065

-> It is not a bug that the update is sent even if the attachment failed, since we do not refuse the bug posting and the rest of the submitted data is well registered.

-> strlen() is maybe not very efficient for large files, but what else? BTW, on large files, apache/PHP should drop the request by itself.

-> I believe it is on purpose that the filesize test is made after the addslashes(). Otherwise, why not use only filesize()? It is confusing for users, I'm willing to admit it. But file upload is something very sensitive when it comes to webservers, frequently used for exploits. We're forced to rush addslashes() when inserting data in the database to avoid malicious exploits. But I guess someone could act maliciously if we do filesize checks before the addslashes(): someone could forge a file to triple the size after the addslashes() call, so he could upload a file way way bigger than the limit that would pass the check.

So in fact, we should probably explain the reason for the refusal in more detail, but not change the test.

CC List
-------

CC Address                          | Comment
------------------------------------+-----------------------------
ype                                 |

For detailed info, follow this link:
<http://gna.org/bugs/?func=detailitem&item_id=676>

_______________________________________________
Message sent via/by Gna!
http://gna.org/

_______________________________________________
Savane-dev mailing list
[EMAIL PROTECTED]
https://mail.gna.org/listinfo/savane-dev
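
The ordering argued for in the comment of Tue 09/07/2004 at 15:06, as an added example (not Savane's code and not part of the original mail): the size limit is tested on the string after addslashes(), and the refusal message reports both sizes so the user can see why the file was rejected. The limit, the function name check_attachment() and the sample inputs are assumptions made up for the illustration.

```php
<?php
// Added example, not Savane code. The limit, function name and samples are
// hypothetical and constructed for illustration.
const MAX_ATTACHMENT_BYTES = 1024;

/**
 * Escape first, then test the size of the escaped string, and return a
 * refusal reason that reports both sizes so the user can see why a file
 * that looks small enough on disk was rejected.
 */
function check_attachment(string $raw, int $limit = MAX_ATTACHMENT_BYTES): array
{
    $escaped = addslashes($raw);   // prefixes ', ", \ and NUL with a backslash
    $rawLen  = strlen($raw);       // byte count as uploaded
    $escLen  = strlen($escaped);   // byte count after escaping

    if ($escLen <= $limit) {
        return ['accepted' => true, 'reason' => ''];
    }

    $reason = sprintf(
        'Attachment refused: %d bytes as uploaded, %d bytes once escaped '
        . 'for the database; the limit of %d bytes applies to the escaped size.',
        $rawLen,
        $escLen,
        $limit
    );
    return ['accepted' => false, 'reason' => $reason];
}

// Constructed inputs: each is 1000 bytes, so each would pass a check made
// on the raw size against the 1024-byte limit.
$samples = [
    'plain text'  => str_repeat('a', 1000),
    'quote heavy' => str_repeat("'", 1000),
    'mixed'       => str_repeat("ab'\\", 250),
];

foreach ($samples as $name => $data) {
    $result = check_attachment($data);
    printf("%-12s %s\n", $name, $result['accepted'] ? 'accepted' : $result['reason']);
}
```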