This mail is an automated notification from the bugs tracker
 of the project: Savane.

/**************************************************************************/
[bugs #676] Latest Modifications:

Changes by: Mathieu Roy <[EMAIL PROTECTED]>
Date: Tue 07.09.2004 at 17:06 (Europe/Paris)

------------------ Additional Follow-up Comments ----------------------------
About
http://savannah.cern.ch/bugs/?func=detailitem&item_id=4065 

-> It is not a bug that the update is sent even if the attachment failed, since 
we do not refuse the bug posting and the rest of the submitted data is well 
registered.

-> strlen() is maybe not very efficient for large files, but what else? BTW, on 
large files, apache/PHP should drop the request by itself.

-> I believe it is on purpose that the filesize test is made after the 
addslashes(). Otherwise, why not use only filesize()? It is confusing for 
users, I'm willing to admit it. But file upload is something very sensitive 
when it comes to webservers, frequently used for exploits. We're forced to rush 
addslashes() when inserting data in the database to avoid malicious exploits. 
But I guess someone could act maliciously if we do filesize checks before the 
addslashes: someone could forge a file to triple the size after the 
addslashes() call, so he could upload a file way way bigger than the limit that 
would pass the check.
So in fact, we should probably explain the reason for the refusal in more 
detail, but not change the test.
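The size-check ordering discussed in the comment above, as an added example that is not Savane code: a Python reimplementation of PHP's addslashes() (which escapes the four bytes ' " \ and NUL) applied to a constructed upload limit, comparing a limit enforced on the raw file with one enforced on the escaped form that actually reaches the database. The limit, the inputs and the two check functions are assumptions for the demonstration.

```python
# Added example (not Savane code): why an upload size limit must be applied
# to the escaped form that is stored, not only to the raw upload.
# addslashes() is reimplemented here with PHP's semantics: ' " \ get a
# backslash prefix and a NUL byte becomes the two characters \0.

MAX_BYTES = 1024  # constructed limit for the demonstration


def addslashes(data: bytes) -> bytes:
    """Mimic PHP addslashes() on a byte string."""
    out = bytearray()
    for b in data:
        if b in (0x27, 0x22, 0x5C):  # ' " \
            out += b"\\" + bytes([b])
        elif b == 0x00:
            out += b"\\0"
        else:
            out.append(b)
    return bytes(out)


def check_before_escaping(raw: bytes, limit: int = MAX_BYTES) -> tuple:
    """Limit enforced on the raw upload; returns (accepted, bytes stored)."""
    if len(raw) > limit:
        return False, 0
    return True, len(addslashes(raw))


def check_after_escaping(raw: bytes, limit: int = MAX_BYTES) -> tuple:
    """Limit enforced on the escaped form (the Savane ordering)."""
    escaped = addslashes(raw)
    if len(escaped) > limit:
        return False, 0
    return True, len(escaped)


def expansion_factor(raw: bytes) -> float:
    """Ratio of stored bytes to raw bytes after escaping."""
    return len(addslashes(raw)) / len(raw)


# Constructed inputs: a benign text file, and a file made only of backslashes,
# the worst case for addslashes (every byte doubles, so the factor is exactly 2).
BENIGN = b"plain text attachment\n" * 40   # 880 bytes, nothing to escape
HOSTILE = b"\\" * MAX_BYTES                 # exactly at the raw limit

if __name__ == "__main__":
    print("benign  raw-check / escaped-check:", check_before_escaping(BENIGN), check_after_escaping(BENIGN))
    print("hostile raw-check / escaped-check:", check_before_escaping(HOSTILE), check_after_escaping(HOSTILE))
    print("worst-case expansion factor:", expansion_factor(HOSTILE))
```

With the raw check the hostile file is accepted and 2048 bytes are written for a 1024-byte limit; with the check on the escaped form it is refused.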

/**************************************************************************/
[bugs #676] Full Item Snapshot:

URL: <http://gna.org/bugs/?func=detailitem&item_id=676>
Project: Savane
Submitted by: Mathieu Roy
On: Mon 06.09.2004 at 18:58

Category:  None
Severity:  1 - Trivial
Priority:  A - Later
Resolution:  None
Privacy:  Public
Assigned to:  yeupou
Status:  Open
Release:  1.0.1-CERN
Planned Release:  


Summary:  (CERN) Fix code related to email addresses in case of 'add cc'

Original Submission:  
Fix code related to email addresses in case of 'add cc'
   - include/trackers_run/index.php


Comments
------------------


-------------------------------------------------------
Date: Tue 07.09.2004 at 17:06        By: Mathieu Roy <yeupou>
(Comment text identical to the follow-up comment above.)

CC List
-------

CC Address                          | Comment
------------------------------------+-----------------------------
ype                                 | 

For detailed info, follow this link:
<http://gna.org/bugs/?func=detailitem&item_id=676>

_______________________________________________
  Message posted via Gna!
  http://gna.org/