Menu
▾
▴
Re: [SM-DEVEL] attachment upload verification broken with firefox
|
From: Tomas K. <to...@us...> - 2005-08-22 07:30:46
|
> Paul Lesneiwski wrote:
> (...)
>>>According to the manual, the function returns true on a successful
>>> upload,
>>>not whether a temp file was created for that upload. So if the browser
>>>says it's uploading a 0 byte file, and php creates a 0 byte file, then
>>>everything is right, and veriftication is successful. Not sure as to
>>> why
>>>anybody would really want to upload a 0 byte file. I guess we could add
>>>an additional check and verify the size of the file is greater than 0
>>>bytes.
>>
>>
>> It might be rediculous, but I don't think we should 2nd guess the end
>> user. Let them upload zero byte files if they want. The code works
>> fine.
>
> Actually, it's not about letting user upload a 0kb file, it's about
> letting user think they uploaded a file when they didn't.
>
> If the user type in the path to the file he/she wants to upload and
> makes a typo in the path (and not in the filename), firefox won't warn
> the user, squirremail won't either. He/she will ends with a 0kb
> attachment with the right filename!
>
> Plus the real problem is more the change of behaviour between
> squirrelmail 1.2 and 1.4.
move_uploaded_file() is compatible with php safe mode. generic file system
commands (rename) are not. SquirrelMail SM-STABLE-1_4 uses both (1.
rename(), 2. move_uploaded_file()). SM-STABLE-1_2 uses only
move_uploaded_file().
src/compose.php saveAttachedFiles() function.
Can you reproduce your problem if you disable "if
(!@rename($_FILES['attachfile']['tmp_name'], $full_localfilename)) {" ?
--
Tomas
|