Illegal filename characters?

  • Shawn C. Monk

    Shawn C. Monk - 2007-02-28

    It appears that there are some problems serving files or directories that have apostrophes in them.  I haven't run across other illegal characters (yet).  I'm still a novice when it comes to PHP, but it seems like there should be a way to parse filenames for those characters before serving them. Any suggestions on where I should look?

    It doesn't look like this board is too active, so I won't hold my breath waiting for a response....  :)

    Thanks for the great tool!

    • Brandon Nimon

      Brandon Nimon - 2007-02-28

      I've run into this, and I know when I was programming I tried to allow apostrophes. At what point does it not work? Just the force download part, right?
      Everything else works fine (I think :-P).

      The problem is this (and you can fix it yourself pretty easily, even easier if you know PHP). I'm not sure what version of File Manage you have, but around line 915 is "if(isset($_GET['forcedownloadfile']) && allowed($_GET['forcedownloadfile']) && $current_user['read']){"

      Remove " && allowed($_GET['forcedownloadfile'])" from that line.

      Nine lines later (on the blank line after "$filename = $_GET['forcedownloadfile'];")

      add this: "if(!allowed($filename)) exit;"

      Note: if you don't add that line, every file on your server will be easily downloadable by people who have access to File Manage on your server.

      I have this fixed on my end, but I probably won't release another version of File Manage for a while...
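
As an added example (not File Manage's own code, and not written by the posters in this thread): one way a check placed where the reply describes, right after `$filename` is assigned, can confine downloads to one directory while still accepting apostrophes in names. It assumes `allowed()` is a path-confinement check; `BASE_DIR`, `confined_path()` and `force_download()` are hypothetical names.

```php
<?php
// Added illustration, not File Manage's code. BASE_DIR, confined_path() and
// force_download() are hypothetical; the real allowed() may check other things.
const BASE_DIR = '/var/www/files';   // assumed root of the managed files

// Return the canonical path if $requested resolves to a file inside $base, else null.
function confined_path(string $requested, string $base): ?string
{
    $baseReal = realpath($base);
    // realpath() resolves "..", symlinks and duplicate slashes, and returns
    // false when the target does not exist. Apostrophes need no special handling.
    $real = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($baseReal === false || $real === false) {
        return null;
    }
    // Compare against the base plus a separator so "/var/www/files-old" does not match.
    $prefix = rtrim($baseReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0 || !is_file($real)) {
        return null;
    }
    return $real;
}

function force_download(array $get, array $current_user): void
{
    if (!isset($get['forcedownloadfile']) || !is_string($get['forcedownloadfile']) || empty($current_user['read'])) {
        return;
    }
    $filename = $get['forcedownloadfile'];
    // The check must run before any file is read; without it every readable file is served.
    $path = confined_path($filename, BASE_DIR);
    if ($path === null) {
        http_response_code(403);
        exit;
    }
    // Replace only characters that would break the quoted header value.
    $safeName = str_replace(['"', "\r", "\n", '\\'], '_', basename($path));
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . $safeName . '"');
    header('Content-Length: ' . filesize($path));
    readfile($path);
    exit;
}

// Constructed value; a real application would fill this in from the session.
$current_user = ['read' => false];
force_download($_GET, $current_user);
```
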

    • Shawn C. Monk

      Shawn C. Monk - 2007-03-01

      Awesome!  I'm using the MySQL version - 1.0 I think.  I just got it up and running on Monday (it was really just an effort in procrastination).

      Thanks for the pointer!  I spent some time going through the file making smaller tweaks, but haven't had the time to actually figure out where in the code the problem was popping up. 