From: Henrique P. <hp...@gm...> - 2011-05-31 19:49:20

Hi Ramsey,

Fix committed.

Cheers,

Henrique

On 31/05/2011, at 12:31, Ramsey Gurley wrote:

> Cool deal (^_^) I'm not using S3 now, but I hope to in the future. If a fix waits on me to write it, it could be a while.
>
> Ramsey
>
> On May 30, 2011, at 7:40 PM, Henrique Prange wrote:
>
>> I'm using the S3 processor too.
>>
>> I've found the problem occurs because the filename is encoded before sending the attachment to the S3 bucket.
>>
>> The solution is to use the original (decoded) filename while uploading the attachment, and use the encoded URL to retrieve the file.
>>
>> I still have to exercise this solution a bit more before committing the fix. I'll try to do it tomorrow.
>>
>> Cheers,
>>
>> Henrique
>>
>> Sent from my iPhone
>>
>> On 30/05/2011, at 16:09, Ramsey Gurley <ram...@gm...> wrote:
>>
>>> Unfortunately, not yet. This has been on my todo list forever. I happened to be looking at it a couple of days ago and thought it would be a one line fix... then I noticed it wasn't! So, right now I've just filed a JIRA so I won't forget. If you don't use S3, you could probably fix it for yourself by adding that line back in the meantime.
>>>
>>> Ramsey
>>>
>>> On May 30, 2011, at 11:32 AM, Henrique Prange wrote:
>>>
>>>> Hi Ramsey,
>>>>
>>>> Any progress on how to solve the encoding problem? I've been using the filename in the webpath which is causing a lot of headaches. I've tried to use the primary key, but it also has some bugs related to mime types and file extensions with the S3 processor.
>>>>
>>>> Cheers,
>>>>
>>>> Henrique
>>>>
>>>> On 28/05/2011, at 19:54, Ramsey Gurley wrote:
>>>>
>>>>> Cases where the current code doesn't work in my testing:
>>>>>
>>>>> input file name at file upload==resultant url after clicking ERAttachmentLink in safari
>>>>>
>>>>> some & copy.jpg==some%20&%20copy.jpg
>>>>> some©.jpg==some©.jpg
>>>>>
>>>>> "><script>alert('xss')</script>==script>
>>>>>
>>>>> In the last case, I'm trying to be evil. Fortunately, the evil doesn't work, but the file name is still badly mangled as Mac OS turns that into
>>>>>
>>>>> "><script>alert('xss')<:script>
>>>>>
>>>>> Notice the / becomes :. My reverted patch will not fix that case, because everything before the : is gone before it even reaches the method I was mucking around in. Taking out the / with something like
>>>>>
>>>>> "><script>alert('xss')<hr>
>>>>>
>>>>> Doesn't work either. " becomes %22, so my primary concern is alleviated. Basically though, using ${fileName} in your webpath isn't really a good idea until there's a fix. I plan on filing a JIRA when I get done commenting on other issues (^_^)
>>>>>
>>>>> Ramsey
>>>>>
>>>>> On May 28, 2011, at 3:09 PM, Ray Kiddy wrote:
>>>>>
>>>>>> Has this kind of thing caused problems in the past? I thought it had.
>>>>>>
>>>>>> Was the problem that helper methods did url encoding or did not, and different callers relied on the behavior?
>>>>>>
>>>>>> Just wondering if all the edge cases were checked here. If there are edge cases. Or edges.
>>>>>>
>>>>>> - ray
>>>>>>
>>>>>> On May 28, 2011, at 2:55 PM, no...@gi... wrote:
>>>>>>
>>>>>>> Branch: refs/heads/master
>>>>>>> Home: https://github.com/projectwonder/wonder
>>>>>>>
>>>>>>> Commit: 6913682052479ff26cdd95e698aad615197be5c8
>>>>>>> https://github.com/projectwonder/wonder/commit/6913682052479ff26cdd95e698aad615197be5c8
>>>>>>> Author: nullterminated <ram...@gm...>
>>>>>>> Date: 2011-05-28 (Sat, 28 May 2011)
>>>>>>>
>>>>>>> Changed paths:
>>>>>>> M Frameworks/BusinessLogic/ERAttachment/Sources/er/attachment/processors/ERAttachmentProcessor.java
>>>>>>>
>>>>>>> Log Message:
>>>>>>> -----------
>>>>>>> File names need to be url encoded. Some examples of file names that
>>>>>>> don't work... file names with spaces, file names with &, file names
>>>>>>> with © or something else that can be mistaken as an html entity by
>>>>>>> the browser.
>>>>>>
>>>>>> _______________________________________________
>>>>>> Wonder-disc mailing list
>>>>>> Won...@li...
>>>>>> https://lists.sourceforge.net/lists/listinfo/wonder-disc
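The thread boils down to two separate encodings that an attachment file name needs before it reaches a browser: percent-encoding as a single URL path segment for the link, and HTML escaping for the markup around it, while the storage backend (the S3 bucket) keeps the original, decoded name. The block below is an added illustration, not code from Project Wonder or from anyone in this thread; it runs Ramsey's three test file names through that scheme with Python's standard library (function names and the `/attachments/` prefix are assumptions), and shows that encoding the name as one segment turns `&` into `%26` rather than leaving it raw as in the observed `some%20&%20copy.jpg`.

```python
# Added example (not Project Wonder's ERAttachmentProcessor): the two encodings an
# attachment file name needs on the way to the browser, exercised with the file
# names from the test table in the thread above.
import html
from urllib.parse import quote, unquote

def encode_path_segment(filename: str) -> str:
    """Percent-encode a filename as ONE URL path segment.
    safe='' means '/', '&', '?', '#', quotes and angle brackets are all
    encoded, so the name cannot add path components, query parameters or
    markup-looking characters to the URL. Non-ASCII (©) becomes UTF-8 bytes."""
    return quote(filename, safe="")

def decode_path_segment(segment: str) -> str:
    """Inverse of encode_path_segment. This decoded name is what the storage
    backend should see (upload under the original name, retrieve via the
    encoded URL), which is the shape of the fix discussed in the thread."""
    return unquote(segment)

def link_html(webpath_prefix: str, filename: str) -> str:
    """Build an <a> tag: URL-encode for the href first, then HTML-escape both
    the href and the visible label for the markup context they land in."""
    href = webpath_prefix + encode_path_segment(filename)
    return '<a href="%s">%s</a>' % (html.escape(href, quote=True),
                                    html.escape(filename, quote=True))

def browser_guess(raw: str) -> str:
    """What a lenient HTML parser makes of an unencoded name: '&copy' is a
    legacy entity that needs no ';', so 'some&copy.jpg' reads as 'some©.jpg'.
    A percent-encoded segment contains no '&' and survives unchanged."""
    return html.unescape(raw)

if __name__ == "__main__":
    # The three inputs from the thread's test table.
    for name in ["some & copy.jpg", "some©.jpg", "\"><script>alert('xss')</script>"]:
        seg = encode_path_segment(name)
        assert decode_path_segment(seg) == name  # round trip is lossless
        print(repr(name), "->", seg)
    print(link_html("/attachments/", "some & copy.jpg"))
    print(browser_guess("some&copy.jpg"), "|", browser_guess("some%20%26%20copy.jpg"))
```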