Menu
▾
▴
Re: [Wonder-disc] [projectwonder/wonder] 691368: File names need to be url encoded. Some examples o...
|
From: Henrique P. <hp...@gm...> - 2011-05-31 19:49:20
|
Hi Ramsey,
Fix committed.
Cheers,
Henrique
On 31/05/2011, at 12:31, Ramsey Gurley wrote:
> Cool deal (^_^) I'm not using S3 now, but I hope to in the future. If a fix waits on me to write it, it could be a while.
>
> Ramsey
>
> On May 30, 2011, at 7:40 PM, Henrique Prange wrote:
>
>> I'm using the S3 processor too.
>>
>> I've found the problem occurs because the filename is encoded before sending the attachment to the S3 bucket.
>>
>> The solution is to use the original (decoded) filename while uploading the attachment, and use the encoded URL to retrieve the file.
>>
>> I still have to exercise this solution a bit more before committing the fix. I'll try to do it tomorrow.
>>
>> Cheers,
>>
>> Henrique
>>
>> Sent from my iPhone
>>
>> On 30/05/2011, at 16:09, Ramsey Gurley <ram...@gm...> wrote:
>>
>>> Unfortunately, not yet. This has been on my todo list forever. I happened to be looking at it a couple of days ago and thought it would be a one line fix... then I noticed it wasn't! So, right now I've just filed a JIRA so I won't forget. If you don't use S3, you could probably fix it for yourself by adding that line back in the meantime.
>>>
>>> Ramsey
>>>
>>> On May 30, 2011, at 11:32 AM, Henrique Prange wrote:
>>>
>>>> Hi Ramsey,
>>>>
>>>> Any progress on how to solve the encoding problem? I've been using the filename in the webpath which is causing a lot of headaches. I've tried to use the primary key, but it also has some bugs related to mime types and file extensions with the S3 processor.
>>>>
>>>> Cheers,
>>>>
>>>> Henrique
>>>>
>>>> On 28/05/2011, at 19:54, Ramsey Gurley wrote:
>>>>
>>>>> Cases where the current code doesn't work in my testing:
>>>>>
>>>>> input file name at file upload==resultant url after clicking ERAttachmentLink in safari
>>>>>
>>>>> some & copy.jpg==some%20&%20copy.jpg
>>>>> some©.jpg==some©.jpg
>>>>>
>>>>> "><script>alert('xss')</script>==script>
>>>>>
>>>>> In the last case, I'm trying to be evil. Fortunately, the evil doesn't work, but the file name is still badly mangled as Mac OS turns that into
>>>>>
>>>>> "><script>alert('xss')<:script>
>>>>>
>>>>> Notice the / becomes :. My reverted patch will not fix that case, because everything before the : is gone before it even reaches the method I was mucking around in. Taking out the / with something like
>>>>>
>>>>> "><script>alert('xss')<hr>
>>>>>
>>>>> Doesn't work either. " becomes %22, so my primary concern is alleviated. Basically though, using ${fileName} in your webpath isn't really a good idea until there's a fix. I plan on filing a JIRA when I get done commenting on other issues (^_^)
>>>>>
>>>>> Ramsey
>>>>>
>>>>> On May 28, 2011, at 3:09 PM, Ray Kiddy wrote:
>>>>>
>>>>>>
>>>>>> Has this kind of thing caused problems in the past? I thought it had.
>>>>>>
>>>>>> Was the problem that helper methods did url encoding or did not, and different callers relied on the behavior?
>>>>>>
>>>>>> Just wondering if all the edge cases were checked here. If there are edge cases. Or edges.
>>>>>>
>>>>>> - ray
>>>>>>
>>>>>> On May 28, 2011, at 2:55 PM, no...@gi... wrote:
>>>>>>
>>>>>>> Branch: refs/heads/master
>>>>>>> Home: https://github.com/projectwonder/wonder
>>>>>>>
>>>>>>> Commit: 6913682052479ff26cdd95e698aad615197be5c8
>>>>>>> https://github.com/projectwonder/wonder/commit/6913682052479ff26cdd95e698aad615197be5c8
>>>>>>> Author: nullterminated <ram...@gm...>
>>>>>>> Date: 2011-05-28 (Sat, 28 May 2011)
>>>>>>>
>>>>>>> Changed paths:
>>>>>>> M Frameworks/BusinessLogic/ERAttachment/Sources/er/attachment/processors/ERAttachmentProcessor.java
>>>>>>>
>>>>>>> Log Message:
>>>>>>> -----------
>>>>>>> File names need to be url encoded. Some examples of file names that
>>>>>>> don't work... file names with spaces, file names with &, file names
>>>>>>> with © or something else that can be mistaken as an html entity by
>>>>>>> the browser.
>>>>>>>
>>>>>>
>>>>>>
>>>>>> ------------------------------------------------------------------------------
>>>>>> vRanger cuts backup time in half-while increasing security.
>>>>>> With the market-leading solution for virtual backup and recovery,
>>>>>> you get blazing-fast, flexible, and affordable data protection.
>>>>>> Download your free trial now.
>>>>>> http://p.sf.net/sfu/quest-d2dcopy1
>>>>>> _______________________________________________
>>>>>> Wonder-disc mailing list
>>>>>> Won...@li...
>>>>>> https://lists.sourceforge.net/lists/listinfo/wonder-disc
>>>>>
>>>>> ------------------------------------------------------------------------------
>>>>> vRanger cuts backup time in half-while increasing security.
>>>>> With the market-leading solution for virtual backup and recovery,
>>>>> you get blazing-fast, flexible, and affordable data protection.
>>>>> Download your free trial now.
>>>>> http://p.sf.net/sfu/quest-d2dcopy1_______________________________________________
>>>>> Wonder-disc mailing list
>>>>> Won...@li...
>>>>> https://lists.sourceforge.net/lists/listinfo/wonder-disc
>>>>
>>>>
>>>> ------------------------------------------------------------------------------
>>>> vRanger cuts backup time in half-while increasing security.
>>>> With the market-leading solution for virtual backup and recovery,
>>>> you get blazing-fast, flexible, and affordable data protection.
>>>> Download your free trial now.
>>>> http://p.sf.net/sfu/quest-d2dcopy1
>>>> _______________________________________________
>>>> Wonder-disc mailing list
>>>> Won...@li...
>>>> https://lists.sourceforge.net/lists/listinfo/wonder-disc
>>>
>>
>> ------------------------------------------------------------------------------
>> Simplify data backup and recovery for your virtual environment with vRanger.
>> Installation's a snap, and flexible recovery options mean your data is safe,
>> secure and there when you need it. Data protection magic?
>> Nope - It's vRanger. Get your free trial download today.
>> http://p.sf.net/sfu/quest-sfdev2dev
>> _______________________________________________
>> Wonder-disc mailing list
>> Won...@li...
>> https://lists.sourceforge.net/lists/listinfo/wonder-disc
>
|