authormyk%mozilla.org <>2002-11-09 10:23:06 +0100
committermyk%mozilla.org <>2002-11-09 10:23:06 +0100
commit3619b6e9f63fd0c1352a3eeddb8339e1bc362e57 (patch)
treec9faf4768eac610bb1547cbb626dcf6be5a24e59 /attachment.cgi
parent486a739cc6c5b42f276820a2bfe5a0ce6f18448e (diff)
Fix for bug 178841: removes full paths from filenames in attachments table and prevents them from appearing again
r=gerv,bbaetz a=justdave
Diffstat (limited to 'attachment.cgi')
-rwxr-xr-xattachment.cgi16
1 files changed, 15 insertions, 1 deletions
diff --git a/attachment.cgi b/attachment.cgi
index 971968b3e..33f8c8542 100755
--- a/attachment.cgi
+++ b/attachment.cgi
@@ -276,10 +276,24 @@ sub validateData
return $data;
}
+my $filename;
sub validateFilename
{
defined $cgi->upload('data')
|| ThrowUserError("file_not_specified");
+
+ $filename = $cgi->upload('data');
+
+ # Remove path info (if any) from the file name. The browser should do this
+ # for us, but some are buggy. This may not work on Mac file names and could
+ # mess up file names with slashes in them, but them's the breaks. We only
+ # use this as a hint to users downloading attachments anyway, so it's not
+ # a big deal if it munges incorrectly occasionally.
+ $filename =~ s/^.*[\/\\]//;
+
+ # Truncate the filename to 100 characters, counting from the end of the string
+ # to make sure we keep the filename extension.
+ $filename = substr($filename, -100, 100);
}
sub validateObsolete
@@ -442,7 +456,7 @@ sub insert
# Insert a new attachment into the database.
# Escape characters in strings that will be used in SQL statements.
- my $filename = SqlQuote($cgi->param('data'));
+ $filename = SqlQuote($filename);
my $description = SqlQuote($::FORM{'description'});
my $contenttype = SqlQuote($::FORM{'contenttype'});
my $thedata = SqlQuote($data);
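Review bot: The path-stripping regex in validateFilename, `$filename =~ s/^.*[\/\\]//;`, uses `^` and `.` without `/s`, so on a browser-supplied name containing an embedded newline only the portion after the newline is examined and a directory component ahead of it survives into the stored name; anchoring with `\A` and adding `/s` makes the strip apply to the whole string: `$filename =~ s{\A.*[/\\]}{}s;`. The comment's "only a hint to users downloading attachments" suggests this value is later emitted to clients; if that is in a Content-Disposition header or in HTML (not visible here), stripping or rejecting CR/LF and other control characters at this point would be worth considering alongside the path removal, and a short comment recording that decision would help. The new file-scoped `my $filename` couples validateFilename to insert through hidden state — insert's `$filename = SqlQuote($filename)` in the second hunk silently produces `SqlQuote(undef)` if validation did not run first, so either have validateFilename return the cleaned name or add `defined $filename or ThrowCodeError(...)`-style guard before the quote. The body of insert continues outside the hunk.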