authormyk%mozilla.org <>2002-11-09 10:23:06 +0100
committermyk%mozilla.org <>2002-11-09 10:23:06 +0100
commit3619b6e9f63fd0c1352a3eeddb8339e1bc362e57 (patch)
treec9faf4768eac610bb1547cbb626dcf6be5a24e59 /checksetup.pl
parent486a739cc6c5b42f276820a2bfe5a0ce6f18448e (diff)
Fix for bug 178841: removes full paths from filenames in attachments table and prevents them from appearing again
r=gerv,bbaetz a=justdave
Diffstat (limited to 'checksetup.pl')
-rwxr-xr-xchecksetup.pl34
1 files changed, 33 insertions, 1 deletions
diff --git a/checksetup.pl b/checksetup.pl
index aa91c3a34..cd02538b3 100755
--- a/checksetup.pl
+++ b/checksetup.pl
@@ -1353,7 +1353,7 @@ $table{attachments} =
description mediumtext not null,
mimetype mediumtext not null,
ispatch tinyint,
- filename mediumtext not null,
+ filename varchar(100) not null,
thedata longblob not null,
submitter_id mediumint not null,
isobsolete tinyint not null default 0,
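Review bot: The new `filename varchar(100) not null` caps stored filenames at 100 characters, but nothing in the commit looks for existing values longer than that before the column is narrowed, so the ChangeFieldType call in the second hunk (line `ChangeFieldType("attachments", "filename", "varchar(100) not null");`) would presumably leave them to the server's own truncation or rejection behaviour, depending on its SQL mode. The migration loop in that hunk only strips the directory part (`$filename =~ s/^.*[\/\\]//;`) and never shortens the basename. A small extension would select over-long rows too, `"OR LENGTH(filename) > 100"`, and trim them deterministically in the loop, e.g. `$filename = substr($filename, -100) if length($filename) > 100;` (keeping the tail so the extension survives), and print how many rows were touched so the operator can see what changed. The second hunk's enclosing block continues past the end of this view.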
@@ -3737,6 +3737,38 @@ if ($sth->rows == 0) {
}
+# 2002 November, myk@mozilla.org, bug 178841:
+#
+# Convert the "attachments.filename" column from a ridiculously large
+# "mediumtext" to a much more sensible "varchar(100)". Also takes
+# the opportunity to remove paths from existing filenames, since they
+# shouldn't be there for security. Buggy browsers include them,
+# and attachment.cgi now takes them out, but old ones need converting.
+#
+{
+ my $ref = GetFieldDef("attachments", "filename");
+ if ($ref->[1] ne 'varchar(100)') {
+ print "Removing paths from filenames in attachments table...\n";
+
+ $sth = $dbh->prepare("SELECT attach_id, filename FROM attachments " .
+ "WHERE INSTR(filename, '/') " .
+ "OR INSTR(filename, '\\\\')");
+ $sth->execute;
+
+ while (my ($attach_id, $filename) = $sth->fetchrow_array) {
+ $filename =~ s/^.*[\/\\]//;
+ my $quoted_filename = $dbh->quote($filename);
+ $dbh->do("UPDATE attachments SET filename = $quoted_filename " .
+ "WHERE attach_id = $attach_id");
+ }
+
+ print "Done.\n";
+
+ print "Resizing attachments.filename from mediumtext to varchar(100).\n";
+ ChangeFieldType("attachments", "filename", "varchar(100) not null");
+ }
+}
+
#
# Final checks...