Edgewall Software

Opened 14 years ago

Closed 13 years ago

Last modified 13 years ago

#9280 closed defect (fixed)

IAttachmentManipulators cannot validate the attachment's filename field

Reported by: Carsten Klein <carsten.klein@…>
Owned by: Emmanuel Blot
Priority: normal
Milestone: 0.12.3
Component: attachment
Version: 0.12dev
Severity: normal
Keywords:
Cc:
Branch:
Release Notes:
API Changes:
Internal Changes:


In attachment.py#AttachmentModule#_do_save, setting attachment.filename is commented out.

Therefore, ticket manipulators cannot validate the filename easily, unless they reimplement part of the _do_save method.

In this patch

  • attachment.py

    256256        if not os.access(self.path, os.F_OK):
    257257            os.makedirs(self.path)
     258        # must reset self.filename prior insert
     259        self.filename = None
    258260        filename = unicode_quote(filename)
    259261        path, targetfile = create_unique_file(os.path.join(self.path,
    260262                                                           filename))
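
Review bot: the comment at new line 258 says the reset is required but not why, and the unconditional self.filename = None at new line 259 discards the value the caller set before create_unique_file has run. If that call fails, the attachment object is left with no filename, and the visible lines do not show it being assigned again. Suggest naming in the comment the check in insert() that depends on the filename being unset, and either restoring the previous value on failure or clearing it only at the point where the new name is assigned.
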
    631633        if not filename:
    632634            raise TracError(_('No file uploaded'))
    633635        # Now the filename is known, update the attachment resource
    634         # attachment.filename = filename
     636        # must be set so that validators can validate the filename
     637        attachment.filename = filename
    635638        attachment.description = req.args.get('description', '')
    636639        attachment.author = get_reporter_id(req, 'author')
    637640        attachment.ipnr = req.remote_addr
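
Review bot: the value assigned at new line 637 is the name as it stands at this point in _do_save, while insert() later passes it through unicode_quote and create_unique_file, so a manipulator validates a name that can differ from the one finally used on disk. Suggest saying so in the comment at new line 636, so that validators are not written as if they saw the stored name. The patch touches only attachment.py; a test with a manipulator that rejects on attachment.filename would keep this line from being commented out again.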

the filename will be set, and, since it causes problems with Attachment#insert when doing so prior to the attachment being inserted, in the insert method the filename will be reset to None.
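
What a filename check in an attachment manipulator can look like once attachment.filename is populated before validation, as an added example that is not part of the ticket or of Trac's code. The allow list, the length limit, FilenamePolicy and StubAttachment are assumptions made for the illustration; the (field, message) return shape follows Trac's IAttachmentManipulator.validate_attachment.

```python
import os
import unicodedata

# Constructed policy for this example; these are not Trac defaults.
ALLOWED_EXTENSIONS = {'.txt', '.log', '.png', '.patch', '.diff'}
MAX_LENGTH = 100


def filename_problems(filename):
    """Return (field, message) tuples, the shape validate_attachment() returns."""
    if not filename:
        # What a manipulator sees when attachment.filename was never assigned.
        return [('filename', 'attachment has no filename to validate')]
    name = unicodedata.normalize('NFC', filename)
    problems = []
    if len(name) > MAX_LENGTH:
        problems.append(('filename', 'name is longer than %d characters' % MAX_LENGTH))
    if '/' in name or '\\' in name or name in ('.', '..'):
        problems.append(('filename', 'name contains a path component'))
    if any(unicodedata.category(ch) in ('Cc', 'Cf') for ch in name):
        problems.append(('filename', 'name contains control or format characters'))
    if name.startswith('.') or name.endswith(('.', ' ')):
        problems.append(('filename', 'name starts with a dot or ends with a dot or space'))
    if os.path.splitext(name)[1].lower() not in ALLOWED_EXTENSIONS:
        problems.append(('filename', 'file type is not on the allow list'))
    return problems


class FilenamePolicy(object):
    """Hypothetical manipulator. In a plugin: subclass trac.core.Component
    and declare implements(trac.attachment.IAttachmentManipulator)."""

    def prepare_attachment(self, req, attachment, fields):
        pass  # nothing to pre-fill in the upload form

    def validate_attachment(self, req, attachment):
        return filename_problems(attachment.filename)


class StubAttachment(object):
    """Constructed stand-in carrying only the attribute the check reads."""
    def __init__(self, filename=None):
        self.filename = filename


if __name__ == '__main__':
    # Constructed sample names.
    for sample in (None, 'trace.log', '../../trac.ini', 'trace\r\n.log'):
        print(repr(sample), FilenamePolicy().validate_attachment(None, StubAttachment(sample)))
```

The first sample is the case the ticket describes: with the assignment commented out, every upload reaches the manipulator with filename set to None.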

Attachments (0)

Change History (5)

comment:1 by Remy Blank, 14 years ago

Milestone: 0.12 → next-minor-0.12.x

Not a regression, not critical → not for 0.12.

comment:2 by Emmanuel Blot, 13 years ago

Owner: set to Emmanuel Blot

comment:3 by Emmanuel Blot, 13 years ago

Milestone: next-minor-0.12.x → 0.12.3
Resolution: fixed
Status: new → closed

Fixed in [10695]

comment:4 by Emmanuel Blot, 13 years ago (in reply to: 3)

Replying to eblot:

Fixed in [10695]

Proper commit message should have been:

0.12.3dev: fixed attachment filename issue (#9280)

editing svn:log is not allowed.

comment:5 by Christian Boos, 13 years ago (in reply to: 4)

Replying to eblot:

editing svn:log is not allowed.

Well, yes, since we have git & mercurial mirrors, we disabled that in order to not have different commit logs between the systems.
