
[2.0] encrypted attachment file names and FTP

Rommeo:
emanuele,
please read this topic too:
http://www.simplemachines.org/community/index.php?topic=476904.msg3336561#msg3336561

I was backing up 'nothing' actually for months!

The webmaster forums in my language also declare this as a bug.
And you have no warning at all.

Arantor:
Well, the name is mangled including a random element; however, I'd still not include the original extension in its name in case there is a problem with the filename's generation, e.g. a new vulnerability in SHA1 is discovered reducing its distribution.

MrPhil:
Fine. But at least tell any FTP client (especially FileZilla) to download in binary (.doc) or, even better, the correct mode (.doc or .txt). Let's stop screwing our loyal customers by knowingly producing bad backups (as many will use FileZilla).

Arantor:
Well, earlier versions of FileZilla even treated .doc as text, as do certain other old clients.

Why not just use a generic extension that will always produce binary in all of the currently available FTP clients? If I upload something as a text file, I do not want it modified as part of a backup, because that's what we're really talking about here.

If I upload a file in Unix mode, I want it BACK like that. It's actually the same logic that led to SMF trying to serve text files with inline conversion, a practice deprecated in later 2.0 RCs.

In any case, I just set it to always stick .ext on the end. That way every client I've tested with always uses binary for everything.
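The mechanism behind the two posts above (an auto-mode FTP client picking ASCII transfer for a file whose name has no recognisable extension, and a fixed ".ext" suffix forcing binary) can be shown in a small simulation. This is an added example, not code from the thread, from SMF or from FileZilla: the extension table, the "no extension means ASCII" rule, the salt and the mangling shape (attachment id, underscore, SHA-1) are all constructed assumptions in the spirit of what the posts describe, and the sample attachments are constructed bytes.

```python
import hashlib
import posixpath

# Names an 'auto'-mode FTP client sends as text. Constructed, illustrative list (the thread
# notes that old FileZilla builds treated .doc as text); not FileZilla's real table.
TEXT_EXTENSIONS = {"txt", "htm", "html", "php", "css", "js", "csv", "doc"}

# Stand-in for the per-installation random element mentioned in the thread (constructed value).
ATTACHMENT_SALT = "example-salt-not-real"


def transfer_mode(filename: str) -> str:
    """Model of an auto-mode client: ASCII for text-looking extensions and, as an assumption
    about such clients, for names with no extension at all; binary otherwise."""
    base = posixpath.basename(filename)
    if "." not in base:
        return "ascii"
    ext = base.rsplit(".", 1)[1].lower()
    return "ascii" if ext in TEXT_EXTENSIONS else "binary"


def ascii_mode_download(payload: bytes) -> bytes:
    """Simulate an ASCII-mode transfer from a Unix server to a Windows client: every LF is
    rewritten as CRLF. In a binary file any 0x0A byte is data, so the copy is silently damaged."""
    return payload.replace(b"\n", b"\r\n")


def mangled_name(id_attach: int, original_name: str, keep_ext_suffix: bool) -> str:
    """Illustrative mangling in the shape the thread describes (attachment id, then a SHA-1 over
    the name plus a random element); this is NOT SMF's own routine. With keep_ext_suffix a fixed
    '.ext' is appended: the suffix reveals nothing about the file, but clients treat it as binary."""
    digest = hashlib.sha1(f"{id_attach}:{original_name}:{ATTACHMENT_SALT}".encode()).hexdigest()
    name = f"{id_attach}_{digest}"
    return name + ".ext" if keep_ext_suffix else name


def simulate_backup(files, keep_ext_suffix: bool) -> dict:
    """Store each (id, original name, bytes) under its mangled name, pull it through the modelled
    client, and record the mode used and whether the copy is byte-identical to the original."""
    report = {}
    for id_attach, original_name, payload in files:
        stored = mangled_name(id_attach, original_name, keep_ext_suffix)
        mode = transfer_mode(stored)
        received = payload if mode == "binary" else ascii_mode_download(payload)
        report[stored] = {
            "original": original_name,
            "mode": mode,
            # Comparing digests of source and copy is the check a backup job should run anyway.
            "intact": hashlib.sha1(received).digest() == hashlib.sha1(payload).digest(),
        }
    return report


def corrupted_originals(files, keep_ext_suffix: bool) -> list:
    """Original names of the attachments that would not survive the backup round trip."""
    report = simulate_backup(files, keep_ext_suffix)
    return sorted(entry["original"] for entry in report.values() if not entry["intact"])


# Constructed sample attachments. The PNG signature deliberately contains both CRLF and a
# bare LF so that exactly this kind of line-ending conversion becomes detectable.
SAMPLE_FILES = [
    (1, "photo.png", b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR\x00\x00\x00\x10"),
    (2, "notes.txt", b"first line\nsecond line\n"),
    (3, "report.doc", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1\n\x00\x00\x00"),
]

if __name__ == "__main__":
    for keep in (False, True):
        label = "with .ext suffix" if keep else "bare mangled names"
        print(f"{label}: damaged copies = {corrupted_originals(SAMPLE_FILES, keep)}")
```

With bare mangled names every sample file, the Unix-style text file included, comes back altered, which is the "backing up nothing" outcome Rommeo reported; with the ".ext" suffix every copy is byte-identical. The digest comparison in `simulate_backup` is the point for an operator: a backup that is never compared against the source cannot reveal this class of damage.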

emanuele:

--- Quote from: MrPhil on May 17, 2012, 11:32:36 AM ---
I would be as worried about the attachment ID prepended to the front of the mangled name as I would a correct extension. As long as neither provides any clue as to how the name can be unmangled (or, how the known name being sought was mangled in the first place), it's probably safe.
--- End quote ---
You know very well that at the moment SMF comes with the default attachment directory containing both an index.php and an .htaccess to avoid executing php files.
And I assume you know very well that at the moment (should be fixed in 2.1, but you never know how things go with servers) these files are not present in directories created by the users.

* emanuele wonders: what would happen if you put a file with extension php in a directory that is allowed to execute php files and you reach it from the browser or other means?
What would happen if you put a file without extension in a directory that is allowed to execute php files and you reach it from the browser or other means?


--- Quote from: MrPhil on May 17, 2012, 11:47:43 AM ---
--- Quote ---On a general level (and again not at SMF development level): instead of being here complaining with SMF about this "bug" you should go to fileZilla and complain about *their* bug first.

--- End quote ---
According to the links that you provided, people (including phpBB developers) have been complaining to the FZ folks for years about this problem, and have been stonewalled the entire time. It ain't gonna happen. SMF needs to make its system invulnerable to damage from FZ's bad design, and not try to persuade them to fix things.

--- End quote ---
I know what I provided and I know why I wrote that sentence: if 1 developer doesn't make much difference, maybe a few hundred end users could make the FileZilla developers change their mind. ;)
