
downloads attachment mod needed


dvk01:
I need a mod or some way to keep the name of the attachment in the attachment folder (and the database obviously)
SMF renames attachments to what looks like a hash code

I have a forum where lots of attachments are uploaded & I need them to be backed up, but I don't have time to download each one individually, but I can download each day's via FTP. However without the real name I can't match it up to a post or user etc.
An alternative and a much better way would be under the browse files options under attachments & avatars in admin panel would be a select box to download any selected file or files

Arantor:
I don't see that happening any time soon. It was done the way it was done for security reasons, because a hacker discovered that if the file name was known, it could be exploited (and was done for a very large number of forums)

All you actually need to do to back them up is to select all of them, tell a decent FTP client to copy them, and then tell it to ignore any duplicates.

Note: do not use FileZilla in its default configuration, it damages the backups (you have to tell it to use binary mode instead of 'auto' for files without an extension), personally I use WinSCP and backing up attachments is easy then.

dvk01:
It is not so much backup, but I run a forum in co-operation with the majority of antivirus vendors and many new & undiscovered malware samples get submitted through there

It is important to keep the original file name for tracking purposes (I have added a tweak so the user name & date & time file is uploaded is part of the file name)

We needed a way to do a weekly or monthly bulk of all the files for those who miss individual ones
I have now found a way using downloadthemall addon in Firefox.

I honestly can't see how a known file name in attachments folder can be a security risk, unless the attachments are available to anyone instead of just members with the correct permissions to view or download them 

Arantor:
The original name is kept in the database and served to users. It's only hashed internally.

If the filename is known to users, they can just browse there directly. E.g. yourforum.com/attachments/myfile123.whatever

There are limited protections against this, but they won't work on all configurations by any means (it won't work on anything except Apache or Litespeed for example)

Now imagine that said attachment is a nasty PHP file that inserts its own code into anything it can find on the server. If you don't believe me, do a search on 'krisbarteo', the automated hack attack for 1.1.8 / 2.0 RC1 that broke into a very very large number of forums and was only able to do so because it was able to save itself with a known filename and then proceed to *call* that filename as a web page.
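The storage pattern described in this thread (a non-guessable name on disk, the original name kept only in the database) together with the bulk-backup need raised earlier, as an added example that is not part of the original posts and is not SMF's code. The table layout, column names and function names are hypothetical; the manifest also flags files in the attachment folder that the database does not know about.

```python
import os
import secrets
import sqlite3
import tempfile

def store_upload(db, attach_dir, original_name, uploader, data):
    """Save an upload under a random, extensionless name; keep the real name in the DB."""
    stored = secrets.token_hex(20)  # not derived from anything the uploader controls
    # O_EXCL refuses to overwrite an existing file; mode 0o600 sets no execute bit.
    fd = os.open(os.path.join(attach_dir, stored),
                 os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    db.execute(
        "INSERT INTO attachments (stored_name, original_name, uploader) VALUES (?, ?, ?)",
        (stored, original_name, uploader))
    return stored

def backup_manifest(db, attach_dir):
    """Map every file in the attachment folder back to its original name and uploader."""
    rows = {s: (o, u) for s, o, u in db.execute(
        "SELECT stored_name, original_name, uploader FROM attachments")}
    manifest = []
    for name in sorted(os.listdir(attach_dir)):
        # (None, None) marks a file with no database row: it was not stored by the forum.
        original, uploader = rows.get(name, (None, None))
        manifest.append((name, original, uploader))
    return manifest

def demo():
    """Constructed sample: one tracked upload plus one untracked file in the folder."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE attachments "
               "(stored_name TEXT PRIMARY KEY, original_name TEXT, uploader TEXT)")
    with tempfile.TemporaryDirectory() as attach_dir:
        stored = store_upload(db, attach_dir, "sample.php", "alice", b"constructed bytes")
        open(os.path.join(attach_dir, "stray.php"), "wb").close()
        return stored, backup_manifest(db, attach_dir)

if __name__ == "__main__":
    stored_name, manifest = demo()
    for row in manifest:
        print(row)
```

A backup taken over FTP can be paired with such a manifest so each stored file is matched to its original name without that name ever appearing in a web-reachable path.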
