Defect #13760
Closed
Forward slashes in project name confuse attachment controller and give 404 when downloading
Description
If the project name contains a forward slash (/), no attachments can be downloaded, as it confuses the attachments controller with a subdirectory within the files directory. I wonder why the URL routing to the attachment download contains the project name and issue number; is it for security? /attachments/id is enough, I believe, and the authorization module should take care of the rest.
your database manager version: MySQL 5.5.24-0ubuntu0.12.04.1
your Ruby version: ruby 1.8.7 (2011-06-30 patchlevel 352) [i686-linux]
your Rails version: 2.3.14
Error from Apache2 log:
HOST:IP- - [12/Apr/2013:21:30:34 +0000] "GET /attachments/2478/V%2Ff%20Controller%20-%20Test_332_Revision%20version-1.docx HTTP/1.1" 404 549 "http://HOST/issues/332" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_3) AppleWebKit/536.28.10 (KHTML, like Gecko) Version/6.0.3 Safari/536.28.10"
Updated by Ivan Cenov over 11 years ago
I cannot reproduce in Redmine 2.3.0:
Created project with name 'slash/inname'.
Created an issue in it and attached a file ('about.php') to this issue.
Then I was able to download and view this file in a text editor.
Updated by Toshi MARUYAMA over 11 years ago
- Status changed from New to Closed
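The request in the logged line carries an encoded slash (`%2F`) in its last path segment. The Ruby sketch below is an added example, not Redmine's routing code and not part of the original thread; it shows how the order of percent-decoding and segment splitting decides whether such a path still matches an `/attachments/:id/:filename` shape. The route shape and all method names are assumptions, and the thread does not establish which layer returned the 404.

```ruby
# Added illustration; not Redmine's routing code. All method names are hypothetical.

# Request path copied from the Apache log line in the report.
LOGGED_PATH = "/attachments/2478/V%2Ff%20Controller%20-%20Test_332_Revision%20version-1.docx"

# Minimal percent-decoder (leaves "+" alone, unlike form decoding).
def percent_decode(str)
  str.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }.force_encoding("UTF-8")
end

# True when the path starts with "attachments" followed by a numeric id.
def attachment_prefix?(segs)
  segs[0] == "attachments" && segs[1].to_s.match?(/\A\d+\z/)
end

# Decode the whole path, then split: %2F becomes a real separator, the
# segment count changes, and the three-segment route no longer matches.
def route_decode_first(raw_path)
  segs = percent_decode(raw_path).split("/").reject(&:empty?)
  return nil unless segs.length == 3 && attachment_prefix?(segs)
  { id: segs[1].to_i, filename: segs[2] }
end

# Split on literal "/" first, then decode each segment on its own.
def route_split_first(raw_path)
  segs = raw_path.split("/").reject(&:empty?)
  return nil unless segs.length == 3 && attachment_prefix?(segs)
  # The decoded name may contain "/": use it as a display label only and
  # locate the stored file by id, never by joining this name onto a directory.
  { id: segs[1].to_i, filename: percent_decode(segs[2]) }
end

# The shape suggested in the report: resolve on the id alone, ignore the rest.
def route_by_id(raw_path)
  segs = percent_decode(raw_path).split("/").reject(&:empty?)
  return nil unless segs.length >= 2 && attachment_prefix?(segs)
  { id: segs[1].to_i }
end

if __FILE__ == $PROGRAM_NAME
  p route_decode_first(LOGGED_PATH)  # no match
  p route_split_first(LOGGED_PATH)   # match, filename contains "/"
  p route_by_id(LOGGED_PATH)         # match on id only
end
```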