Project

General

Profile

Actions

Defect #26681

closed

disk_filename of attachment when issue is created via mail

Added by Felix Muster over 7 years ago. Updated over 7 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Category:
-
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Resolution:
Invalid
Affected version:

Description

Hello,

when an issue with attachment is created via mail, the disk_filename of this attachment get created with an hash-function.

I think this is the code.
\xampp\Redmine\app\models\attachment.rb line 369:

    if filename =~ %r{^[a-zA-Z0-9_\.\-]*$}
      ascii = filename
    else
      ascii = Digest::MD5.hexdigest(filename)
      # keep the extension if any

How can I use the real filename? Like it's done with the other issues.

Thank you.


Files

example.png (15.3 KB) example.png Felix Muster, 2017-08-14 15:24
Actions #1

Updated by Holger Just over 7 years ago

As you can see in the code, we are using the original filename, as long as it follows some strict rules (i.e. only contains ascii characters, numbers, underscore, hyphen and dot). If any other character (including a space) is included in the filename, we are generating a hash from the filename and use it for storing the file on disk.

This is a security measure to ensure that the file storage is simple and does not cause nasty bugs even if some component fails to properly escape path names on access. If we would allow to include special chars (including spaces) there, some operations like shellouts working with the filename would be much more sensitive.

In any case, the disk_filename of an attachment is always Redmine-internal. It will not be exposed with any user-visible API and should not be relied on to be in a specific format. Also, since you can sometimes change the user-visible filename after upload, the disk_filename it might not even reflect the external filename.

Actions #2

Updated by Toshi MARUYAMA over 7 years ago

  • Description updated (diff)
Actions #3

Updated by Toshi MARUYAMA over 7 years ago

  • Status changed from New to Closed
  • Resolution set to Invalid
Actions

Also available in: Atom PDF