Defect #26681

closed

disk_filename of attachment when issue is created via mail

Added by Felix Muster over 6 years ago. Updated over 6 years ago.

Status: Closed
Priority: Normal
Assignee: -
Category: -
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:
Resolution: Invalid
Affected version:

Description

Hello,

When an issue with an attachment is created via mail, the disk_filename of this attachment gets created with a hash function.

I think this is the code.
\xampp\Redmine\app\models\attachment.rb line 369:

    if filename =~ %r{^[a-zA-Z0-9_\.\-]*$}
      ascii = filename
    else
      ascii = Digest::MD5.hexdigest(filename)
      # keep the extension if any

How can I use the real filename? Like it's done with the other issues.

Thank you.


Files

example.png (15.3 KB) example.png Felix Muster, 2017-08-14 15:24
Actions #1

Updated by Holger Just over 6 years ago

As you can see in the code, we are using the original filename, as long as it follows some strict rules (i.e. only contains ASCII characters, numbers, underscore, hyphen and dot). If any other character (including a space) is included in the filename, we generate a hash from the filename and use it for storing the file on disk.

This is a security measure to ensure that the file storage is simple and does not cause nasty bugs even if some component fails to properly escape path names on access. If we allowed special chars (including spaces) there, some operations like shellouts working with the filename would be much more sensitive.

In any case, the disk_filename of an attachment is always Redmine-internal. It will not be exposed with any user-visible API and should not be relied on to be in a specific format. Also, since you can sometimes change the user-visible filename after upload, the disk_filename might not even reflect the external filename.
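
Added example (not Redmine's code and not part of the comment above): a Ruby sketch of the allowlist-or-hash naming described in this thread, run over constructed filenames. `storage_name`, `SAFE_NAME`, `SAFE_EXT` and the sample names are hypothetical; the whole-string anchors and the stricter first character are choices made for this example.

```ruby
require 'digest'

# Character allowlist from the snippet in the description, with two choices
# made for this example: \A and \z anchor the whole string (in Ruby, ^ and $
# anchor each line), and the first character may not be '.' or '-', so a
# stored name is never "..", a dotfile, or something a command reads as an
# option.
SAFE_NAME = /\A[a-zA-Z0-9_][a-zA-Z0-9_.\-]*\z/
# Extension kept after hashing: a dot followed by ASCII letters or digits.
SAFE_EXT = /(\.[a-zA-Z0-9]+)\z/

# Hypothetical helper: name to use on disk for an uploaded file.
def storage_name(filename)
  name = filename.to_s.b # match on raw bytes so invalid UTF-8 cannot raise
  return name.force_encoding('US-ASCII') if SAFE_NAME.match?(name)

  # Anything else is replaced by a hex digest, which only ever contains
  # [0-9a-f]. MD5 is used as in the snippet, purely to get a fixed alphabet.
  ext = name[SAFE_EXT, 1].to_s
  Digest::MD5.hexdigest(name) + ext
end

# Constructed sample upload names (not taken from the issue).
SAMPLES = [
  'report-v2.pdf',          # already within the allowlist
  'my file.png',            # space
  '../../etc/passwd',       # path separators
  '-rf',                    # would look like an option to a command
  '..',                     # allowed characters only, but not a usable name
  "ok.txt\n../x",           # first line alone would satisfy ^...$
  'photo;name.jpg',         # shell metacharacter
  'naïve résumé.docx',      # non-ASCII
  "\xFF\xFEbad.bin",        # invalid UTF-8 bytes
  ''                        # empty name
].freeze

# True when every stored name stays inside the allowlist.
def all_storage_names_safe?(names)
  names.all? { |n| SAFE_NAME.match?(storage_name(n)) }
end

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each { |n| puts format('%-24s -> %s', n.inspect, storage_name(n)) }
  puts "all safe: #{all_storage_names_safe?(SAMPLES)}"
end
```

Because the stored name is derived from the upload name rather than equal to it, the user-visible filename has to be kept separately, which matches the comment above that disk_filename is internal.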

Actions #2

Updated by Toshi MARUYAMA over 6 years ago

  • Description updated (diff)
Actions #3

Updated by Toshi MARUYAMA over 6 years ago

  • Status changed from New to Closed
  • Resolution set to Invalid