Defect #26681

disk_filename of attachment when issue is created via mail

Added by Felix Muster 4 months ago. Updated 4 months ago.

Status: Closed
Start date:
Priority: Normal
Due date:
Assignee: -
% Done: 0%
Category: -
Target version: -
Resolution: Invalid
Affected version:

Description

Hello,

When an issue with an attachment is created via mail, the disk_filename of this attachment gets created with a hash function.

I think this is the code.
\xampp\Redmine\app\models\attachment.rb line 369:

    if filename =~ %r{^[a-zA-Z0-9_\.\-]*$}
      ascii = filename
    else
      ascii = Digest::MD5.hexdigest(filename)
      # keep the extension if any

How can I use the real filename? Like it's done with the other issues.

Thank you.

example.png (15.3 KB) Felix Muster, 2017-08-14 15:24

History

#1 Updated by Holger Just 4 months ago

As you can see in the code, we are using the original filename, as long as it follows some strict rules (i.e. only contains ASCII characters, numbers, underscore, hyphen and dot). If any other character (including a space) is included in the filename, we generate a hash from the filename and use it for storing the file on disk.

This is a security measure to ensure that the file storage is simple and does not cause nasty bugs even if some component fails to properly escape path names on access. If we allowed special chars (including spaces) there, some operations like shellouts working with the filename would be much more sensitive.

In any case, the disk_filename of an attachment is always Redmine-internal. It will not be exposed with any user-visible API and should not be relied on to be in a specific format. Also, since you can sometimes change the user-visible filename after upload, the disk_filename might not even reflect the external filename.
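The allowlist-or-hash rule described in the comment above, as an added Ruby sketch that is not Redmine's code and not part of the thread. The helpers `safe_disk_name` and `inside_storage?`, the storage directory `/srv/files` and the sample names are assumptions for illustration; beyond the quoted snippet, the sketch anchors the pattern to the whole string and also hashes `.` and `..`.

```ruby
require 'digest/md5'

# \A and \z anchor the whole string; Ruby's ^ and $ anchor each line, so this
# example uses \A/\z to keep a name with an embedded newline from passing.
SAFE_NAME = /\A[a-zA-Z0-9_.\-]+\z/
ONLY_DOTS = /\A\.+\z/                 # "." and ".." are directory references
EXTENSION = /(\.[a-zA-Z0-9]+)\z/

# Hypothetical helper (not Redmine's method): name to store an upload under.
def safe_disk_name(filename)
  raw = filename.b                    # match on bytes; bad encodings cannot raise
  return filename if raw.match?(SAFE_NAME) && !raw.match?(ONLY_DOTS)
  # MD5 is only a name-mangling step here, not an integrity or secrecy control.
  Digest::MD5.hexdigest(raw) + raw[EXTENSION, 1].to_s  # keep the extension if any
end

# True when joining disk_name onto storage_dir stays below storage_dir.
def inside_storage?(storage_dir, disk_name)
  root = File.expand_path(storage_dir)
  File.expand_path(disk_name, root).start_with?(root + File::SEPARATOR)
end

# Constructed sample names, as they might arrive on a mail attachment.
SAMPLES = ['example.png', 'holiday photo.png', 'résumé.pdf', '../../etc/passwd',
           '..', "ok.png\n; id", 'notes; v2 (final).txt'].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each do |name|
    disk = safe_disk_name(name)
    # /srv/files is a hypothetical storage directory.
    puts format('%-24s -> %-38s inside=%s', name.inspect, disk,
                inside_storage?('/srv/files', disk))
  end
end
```

Only `example.png` keeps its name; every other sample becomes 32 hex characters plus an optional alphanumeric extension, so the stored name needs no quoting or escaping wherever it is later used.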

#2 Updated by Toshi MARUYAMA 4 months ago

  • Description updated (diff)

#3 Updated by Toshi MARUYAMA 4 months ago

  • Status changed from New to Closed
  • Resolution set to Invalid
