Redmine renames my files, it shouldn't.
Assignee: Jean-Philippe Lang
Redmine renames files with spaces in their name. This shouldn't happen as it violates the least surprise principle.
In practice, I have an app where original filenames are relevant (and most had spaces in them), and when using Redmine to work with them everybody has to go on an underscore-replacing rampage, which is not nice.
So, please, do not rename my files.
#1 Updated by Nistor B. over 3 years ago
- File attachment.rb added
- Status changed from New to Resolved
- Assignee set to Jean-Philippe Lang
- % Done changed from 0 to 50
Here is a possible fix. There is a file name conversion in Attachment.sanitize_filename.
The only problem I see is that on disk the file name will be stored in hex, I think.
The file on disk had another name anyway but now it's unreadable.
On the interface it's fine now and the download is fine.
Suggest another, better solution. I would like to provide a better fix if this is wrong.
#2 Updated by Vinko Vrsalovic over 3 years ago
I personally don't mind if files are stored as hex or similar on disk as long as there is a rake task to obtain the name from the hex code and vice versa.
I think that the common use case is to handle files through the web interface and the uncommon case is to handle them directly in the filesystem. So a helper for the uncommon case would be enough.
#3 Updated by Nistor B. over 3 years ago
From the Rails guide http://guides.rubyonrails.org/security.html there is a suggestion:
    # Finally, replace all non alphanumeric, underscore
    # or periods with underscore
    name.gsub! /[^\w\.\-]/, '_'

This is what is generating this bug.
This is recommended as best practice but really it isn't.
I worked with PHP for a while and the 2 best security books on PHP do not mention character replacement on upload.
Unfortunately, this replacement is generating unwanted/unexpected user behavior; in my opinion it's indeed a bug.
The better solution is to validate the file name.
We should decide what characters should be allowed in the file name (space, alphanumerics, underscore, etc.) and validate the file name accordingly.
The validation message should specify which are the allowed characters.
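
The validate-instead-of-rename approach discussed in this thread, as an added example that is not part of the original issue and is not Redmine's own code. The allowlist, the method names `validate_filename` and `register_upload`, the random hex disk name and the in-memory index are all assumptions made for illustration.

```ruby
require 'securerandom'

# Assumed allowlist: ASCII letters, digits, underscore, space, dot, hyphen.
# Anchored with \A and \z (not ^ and $) so a name with an embedded newline
# cannot pass on its first line alone.
ALLOWED = /\A[\w .\-]+\z/
ALLOWED_DESC = 'letters, digits, space, underscore, dot and hyphen'
MAX_LENGTH = 255

class InvalidFilename < StandardError; end

# Validate the client-supplied name instead of rewriting it, so that
# "my report.pdf" keeps its spaces. Returns the name or raises.
def validate_filename(raw)
  # Keep only the last path component; the client may send a full path.
  name = raw.to_s.split(%r{[/\\]}).last.to_s
  raise InvalidFilename, 'file name is empty' if name.strip.empty?
  if name.length > MAX_LENGTH
    raise InvalidFilename, "file name is longer than #{MAX_LENGTH} characters"
  end
  if name.match?(/\A\.+\z/)
    raise InvalidFilename, 'file name must not consist only of dots'
  end
  unless name.match?(ALLOWED)
    # The message names the allowed characters, as suggested in comment #3.
    raise InvalidFilename, "file name may contain only #{ALLOWED_DESC}"
  end
  name
end

# Store the upload under a random hex name. The original name is kept as
# metadata only and is never used to build a filesystem path, which is what
# makes it safe to stop replacing characters in it.
# `index` (hypothetical) maps disk name -> original name, the lookup a
# helper task would use to go from the hex name back to the real one.
def register_upload(raw_name, index)
  original = validate_filename(raw_name)
  disk = SecureRandom.hex(16)
  index[disk] = original
  { filename: original, disk_filename: disk }
end
```
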