Comment on [#7646] Driver 'file' fails to open files with '..' anywhere in name
> This may already be fixed upstream in latest head, and if so, please
> forgive. I am using 1.0.3 because it's what's in Ubuntu 8.04 LTS's
> repository as of the latest apt-get update.
>
> When using the 'file' VFS driver on a Linux host using Horde 3.1.7,
> IMP H3 4.1.4 and Gollem H3 1.0.3, users are unable to open (or attach
> to IMP outgoing messages), any files that contain '..' anywhere in
> the file name. Test case:
>
> Create a file in a VFS share with the filename 'test.pdf'. Opens correctly.
>
> Rename the file to 'test..pdf'. The file will silently fail to attach
> to IMP messages, and will fail to view with the following error:
>
> -------------------------------------------------
>
> Warning: file_get_contents(/vfsdir/horde//filepdf)
> [function.file-get-contents]: failed to open stream: No such file or
> directory in /usr/share/horde3/lib/VFS/file.php on line 82
>
> Warning: Cannot modify header information - headers already sent by
> (output started at /usr/share/horde3/lib/VFS/file.php:82) in
> /usr/share/horde3/lib/Horde/Browser.php on line 978
>
> Warning: Cannot modify header information - headers already sent by
> (output started at /usr/share/horde3/lib/VFS/file.php:82) in
> /usr/share/horde3/lib/Horde/Browser.php on line 984
>
> Warning: Cannot modify header information - headers already sent by
> (output started at /usr/share/horde3/lib/VFS/file.php:82) in
> /usr/share/horde3/lib/Horde/Browser.php on line 1003
>
> -----------------------------------------------
>
> Solution: I opened up /usr/share/horde3/lib/VFS/file.php and found
> the error inside of _getNativePath where '..' is replaced with ''.
> The reason for this is obvious (security), but the method failed to
> take into account situations like this where the user just
> accidentally put two ..'s before an extension. I replaced the
> str_replace call with an ereg_replace call to only do this at the
> beginning of the filename. Works like a charm. I tried naming files
> things like '../sneakyfile.pdf' and such, and gollem wasn't freaked
> out by any tests I could do.
>
> Patch is attached to bug report in unified diff format.
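
An added example, not part of the ticket and not Horde's VFS code: one way to keep a name such as 'test..pdf' intact while still refusing parent-directory references is to check whole path segments rather than delete the substring '..'. The function name `vfs_native_path` and the sample inputs are assumptions for illustration, and the code needs PHP 7.1 or later.

```php
<?php
// Added example: not Horde's VFS code. vfs_native_path() is a hypothetical name.

/**
 * Build a native path under $root from a VFS path and a file name.
 * Refuses any path segment equal to '..' instead of deleting the
 * substring '..', so a name like 'test..pdf' is left untouched.
 */
function vfs_native_path(string $root, string $path, string $name): string
{
    if (strpos($path . $name, "\0") !== false) {
        throw new InvalidArgumentException('NUL byte in path');
    }
    // Split on '/' and '\' so both separator styles are checked.
    $parts = preg_split('#[/\\\\]+#', $path . '/' . $name, -1, PREG_SPLIT_NO_EMPTY);
    $segments = [];
    foreach ($parts as $part) {
        if ($part === '..') {
            throw new InvalidArgumentException('parent-directory segment');
        }
        if ($part !== '.') {          // '.' has no effect, drop it
            $segments[] = $part;
        }
    }
    return rtrim($root, '/') . '/' . implode('/', $segments);
}

// Constructed inputs. '/vfsdir/horde' is taken from the path in the report's warning.
$samples = [
    ['',           'test.pdf'],
    ['',           'test..pdf'],
    ['docs',       '..notes..txt'],
    ['',           '../sneakyfile.pdf'],
    ['docs/../..', 'sneakyfile.pdf'],
];
foreach ($samples as [$path, $name]) {
    // The substring deletion the report describes, for comparison.
    $stripped = str_replace('..', '', $name);
    try {
        $native = vfs_native_path('/vfsdir/horde', $path, $name);
        echo "$name -> $native (substring deletion gives: $stripped)\n";
    } catch (InvalidArgumentException $e) {
        echo "$name in '$path' rejected: ", $e->getMessage(), "\n";
    }
}
```

Rejecting the request outright, rather than rewriting the name, also means the stored name and the opened name can never silently differ.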