
Problems with users downloading files from forum post

epipen New
edited March 2014 in Vanilla 2.0 - 2.8

Please view this screencast as an example

removed at user's request

When a user tries to download a file, the file, instead of downloading as, say, "test.docx", downloads with a file name such as "ajele2424jlklskdj4.docx", and for some users this file has shown up as incomprehensible streams of text characters, as if it is encoded.

Any idea how to fix this? All users have access to download attached files.

Comments

  • hgtonight ∞ · New Moderator

    On upload, the original filename is stored in the db. The file on disk is given a unique name to avoid collisions.

    The other issue can be sidestepped by right clicking on the file link and selecting save as. I am pretty sure this is caused by a browser (mis)configuration. Can you verify the file downloads correctly via the context menu (right click)?

    Search first

    Check out the Documentation! We are always looking for new content and pull requests.

    Click on insightful, awesome, and funny reactions to thank community volunteers for their valuable posts.

  • When you right click and save as, the file comes up as a .htm. This is all good and fine for me, but confusing for our users.

    The settings of IE are default and have been reset to default in the tools/advanced settings and what not. I would tend to rule out misconfiguration for that reason.

    No issue with doc, pdf, zip. For now I have zipped the file.

    Is there any way to disable the "unique name" setting?

    When you use Chrome, the download starts automatically with only the unique name issue.

  • R_J Ex-Fanboy Munich Admin

    I think you would have to overwrite the core's class.upload.php :(

    public function GenerateTargetName($TargetFolder, $Extension = 'jpg', $Chunk = FALSE) {
       if (!$Extension) {
          $Extension = trim(pathinfo($this->_UploadedFile['name'], PATHINFO_EXTENSION), '.');
       }

       do {
          if ($Chunk) {
             $Name = RandomString(12);
             $Subdir = sprintf('%03d', mt_rand(0, 999)).'/';
          } else {
             $Name = RandomString(12);
             $Subdir = '';
          }
          $Path = "$TargetFolder/{$Subdir}$Name.$Extension";
       } while(file_exists($Path));
       return $Path;
    }
    

    Filename must be sanitized (length and characters) and afterwards you would have to check for duplicate filenames and add something like a counter to duplicates.
    That should work, but I wouldn't do that if I were you.


  • Well, it seems to have saved the original file name in the DB, because when you mouse over an uploaded file it shows the original file name. Is there some way to have the file be offered with the original file name when a download is requested?

    (That is to say, I understand the reason for having a unique file name stored in the database but am trying to work around it still.)

  • hgtonight ∞ · New Moderator

    I would look into modifying the file name before sending it back to the user. You would have to create a new function that the download link refers to. Something like /fileupload/download/{MEDIA_ID}. Then modify the headers and just read out the file.

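    public function Controller_Download($Sender) {
      $MediaID = $Sender->RequestArgs[0];
      $Media = $this->MediaModel()->GetID($MediaID);

      if ($Media) {
        ob_clean();
        // The stored name comes from the uploader: drop control characters,
        // quotes and path separators before putting it in a header.
        $Name = preg_replace('/[\x00-\x1F\x7F"\\\\\/]/', '', $Media->Name);
        header('Content-Disposition: attachment; filename="'.$Name.'"');
        readfile(Url(MediaModel::Url($Media)));
        exit(0);
      }
      else {
        throw NotFoundException('Media');
      }
    }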
    

    This is just a starting point and would require some testing. Let me know if it works at all.


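Added example (not part of the thread and not Vanilla's own code): one way to build the download headers from the original name stored in the database, given that the name was chosen by the uploader. The function names `safeDownloadName` and `downloadHeaders` are hypothetical, the sample names are constructed, and the truncation step assumes the mbstring extension.

```php
<?php
// Added example; function names are hypothetical, not Vanilla APIs.

/** Reduce an uploader-supplied file name to one that is safe to put in a header. */
function safeDownloadName(string $original, string $fallback = 'download', int $maxStem = 100): string
{
    // Keep only the last path component; treat "\" as a separator too.
    $norm = str_replace('\\', '/', $original);
    $name = substr(strrchr('/' . $norm, '/'), 1);
    // Remove control characters (including CR/LF) and the double quote
    // that would terminate the quoted filename parameter.
    $name = preg_replace('/[\x00-\x1F\x7F"]/', '', $name);
    $name = trim($name, ' .');
    if ($name === '') {
        return $fallback;
    }
    // Cap the stem length but keep the extension (needs mbstring).
    $dot  = strrpos($name, '.');
    $stem = $dot === false ? $name : substr($name, 0, $dot);
    $ext  = $dot === false ? '' : substr($name, $dot);
    return mb_substr($stem, 0, $maxStem, 'UTF-8') . $ext;
}

/** Header lines for a forced download (RFC 6266: ASCII fallback plus filename*). */
function downloadHeaders(string $originalName): array
{
    $name  = safeDownloadName($originalName);
    $ascii = preg_replace('/[^\x20-\x7E]/', '_', $name);
    return [
        'Content-Type: application/octet-stream',
        'X-Content-Type-Options: nosniff',
        sprintf("Content-Disposition: attachment; filename=\"%s\"; filename*=UTF-8''%s",
            $ascii, rawurlencode($name)),
    ];
}

// Constructed sample names, as an uploader might supply them.
$samples = [
    'test.docx',
    '../../etc/passwd',
    "report\r\nSet-Cookie: x=1.docx",
    'résumé "final".docx',
];
foreach ($samples as $sample) {
    echo implode("\n", downloadHeaders($sample)), "\n\n";
}
```

The file on disk keeps its random name; only the name offered to the browser changes, so the collision avoidance in `GenerateTargetName` is untouched.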