So here are the diffs...

>Hi,
>I programmed an add-on for the FAQ-Section. In our System it is now
>possible to add Attachments to FAQ-articles.
>The attachments are stored in ~/var/httpd/htdocs/otrs_faq (configurable
>in Config.pm $Self->{FAQDirectory}). For each FAQ-article there is a
>subdirectory whose name is the ID of the FAQ-article.
>When you view an article, Perl checks if there are any files in the
>corresponding directory and creates links to these files. You can then
>directly download the files from Apache (no "passthrough" with perl).
>I know this may be a security problem, because OTRS has no access
>control over these files (everyone who can guess the filename and path
>can download the file).
Files/Directories affected by my changes (changed or added):
./Kernel/Config.pm (2 new Config-Settings)
# Path in the filesystem where Attachments are stored
$Self->{FAQDirectory} = '/opt/otrs/var/httpd/htdocs/otrs_faq/';
# "Path in the Browser"
$Self->{FAQWebPath} = '/otrs-web/otrs_faq/';
./Kernel/Modules/FAQArticle.pm (added Upload-Functionality)
./Kernel/Output/HTML/xyz/FAQArticleForm.dtl (Upload-Input-field, Upload
delete)
./Kernel/Output/HTML/xyz/FAQArticleView.dtl (Upload-Links)
./Kernel/System/FAQ.pm
./Kernel/System/FAQ/ArticleStorageFS.pm (new module, Write Upload to FS)
./var/httpd/htdocs/otrs_faq/ (directory where attachments are saved)
I attached the diffs to this email. Diffs were made against OTRS 1.3
beta 1 with diff orig_file modified_file > file.diff
I hope you people can cope with that :-)
Volker
diff.tgz
Description: application/compressed-tar
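
The message above points out that attachments served directly by Apache are outside any access control. The following is an added example, not part of the original message or of OTRS: one way a Perl "passthrough" could map an article ID and file name to a file below FAQDirectory only after a permission check. The names resolve_attachment and user_may_read_article, the permission rule and the sample directory layout are hypothetical and constructed for illustration.

```perl
use strict;
use warnings;
use Cwd qw(realpath);
use File::Spec;
use File::Temp qw(tempdir);

# Hypothetical permission check (assumption): any authenticated user may read.
# A real handler would ask the application's session and group layer.
sub user_may_read_article {
    my ($user, $article_id) = @_;
    return defined $user && length $user ? 1 : 0;
}

# Map (article ID, file name) to a file below $base, or return nothing.
sub resolve_attachment {
    my ($base, $user, $article_id, $filename) = @_;
    # Sub-directories are named after the numeric FAQ article ID.
    return unless defined $article_id && $article_id =~ /\A[0-9]+\z/;
    # Bare file name only: no separators, no NUL byte, no "." or "..".
    return unless defined $filename && length $filename;
    return if $filename =~ m{[/\\\0]} || $filename =~ /\A\.\.?\z/;
    return unless user_may_read_article($user, $article_id);
    my $root = realpath($base);
    return unless defined $root;
    my $candidate = File::Spec->catfile($root, $article_id, $filename);
    return unless -f $candidate;
    # realpath resolves symlinks, so a link leading out of $root fails here.
    my $path = realpath($candidate);
    return unless defined $path && index($path, "$root/") == 0;
    return $path;
}

# Constructed sample layout: <base>/42/manual.pdf plus a file outside the base.
my $tmp  = tempdir(CLEANUP => 1);
my $base = "$tmp/otrs_faq";
mkdir $base      or die "mkdir: $!";
mkdir "$base/42" or die "mkdir: $!";
for my $file ("$base/42/manual.pdf", "$tmp/secret.txt") {
    open my $fh, '>', $file or die "open $file: $!";
    print {$fh} "sample\n";
    close $fh;
}

for my $case (['agent1', '42', 'manual.pdf'], [undef, '42', 'manual.pdf'],
              ['agent1', '42', '../../secret.txt'], ['agent1', '../..', 'secret.txt']) {
    my ($user, $id, $name) = @$case;
    my $path = resolve_attachment($base, $user, $id, $name);
    printf "%-8s %-6s %-18s => %s\n", $user // '(none)', $id, $name, defined $path ? 'serve' : 'refuse';
}
```

For this to have any effect the attachment directory must sit outside the web server's document root, or be denied in the server configuration, so that the handler is the only route to the files.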
