Log from IRC discussion:

[09:02:52] <nuclear_eclipse> texens: I assume you are the one who mailed mantisbt-help regarding attachments?
[09:03:12] <texens> yes :)
[09:03:31] <texens> I thought I should mail it rather than explain at length on the IRC
[09:03:34] <nuclear_eclipse> the short reply is that we do absolutely nothing
[09:03:48] <texens> oops..
[09:04:13] <nuclear_eclipse> by default, we store files in the database, but can optionally store them on the filesystem as well
[09:04:14] <texens> despite the fact that it allows one to upload even zip and .php, .js files
[09:04:19] <texens> hmm..
[09:04:43] <nuclear_eclipse> in the case of putting them in the database, the only option would be to run a scan against the in-memory file before database insertion
[09:05:45] <nuclear_eclipse> if storing on the filesystem, you could technically use a separate process to continually watch for new files in the attachments directory, and immediately scan them as they are added
[09:06:36] <nuclear_eclipse> however, I'm honestly not sure of the security/malware implications or effectiveness of either approach
[09:06:49] <texens> does Mantis have any hooks to call this *separate process* every time a new file is uploaded?
[09:07:03] <nuclear_eclipse> not currently
[09:08:11] <nuclear_eclipse> there have been requests to add plugin hooks around the attachment process, but I haven't yet found a reasonable way to support anything other than very specific usecases with those events, so I haven't implemented anything yet
[09:08:12] <texens> hmm.. I guess it would be a good idea to implement it. what do you say?
[09:11:41] <nuclear_eclipse> texens: we're always happy to accept and review code submissions :)
[09:12:01] <texens> sure, I'd love to volunteer on this one
[09:12:29] <nuclear_eclipse> texens: are you familiar with using Git?
[09:13:10] <texens> I'm well versed with svn, and it shouldn't be hard to learn git.
[09:13:24] <nuclear_eclipse> ok
[09:14:03] <nuclear_eclipse> if you want, you can set up a public repo on git.mantisforge.org that you can push to for sharing your code with other developers
[09:14:54] <nuclear_eclipse> if you need some documentation on using git, there's a small list of references in the online documentation at http://docs.mantisbt.org/master/en/developers/dev.appendix.html#DEV.APPENDIX.GIT
[09:16:49] <texens> thanks :)
[09:17:02] <nuclear_eclipse> regarding Mantis, you'll probably want to get familiar with how the event and plugin systems work; there's some documentation at http://docs.mantisbt.org/master/en/developers/ but the code is the best reference, found in mantisbt/core/event_api.php and mantisbt/core/plugin_api.php
[09:19:08] <texens> does mantis currently save the uploaded files in some sort of vault?
[09:19:36] <texens> vault = directory with strict permissions?
[09:19:59] <nuclear_eclipse> that's configurable; by default they all get stored into a single table in the database, otherwise it's up to the Mantis admin to set up a directory and tell Mantis where to put everything
[09:20:56] <nuclear_eclipse> naturally site admins should be creating a place for attachments outside of the webroot for security reasons, but Mantis won't complain about whatever their choice is
[09:22:01] <texens> nuclear_eclipse: it might not be possible for someone with shared hosting, to keep it outside of the webroot
[09:22:43] <nuclear_eclipse> correct, at which point they should be configuring some sort of .htaccess rules to prevent the files from being accessible through the webserver
--
John Reese
LeetCode.net
