This mail is an automated notification from the bugs tracker
of the project: Savane.
/**************************************************************************/
[bugs #676] Latest Modifications:
Changes by:
Mathieu Roy <[EMAIL PROTECTED]>
Date:
Wed 08.09.2004 at 09:19 (Europe/Paris)
What | Removed | Added
---------------------------------------------------------------------------
Assigned to | yeupou | ype
/**************************************************************************/
[bugs #676] Full Item Snapshot:
URL: <http://gna.org/bugs/?func=detailitem&item_id=676>
Project: Savane
Submitted by: Mathieu Roy
On: Mon 06.09.2004 at 18:58
Category: None
Severity: 1 - Trivial
Priority: A - Later
Resolution: None
Privacy: Public
Assigned to: ype
Status: Open
Release: 1.0.1-CERN
Planned Release:
Summary: (CERN) Fix code related to email addresses in case of 'add cc'
Original Submission:
Fix code related to email addresses in case of 'add cc'
- include/trackers_run/index.php
Comments
------------------
-------------------------------------------------------
Date: Tue 07.09.2004 at 17:40 By: Mathieu Roy <yeupou>
Yves, can you provide details about this item: what does it fix exactly?
-------------------------------------------------------
Date: Tue 07.09.2004 at 17:15 By: Mathieu Roy <yeupou>
Sorry, this comment was for bug #678
-------------------------------------------------------
Date: Tue 07.09.2004 at 17:06 By: Mathieu Roy <yeupou>
About
http://savannah.cern.ch/bugs/?func=detailitem&item_id=4065
-> It is not a bug that the update is sent even if the attachment failed, since we do
not refuse the bug posting and the rest of the submitted data is well registered.
-> strlen() is maybe not very efficient for large files, but what else? BTW, on large
files, apache/PHP should drop the request by itself.
-> I believe it is on purpose that the filesize test is made after the addslashes().
Otherwise, why not use only filesize()? It is confusing for users, I'm willing to
admit it. But file upload is something very sensitive when it comes to webservers,
frequently used for exploits. We're forced to rush addslashes() when inserting data in
the database to avoid malicious exploits. But I guess someone could act maliciously if
we do filesize checks before the addslashes: someone could forge a file to triple the
size after the addslashes() call, so he could upload a file way way bigger than the
limit that would pass the check.
So in fact, we should probably explain the reason for the refusal in more detail, but
not change the test.
CC List
-------
CC Address | Comment
------------------------------------+-----------------------------
ype |
For detailed info, follow this link:
<http://gna.org/bugs/?func=detailitem&item_id=676>
_______________________________________________
Message posted via Gna!
http://gna.org/
_______________________________________________
Savane-dev mailing list
[EMAIL PROTECTED]
https://mail.gna.org/listinfo/savane-dev
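
The ordering discussed in the 17:06 comment above (length test before or after addslashes()), as an added example that is not Savane's code: it compares the two orderings on constructed input and builds the more detailed refusal message the comment asks for. The limit, the function names and the sample payloads are assumptions made for the illustration.

```php
<?php
// Added illustration; not code from Savane. The limit and all function
// names are hypothetical, and the sample payloads are constructed.
const MAX_ATTACHMENT_BYTES = 1000;

// Length test on the raw upload, escaping afterwards: the string handed
// to the query can be longer than the limit.
function accept_check_before_escape(string $raw): ?string
{
    if (strlen($raw) > MAX_ATTACHMENT_BYTES) {
        return null; // refused
    }
    return addslashes($raw);
}

// Escaping first, length test afterwards: the limit applies to the
// escaped string that is placed in the query.
function accept_check_after_escape(string $raw): ?string
{
    $escaped = addslashes($raw);
    return strlen($escaped) > MAX_ATTACHMENT_BYTES ? null : $escaped;
}

// Refusal text that tells the user why a file under the limit on disk
// was still rejected.
function refusal_reason(string $raw): string
{
    return sprintf(
        'Attachment refused: %d bytes on disk, %d bytes once escaped, limit %d bytes.',
        strlen($raw), strlen(addslashes($raw)), MAX_ATTACHMENT_BYTES
    );
}

// Constructed samples: ordinary text, and content made only of quotes.
$samples = [
    'plain text' => str_repeat('a', 600),
    'all quotes' => str_repeat("'", 600),
];

foreach ($samples as $label => $raw) {
    $before = accept_check_before_escape($raw);
    $after  = accept_check_after_escape($raw);
    printf("%-10s raw=%d  check-before passes on %s, check-after passes on %s\n",
        $label, strlen($raw),
        $before === null ? 'nothing' : strlen($before) . ' bytes',
        $after === null ? 'nothing' : strlen($after) . ' bytes');
    if ($after === null) {
        echo '  ', refusal_reason($raw), "\n";
    }
}
```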