Jiří Eichler wrote:
Man you are incredible.
I had to leave that part..
...
(I removed the part about the idiot however..)
...
I didn't think that it is a problem with PHP; it ran on Linux well.
It runs under Linux well, probably /only/ because the locale of the
process under which Apache + PHP is started, is a UTF-8 locale.
So by default, PHP is considering the filename string as UTF-8, and you
do not see the problem.
But if you want to make this really portable, you should also make sure
it always does it right under whatever OS and whatever locale.
Unfortunately, it is not easy, because the browser does not actually
tell you in which character set it sends the filename. So you have to
"believe" that this is /your/ <form>, and that the browser does it
correctly.
I still think that it is a bad idea to save the file under the original
name given by the browser, for a number of reasons.
Let me give you a couple more reasons:
1) It is easy for a hacker to create his own "HTTP agent" (browser).
He does not even have to create one, there are many programs available
that do that.
This client could send you a file named
"myfile.txt > /etc/passwd"
or "file.txt ; rm -r /*"
Then you, on the server, use that filename in another command, like
system("cat " . $filename . " > myotherfile");
Got the idea?
2) I once designed an application like that, for normal users, not
hackers. And they used it for a long time, without problems.
Then one day, years later, I had to move all these thousands of uploaded
files to another system. So, I used "tar" to create an archive of these
files, to move them to the other system.
Unfortunately, tar was crashing about every 50 files, because it got a
filename that it could not handle, like
"My grand-mother At the <Pizza Hut>. Near the place of John & Maria".png
(that being a simple case)
So it took me a lot of hours to move these files.
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
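One way to act on the advice in the message above, as an added PHP example (not code from the thread or from the Apache or PHP projects): the file is stored under a server-generated name, and the browser-supplied name is kept only as a display label. `UPLOAD_DIR`, `ALLOWED_EXT` and the three function names are assumptions made for illustration, and the mbstring extension is assumed to be loaded.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. UPLOAD_DIR, ALLOWED_EXT and the
// function names are assumptions; requires the mbstring extension.
const UPLOAD_DIR = '/var/uploads';
const ALLOWED_EXT = ['png', 'jpg', 'gif', 'txt', 'pdf'];

// Server-chosen name on disk: random hex plus a whitelisted extension.
function storage_name(string $clientName): string
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    return bin2hex(random_bytes(16)) . '.' . (in_array($ext, ALLOWED_EXT, true) ? $ext : 'bin');
}

// Display-only label kept as metadata (e.g. in a database), never used as a path.
function display_label(string $clientName): string
{
    // The browser does not declare a charset, so accept only valid UTF-8.
    if (!mb_check_encoding($clientName, 'UTF-8')) {
        return 'unnamed';
    }
    $name = basename(str_replace('\\', '/', $clientName)); // drop any path
    $name = preg_replace('/[\x00-\x1F\x7F]/u', '', $name) ?? ''; // drop control chars
    $name = mb_substr($name, 0, 200, 'UTF-8');
    return $name === '' ? 'unnamed' : $name;
}

// Store one entry of $_FILES; returns [name on disk, display label].
function store_upload(array $file): array
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    $stored = storage_name((string) $file['name']);
    // move_uploaded_file() refuses anything that is not a real HTTP upload.
    if (!move_uploaded_file($file['tmp_name'], UPLOAD_DIR . '/' . $stored)) {
        throw new RuntimeException('could not store file');
    }
    return [$stored, display_label((string) $file['name'])];
}

// Constructed sample names modelled on the ones in the message, run from the CLI.
if (PHP_SAPI === 'cli') {
    foreach (['myfile.txt > /etc/passwd', 'My grand-mother At the <Pizza Hut>.png'] as $n) {
        $stored = storage_name($n);
        // If a stored name must reach a shell, quote it as one argument.
        echo 'cat ' . escapeshellarg(UPLOAD_DIR . '/' . $stored) . "  # label: " . display_label($n), "\n";
    }
}
```

The label can still contain characters such as `<` and `&`, so it has to be passed through `htmlspecialchars()` before being shown in a page.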