I didn't program MediaWiki, but on Wikipedia it seems to be working well. I just realized that we haven't solved that problem with the charset; I have just changed the charset sent by php ... you're right about the "double encoding" to utf-8: Apache/php think that it is something else and encode it once more. But how can we tell php that it is in utf-8? I don't know. :-D Can it be called a bug when there is no way to detect the charset of an uploaded filename?

André Warnier wrote:
Jiří Eichler wrote:
Man you are incredible.
I had to leave that part..
...
(I removed the part about the idiot however..)
...
I didn't think that it was a problem with php; it ran well on Linux.

It runs under Linux well, probably /only/ because the locale of the process under which Apache + PHP is started, is a UTF-8 locale. So by default, PHP is considering the filename string as UTF-8, and you do not see the problem. But if you want to make this really portable, you should also make sure it always does it right under whatever OS and whatever locale.

Unfortunately, it is not easy, because the browser does not actually tell you in which character set it sends the filename. So you have to "believe" that this is /your/ <form>, and that the browser does it correctly.

I still think that it is a bad idea to save the file under the original name given by the browser, for a number of reasons.
Let me give you a couple more reasons :

1) It is easy for a hacker, to create his own "HTTP agent" (browser).
He does not even have to create one, there are many programs available that do that.
This client could send you a file named
"myfile.txt > /etc/passwd"
or "file.txt ; rm -r /*"
Then you, on the server, use that filename in another command, like
system("cat " . $filename . " > myotherfile");
Got the idea ?

2) I once designed an application like that, for normal users, not hackers. And they used it for a long time, without problems. Then one day, years later, I had to move all these thousands of uploaded files to another system. So, I used "tar" to create an archive of these files, to move them to the other system. Unfortunately, tar was crashing about every 50 files, because it got a filename that it could not handle, like
"My grand-mother At the <Pizza Hut>. Near the place of John & Maria".png
(that being a simple case)
So it took me a lot of hours to move these files.





---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
  "   from the digest: users-digest-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
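
The approach argued for in the message above, as an added example that is not part of the original thread: the upload is stored under a server-generated ASCII name, the browser-supplied name is kept only as validated UTF-8 metadata, and the `system()` command line never contains client-controlled bytes. The function names, the extension allow-list and the sample names are assumptions, and `mb_check_encoding()` needs the mbstring extension.

```php
<?php
// Added example. Function names, the allow-list and the sample names are
// assumptions; requires the mbstring extension.

// Original name, kept only as metadata for display; null if unusable.
function display_name(string $raw): ?string {
    // The browser does not declare a charset, so accept only valid UTF-8
    // instead of guessing (guessing is what leads to double encoding).
    if (!mb_check_encoding($raw, 'UTF-8')) {
        return null;
    }
    $parts = preg_split('~[/\\\\]~', $raw);   // drop any client-side path
    $name = end($parts);
    if ($name === '' || preg_match('/[\x00-\x1F\x7F]/', $name)) {
        return null;
    }
    return $name;
}

// Name used on disk: random hex plus an allow-listed extension, so it is
// plain ASCII whatever the client sent and whatever the server locale is.
function stored_name(?string $display): string {
    $dot = $display === null ? false : strrpos($display, '.');
    $ext = $dot === false ? '' : strtolower(substr($display, $dot + 1));
    $ok  = in_array($ext, ['png', 'jpg', 'txt'], true);
    return bin2hex(random_bytes(16)) . ($ok ? '.' . $ext : '.bin');
}

// Hardened form of the system() call quoted above: only the server-chosen
// name reaches the shell, and it is still quoted with escapeshellarg().
function cat_command(string $stored): string {
    return 'cat ' . escapeshellarg($stored) . ' > myotherfile';
}

$samples = [                       // constructed inputs
    'myfile.txt > /etc/passwd',
    'file.txt ; rm -r /*',
    'My grand-mother At the <Pizza Hut>. Near the place of John & Maria.png',
    "caf\xE9.png",                 // ISO-8859-1 bytes, not valid UTF-8
];
foreach ($samples as $raw) {
    $display = display_name($raw);
    $stored  = stored_name($display);
    printf("%-8s -> %s\n", $display === null ? 'rejected' : 'accepted', cat_command($stored));
}
```

Because the on-disk name is hex plus a fixed extension, later batch tools such as `tar` only ever see ASCII names, and the original name can be shown to users from the stored metadata.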