wile wrote: [ABD] Store phpBB3 attachments in subfolders
viewtopic.php?p=11929355#p11929355
- files are stored in folders based on attachment date
- DB contains info also about folder
- "copy topic" function does not work as DB is missing info about folder in attachment table for new items.
In some places the UTF8 function was removed. Can this be an issue in some cases?
Code:
#-----[ OPEN ]------------------------------------------
includes/functions_admin.php
#-----[ FIND ]------------------------------------------
WHERE physical_filename = '" . $db->sql_escape(utf8_basename($filename)) . "'";
#-----[ REPLACE IT WITH ]------------------------------------------
WHERE physical_filename = '" . $db->sql_escape($filename) . "'";
Otherwise I think it is quite a nice solution. New folders should take approx. 50kB per year (12 folders).
Hello,
So far there seems to be only one issue found, related to copying of a topic.
The fix should be the following:
root/includes/mcp/mcp_main.php
find:
Code:
'physical_filename' => (string) utf8_basename($attach_row['physical_filename']),
replace with:
Code:
'physical_filename' => (string) ($attach_row['physical_filename']),
My question is for technical people who know a lot about phpBB.
The function utf8_basename filters out "/" or "\\".
Code:
function utf8_basename($filename)
{
	// We always check for forward slash AND backward slash
	// because they could be mixed or "sneaked" in. ;)
	// You know, never trust user input...
	if (strpos($filename, '/') !== false)
	{
		$filename = utf8_substr($filename, utf8_strrpos($filename, '/') + 1);
	}
	if (strpos($filename, '\\') !== false)
	{
		$filename = utf8_substr($filename, utf8_strrpos($filename, '\\') + 1);
	}
	return $filename;
}
Do you think this solution is usable? Or should we avoid removing this check on user input, for security reasons?
This solution also adds subfolder info into the DB, and it would not be possible otherwise.
e.g.
Code:
201312/someattachment.jpg -- function utf8_basename would remove first part with info about subfolder...
I tried file names with //// or \\\\ but it does not seem to be possible to upload them into the system anyway.
So from my perspective there is no security issue in this solution.
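As an added example that is not part of the original posts or of the MOD: one way to keep a check on the stored value while still allowing the subfolder is to accept only a bare file name or a single `YYYYMM/` folder in front of it. The function name and the folder format are assumptions based on the sample path `201312/someattachment.jpg`.

```php
<?php
// Added example: not phpBB or MOD code. The function name and the
// "YYYYMM/" folder format are assumptions taken from the post's sample path.

/**
 * Accept a bare file name, or exactly one YYYYMM subfolder plus a file name.
 * Returns the unchanged relative path when it is acceptable, false otherwise.
 */
function abd_check_physical_filename($stored)
{
	// Backslashes and NUL bytes never belong in the stored value
	if (!is_string($stored) || strpos($stored, '\\') !== false || strpos($stored, "\0") !== false)
	{
		return false;
	}

	$parts = explode('/', $stored);
	$name = array_pop($parts);

	// The last component must be a real name, not empty or a dot entry
	if ($name === '' || $name === '.' || $name === '..')
	{
		return false;
	}

	// No folder part: a plain name, which utf8_basename() would also leave unchanged
	if (!$parts)
	{
		return $stored;
	}

	// Exactly one folder level, and it must look like a year plus month 01-12
	if (sizeof($parts) !== 1 || !preg_match('/^\d{4}(0[1-9]|1[0-2])$/D', $parts[0]))
	{
		return false;
	}

	return $stored;
}

// Constructed sample values: the post's example path, a bare name, and
// values with extra levels, a dot entry, a bad month and a backslash
$samples = array('201312/someattachment.jpg', 'someattachment.jpg', '201312/a/b.jpg',
	'201312/../b.jpg', '201313/b.jpg', '201312\\b.jpg', '201312//b.jpg');

foreach ($samples as $sample)
{
	echo $sample, ' => ', var_export(abd_check_physical_filename($sample), true), "\n";
}
```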