httpd-users mailing list archives

From André Warnier ...@ice-sa.com>
Subject Re: [users@httpd] Wrong charset convert SOLVED
Date Wed, 01 Jul 2009 18:31:48 GMT
Jiří Eichler wrote:
> Man you are incredible. 
I had to leave that part..
...
(I removed the part about the idiot however..)
...
> I didn't think that it is a problem with php; it ran on Linux well.

It runs under Linux well, probably /only/ because the locale of the 
process under which Apache + PHP is started, is a UTF-8 locale.
So by default, PHP is considering the filename string as UTF-8, and you 
do not see the problem.
But if you want to make this really portable, you should also make sure 
it always does it right under whatever OS and whatever locale.

Unfortunately, it is not easy, because the browser does not actually 
tell you in which character set it sends the filename.  So you have to 
"believe" that this is /your/ <form>, and that the browser does it 
correctly.

I still think that it is a bad idea to save the file under the original 
name given by the browser, for a number of reasons.
Let me give you a couple more reasons :

1) It is easy for a hacker to create his own "HTTP agent" (browser).
He does not even have to create one; there are many programs available 
that do that.
This client could send you a file named
"myfile.txt > /etc/passwd"
or "file.txt ; rm -r /*"
Then you, on the server, use that filename in another command, like
system("cat " . $filename . " > myotherfile");
Got the idea?

2) I once designed an application like that, for normal users, not 
hackers.  And they used it for a long time, without problems.
Then one day, years later, I had to move all these thousands of uploaded 
files to another system.  So, I used "tar" to create an archive of these 
files, to move them to the other system.
Unfortunately, tar was crashing about every 50 files, because it got a 
filename that it could not handle, like
"My grand-mother At the <Pizza Hut>. Near the place of John & Maria".png
(that being a simple case)
So it took me a lot of hours to move these files.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
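One way to act on both points made in the message above (the filename that is fed to a shell, and the filename that later breaks tar) in PHP. This is an added illustration, not code from the original message, from Jiří's application or from the Apache httpd project; the function names safe_upload_name and shell_cat_safe, the sample filenames and the assumption that the mbstring extension is loaded are all mine.

```php
<?php
// Added example for the thread above; not code from the original message
// or from the Apache httpd project. Function names and sample filenames
// are hypothetical; the mbstring extension is assumed to be available.

/**
 * Turn the name the browser sent into a name that is safe to use on the
 * server. The browser never declares the charset of the filename, so the
 * client string is treated as untrusted bytes: anything that is not valid
 * UTF-8, or that could mean something to a shell, a path or a tool such
 * as tar, is dropped or replaced.
 */
function safe_upload_name(string $client_name): string
{
    // Drop any directory part the client may have included ("../", "C:\").
    $base = basename(str_replace('\\', '/', $client_name));

    // Keep the extension only when it is a short, plain ASCII token.
    $ext = '';
    if (preg_match('/\.([A-Za-z0-9]{1,8})$/', $base, $m)) {
        $ext = '.' . strtolower($m[1]);
    }

    // Undeclared charset: bytes that are not valid UTF-8 are not guessed
    // at, the stem is simply discarded and replaced below.
    $stem = mb_check_encoding($base, 'UTF-8')
        ? pathinfo($base, PATHINFO_FILENAME)
        : '';

    // Reduce the stem to [A-Za-z0-9._-]; runs of anything else become "_".
    $stem = preg_replace('/[^A-Za-z0-9._-]+/', '_', $stem);
    $stem = substr(trim($stem, '._-'), 0, 64);
    if ($stem === '') {
        $stem = 'upload';
    }

    // A random prefix avoids collisions and guarantees the name never
    // starts with "-", which tar, rm and friends would parse as an option.
    return bin2hex(random_bytes(8)) . '_' . $stem . $ext;
}

/**
 * The line the message warns about, with $filename straight from the browser:
 *
 *     system("cat " . $filename . " > myotherfile");      // vulnerable
 *
 * "file.txt ; rm -r /*" terminates the cat and runs rm. If a shell really is
 * needed, every client-derived argument must be quoted with escapeshellarg();
 * this returns the quoted command instead of running it so it can be inspected.
 * (For a plain copy, copy() or move_uploaded_file() avoids the shell entirely.)
 */
function shell_cat_safe(string $filename, string $target): string
{
    return 'cat ' . escapeshellarg($filename) . ' > ' . escapeshellarg($target);
}

// Constructed sample names: the two hostile ones from the message, the
// tar-breaking one, a leading-dash name and a Latin-1 (non-UTF-8) name.
$samples = [
    "myfile.txt > /etc/passwd",
    "file.txt ; rm -r /*",
    "My grand-mother At the <Pizza Hut>. Near the place of John & Maria.png",
    "-rf.txt",
    "r\xe9sum\xe9.pdf",
];

foreach ($samples as $name) {
    printf("%-72s -> %s\n", $name, safe_upload_name($name));
}

// What the shell would actually see for the hostile name, before and after.
$hostile = "file.txt ; rm -r /*";
echo "unsafe: cat " . $hostile . " > myotherfile\n";
echo "safe:   " . shell_cat_safe($hostile, 'myotherfile') . "\n";
```

The generated name is what goes on disk and into any later command; if the original name matters for display, store it separately (checked as valid UTF-8) in the database alongside the generated name, which is exactly the "do not save under the browser's name" advice from the message. With the random prefix, the stem restricted to a safe character set and the shell argument quoted, neither of the two attack strings nor the long "grand-mother" name can reach a shell or trip tar.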