httpd-users mailing list archives

From Jiří Eichler <ejir...@seznam.cz>
Subject Re: [users@httpd] Wrong charset convert SOLVED
Date Wed, 01 Jul 2009 18:52:18 GMT
I didn't program MediaWiki, but on Wikipedia it seems to be working 
well. I just realized that we haven't solved that problem with the charset, I 
have just changed the charset sent by php ... you're right about the "double 
encoding" to utf-8, Apache/php think that it is something else and 
encode it once more. But how can we tell php that it is in utf-8? I 
don't know. :-D    Can it be called a bug when there is no way to detect 
the charset of an uploaded filename?

André Warnier wrote:
> Jiří Eichler wrote:
>> Man you are incredible. 
> I had to leave that part..
> ...
> (I removed the part about the idiot however..)
> ...
> I didn't think that it is problem with php, it ran on Linux well.
>
> It runs under Linux well, probably /only/ because the locale of the 
> process under which Apache + PHP is started, is a UTF-8 locale.
> So by default, PHP is considering the filename string as UTF-8, and 
> you do not see the problem.
> But if you want to make this really portable, you should also make 
> sure it always does it right under whatever OS and whatever locale.
>
> Unfortunately, it is not easy, because the browser does not actually 
> tell you in which character set it sends the filename.  So you have to 
> "believe" that this is /your/ <form>, and that the browser does it 
> correctly.
>
> I still think that it is a bad idea to save the file under the 
> original name given by the browser, for a number of reasons.
> Let me give you a couple more reasons :
>
> 1) It is easy for a hacker to create his own "HTTP agent" (browser).
> He does not even have to create one, there are many programs available 
> that do that.
> This client could send you a file named
> "myfile.txt > /etc/passwd"
> or "file.txt ; rm -r /*"
> Then you, on the server, use that filename in another command, like
> system("cat " . $filename . " > myotherfile");
> Got the idea ?
>
> 2) I once designed an application like that, for normal users, not 
> hackers.  And they used it for a long time, without problems.
> Then one day, years later, I had to move all these thousands of 
> uploaded files to another system.  So, I used "tar" to create an 
> archive of these files, to move them to the other system.
> Unfortunately, tar was crashing about every 50 files, because it got a 
> filename that it could not handle, like
> "My grand-mother At the <Pizza Hut>. Near the place of John & Maria".png
> (that being a simple case)
> So it took me a lot of hours to move these files.
>
>
>
>
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server 
> Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>   "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>
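An added example, not part of the thread or of either poster's code: one way to follow the advice above in PHP, storing each upload under a server-generated name and keeping the browser's name only as display metadata when it validates as UTF-8. The function name, the `/var/uploads/` directory and the sample names are assumptions or constructed; PHP 7+ with the mbstring extension is assumed.

```php
<?php
// Added example; storage_name_for_upload() and /var/uploads/ are hypothetical.

/**
 * Choose the on-disk name for an upload. Nothing from the client-supplied
 * name reaches the filesystem or a shell; it is kept only as display metadata.
 */
function storage_name_for_upload(string $clientName, array $allowedExt): array
{
    // The browser does not declare the filename charset, so keep the name
    // only if it validates as UTF-8; otherwise store no display name at all.
    $display = mb_check_encoding($clientName, 'UTF-8') ? $clientName : null;
    if ($display !== null) {
        // Strip any path component without basename(), which is locale-aware.
        $display = preg_replace('~^.*[/\\\\]~su', '', $display);
        // Strip control characters before the name is stored or shown.
        $display = preg_replace('/[\x00-\x1F\x7F]/u', '', $display);
    }

    // The extension comes from an allow-list, never verbatim from the client.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowedExt, true)) {
        $ext = 'bin';
    }

    // Server-generated name: ASCII only, safe for tar, shells and any locale.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    return ['stored' => $stored, 'display' => $display];
}

// Constructed sample names, based on the examples given in the thread.
$samples = [
    'myfile.txt > /etc/passwd',
    'file.txt ; rm -r /*',
    'My grand-mother At the <Pizza Hut>. Near the place of John & Maria.png',
    "Ji\xF8\xED.txt", // ISO-8859-2 bytes, not valid UTF-8
];
foreach ($samples as $name) {
    $r = storage_name_for_upload($name, ['txt', 'png']);
    // If a shell command is unavoidable, pass only the stored name, quoted.
    $cmd = 'cat ' . escapeshellarg('/var/uploads/' . $r['stored']);
    printf("%s\n  display: %s\n  command: %s\n",
        $r['stored'], var_export($r['display'], true), $cmd);
}
```

The last sample gets a stored name but a `NULL` display name, because its bytes cannot be shown to be UTF-8.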