Closed (cannot reproduce)
Project:
FileField Sources
Version:
7.x-1.2-beta1
Component:
Source: Remote URL
Priority:
Normal
Category:
Support request
Assigned:
Unassigned
Reporter:
Created:
24 Apr 2011 at 11:18 UTC
Updated:
27 Mar 2012 at 10:14 UTC
Comments
Comment #1
manveru commentedIn my case the file name of file transferred from remote URL has been changed from
tomato-K26-1.28.9055MIPSR1-git-13042011-MiniIPv6.trxtotomato-k26-1.28.9055mipsr1-git-13042011-miniipv6.trx_.gzwhich is unacceptable. It was explained that it was for security purpose (I do not understand how underscore character may increase security), but I need at least an option to disable such renaming. Is it possible that it has been related to Transliterate module?Comment #2
quicksketchAny unknown extensions are modified by adding an underscore to them to disable the possibility that Apache will know how to handle them. If Apache doesn't know how to handle the last extension, it starts working down the list of remaining extensions and tries to execute that extension. So for example if you had named the file "example.php.psd", when you visited the URL of the file Apache would not know how to handle the psd extension (at least it doesn't by default), so it would then continue to execute the .php extension (as PHP code). Thus making it so people could transfer and potentially execute PHP code on your server. Renaming all second extensions with an underscore makes it so these files are harmless, as Apache won't know how to execute "php_" files. The number of extensions that could cause this trouble are numurous (asp, aspx, php, cfm, shtml, cgi, sh, perl, etc.) So Drupal takes the safest route and escapes all files with multiple unknown extensions.
So as to how to fix this: You can either add "trx.gz" to your list of extensions, or to make it more flexible you can just add both "trx" and "gz" to your list of extensions and neither of them will be escaped. This is the highly recommended approach (a long "whitelist" of acceptable extensions). This will apply to all sources as well as uploading files directly.
The second alternative is setting the "allow_insecure_uploads" option, which affects the entire Drupal site. This essentially disables all file name munging. You can do this by putting this in your settings.php file:
@rodrigoaguilera: I'll look into your issue shortly. Normally the temp and final destination are different (I thought), but I'll have to check.
Comment #3
quicksketch@rodrigoaguilera: I cannot reproduce your issue. When setting up a new file field, I've set the upload destination to a new directory. When transferring files remotely the file is given the right file name (with no _0 suffix) after transferring. Note that if I transfer the same file twice, it *does* get the _0 suffix, because of course there's already a file with the same name in the destination directory. My guess is that you already had the file uploaded into that directory once when you transferred it.
If this isn't the case and you think this problem occurs for all uploaded files, could you describe exactly how to reproduce the issue step-by-step?
Comment #4
rodrigoaguileraOk, maybe i was testing it wrong. yesterday two rows were created in the files_managed table, one permanent and the other temporary (deleted after some time). now i don't have this problem, just documenting in case that happens again.
Thanks
Comment #5
Masala commentedConfirm this behaviour.
Adding in settings.php file:
$conf['allow_insecure_uploads'] = 1;
but same problem here .