[Chameleon-dev] [Bug 680] New: download.phtml scripting error
bugzilla-daemon at www.maptools.org
Thu Sep 30 11:39:31 EDT 2004
http://www.maptools.org/bugzilla/show_bug.cgi?id=680
Summary: download.phtml scripting error
Product: Chameleon
Version: 1.99
Platform: PC
OS/Version: Windows XP
Status: NEW
Severity: major
Priority: P3
Component: Widget
AssignedTo: chameleon-dev at lists.maptools.org
ReportedBy: ken at rockies.ca
Been having problems with the download.phtml file located in the widgets
folder.
This is the problem area:
    //make sure file_name is valid
    if ( stristr($file_name, "http") !== false ){
        echo "file name $file_name is not valid";
        exit;
    }else{
        $file_name = "http://".$_SERVER['HTTP_HOST']."/".$file_name;
    }
file_name is supposed to contain: "full web file name to download". Does that
mean the URL?
The if statement basically looks to see if http is included, and if it is,
then exit with the error message. If it doesn't, then build a URL.
All the widgets are sending a full URL, so this is erroring every time. It's an
easy fix on my end to work around that if statement; however, a workaround may
not comply with the original intent of the statement. Is it supposed to be
rejecting URLs? I assume it should be the reverse, reject non-URLs so that
folks can't put in file paths? Further, I think it would be beneficial to allow
it to only work in the mapserver temp folder. So far that's where the widgets
are all dropping the file, and there are no scripts or anything in that folder
to worry about someone grabbing.
At any rate it needs some tweaking.
Ken
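
One way to implement the restriction suggested in the report above, as an added example that is not part of the original message or of Chameleon's own code: keep only the final name component of whatever the widget sends (full URL or bare name) and serve it only if it resolves to a regular file inside the temp folder. The function name resolveDownload(), the temp folder location and the sample requests are assumptions made for illustration.

```php
<?php
// Added example, not Chameleon code. resolveDownload() is a hypothetical
// helper; in a real deployment $tmpDir would be the MapServer temp folder.

/**
 * Return the absolute path of $fileName if it resolves to a regular file
 * directly inside $tmpDir, otherwise null.
 */
function resolveDownload(string $fileName, string $tmpDir): ?string
{
    $base = realpath($tmpDir);
    if ($base === false) {
        return null;                 // temp folder missing: refuse everything
    }
    // Keep only the last path component, so a full URL, a relative path and
    // an absolute Windows path all reduce to a bare file name.
    $name = basename(str_replace('\\', '/', $fileName));
    if ($name === '' || $name === '.' || $name === '..') {
        return null;
    }
    // realpath() follows symlinks, so check containment on the resolved path.
    $path = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($path === false || !is_file($path)) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Constructed demo: a throwaway temp folder holding one generated file.
$tmp = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'ms_tmp_demo_' . getmypid();
mkdir($tmp);
file_put_contents($tmp . DIRECTORY_SEPARATOR . 'map_1234.zip', 'demo');

$requests = [                                   // all constructed sample values
    'http://example.org/ms_tmp/map_1234.zip',   // full URL, as the widgets send
    'map_1234.zip',                             // bare file name
    '../../etc/passwd',                         // relative path outside the folder
    'C:\\inetpub\\secret.ini',                  // absolute Windows path
];
foreach ($requests as $r) {
    $p = resolveDownload($r, $tmp);
    printf("%-40s => %s\n", $r, $p === null ? 'rejected' : 'serve ' . basename($p));
}

unlink($tmp . DIRECTORY_SEPARATOR . 'map_1234.zip');
rmdir($tmp);
```

Because the file is read from disk by its resolved path, the script no longer needs to rebuild a URL from $_SERVER['HTTP_HOST'], which is a client-supplied header.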