[Chameleon-dev] [Bug 680] New: download.phtml scripting error

bugzilla-daemon at www.maptools.org
Thu Sep 30 11:39:31 EDT 2004


http://www.maptools.org/bugzilla/show_bug.cgi?id=680

           Summary: download.phtml scripting error
           Product: Chameleon
           Version: 1.99
          Platform: PC
        OS/Version: Windows XP
            Status: NEW
          Severity: major
          Priority: P3
         Component: Widget
        AssignedTo: chameleon-dev at lists.maptools.org
        ReportedBy: ken at rockies.ca


Been having problems with the download.phtml file located in the widgets 
folder.

This is the problem area:

//make sure file_name is valid
if ( stristr($file_name, "http") !== false ){
    echo "file name $file_name is not valid";
    exit;
}else{
    $file_name = "http://".$_SERVER['HTTP_HOST']."/".$file_name;
}

file_name is supposed to contain: "full web file name to download". Does that 
mean the URL?

The if statement basically looks to see if http is included, and if it is, 
then exit with the error message. If it doesn't, then build a URL.

All the widgets are sending a full URL, so this is erroring every time. It's an 
easy fix on my end to work around that if statement, however a workaround may 
not comply with the original intent of the statement. Is it supposed to be 
rejecting URLs? I assume it should be the reverse, reject non-URLs so that 
folks can't put in file paths? Further I think it would be beneficial to allow 
it to only work in the mapserver temp folder. So far that's where the widgets 
are all dropping the file, and there are no scripts or anything in that folder 
to worry about someone grabbing.

At any rate it needs some tweaking.

Ken
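
One way to implement the check the report asks for, as an added example that is not Chameleon's code or part of the original report: accept only full URLs on the expected host, and serve only files that resolve inside the temp folder. The function name resolveDownload, the host maps.example.org and the /ms_tmp/ web path are assumptions.

```php
<?php
// Added example, not Chameleon code. Host name, web path and the
// resolveDownload() helper are assumptions made for illustration.

// Returns the real on-disk path of a downloadable temp file, or null.
function resolveDownload(string $url, string $host, string $webPath, string $tmpDir): ?string
{
    $p = parse_url($url);
    if (!is_array($p) || !isset($p['scheme'], $p['host'], $p['path'])) {
        return null;                          // not a full URL: bare file paths end here
    }
    if (!in_array(strtolower($p['scheme']), ['http', 'https'], true)
        || strcasecmp($p['host'], $host) !== 0) {
        return null;                          // wrong scheme, or a URL on another server
    }
    $path = rawurldecode($p['path']);         // decode first so %2e%2e is seen as ".."
    if (strncmp($path, $webPath, strlen($webPath)) !== 0) {
        return null;                          // outside the temp folder's URL space
    }
    // realpath() collapses "../" and symlinks, and returns false for missing files.
    $base = realpath($tmpDir);
    $real = realpath($tmpDir . '/' . substr($path, strlen($webPath)));
    if ($base === false || $real === false || !is_file($real)
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;                          // resolved outside the temp folder
    }
    return $real;
}

// Constructed sample data: a throwaway temp folder holding one generated file.
$tmpDir = sys_get_temp_dir() . '/ms_tmp_demo_' . getmypid();
mkdir($tmpDir);
file_put_contents($tmpDir . '/map123.png', 'demo');

$samples = [
    'http://maps.example.org/ms_tmp/map123.png',          // full URL in temp folder
    'ms_tmp/map123.png',                                  // bare path, not a URL
    'http://other.example.net/ms_tmp/map123.png',         // different host
    'http://maps.example.org/ms_tmp/../index.phtml',      // climbs out of temp folder
    'http://maps.example.org/ms_tmp/%2e%2e/index.phtml',  // same, percent-encoded
];
foreach ($samples as $s) {
    $r = resolveDownload($s, 'maps.example.org', '/ms_tmp/', $tmpDir);
    echo str_pad($s, 54), ' => ', $r === null ? 'rejected' : 'serve ' . basename($r), "\n";
}

unlink($tmpDir . '/map123.png');
rmdir($tmpDir);
```

The expected host is passed in from configuration rather than read from $_SERVER['HTTP_HOST'], since that header is supplied by the client.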


