Attachment Security when Attachments are Saved as Files?


  • zaon
    replied
    Good to know!

    Thanks again, Kier!


  • Kier
    replied
    The admin panel provides extensive attachment management systems.


  • zaon
    replied
    Originally posted by Kier: "No, it will be saved as 406.attach"
    Ouch... So, is the original .jpg file 'wrapped inside' this new "zip" file or is simply the filename changed and a record of '406.attach = MyNavyShip.jpg' then stored in the database?

    Also, since an admin could no longer just open that attachments folder and use ACDSee or some other app to just page through viewing of all the pictures deciding which to 'prune' out, does the new vb3 control panel provide a means to actually view the pictures (not just the filenames) in order to decide which to delete quickly and which to leave?


  • Kier
    replied
    No, it will be saved as 406.attach


  • zaon
    replied
    Originally posted by Kier: "Attachments are saved using the attachmentid as the filename, so if the attachmentid is 1234, the file will be saved on the server as 1234.attach.

    The original filename is 'restored' when the file is downloaded through the vBulletin attachment system."
    So... If the file MyNavyShip.jpg is uploaded in a post as the 406th attachment in the forums, it will be saved on the server as:
    406.MyNavyShip.jpg ?? (thereby ensuring a unique filename)


  • Kier
    replied
    Attachments are saved using the attachmentid as the filename, so if the attachmentid is 1234, the file will be saved on the server as 1234.attach.

    The original filename is 'restored' when the file is downloaded through the vBulletin attachment system.


  • zaon
    replied
    Oops.. just thought of one more attachments question...

    In the matter of file management and organization, is it possible to have attachments saved with the user's name as a prefix in the filename? username_filename.jpg when all the user did was upload filename.jpg ?

    Also, what happens when a file by that name already exists? Especially for common filenames like 1.jpg, etc.?


  • zaon
    replied
    Thank you so much, to both of you!


  • Wayne Luke
    replied
    Yes, Attachment.php follows the security guidelines you set up in your usergroups.


  • Scott MacVicar
    replied
    attachment.php is part of the vBulletin core and gets what forum and thread the attachment is in and checks the user permission. It then shows the attachment if they have permission.


  • zaon
    replied
    Oh I see (I think)...

    So, placing the attachment folder below the web root means that it can't be displayed by http calls, BUT an attachment.php script could go get it and display it?

    Okay, assuming that, can someone manually type in the attachment.php?display=filename.jpg or whatever the string is in order to see attachments that belong to a thread in a forum that user does not have permission to see? In other words, does the attachment.php displayer script obey forum security rules?


  • Scott MacVicar
    replied
    Nope, the filename is just the attachmentid. You can place the attachment folder below the webroot though, as all attachment.php does is open and read the file rather than fetch it from the database.


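The flow described in the replies above (file stored as `<attachmentid>.attach`, folder kept outside the web root, a script that checks forum permission before it opens and reads the file, original filename restored on download), sketched as an added example. It is not vBulletin's code; the function names, storage path, forum and usergroup ids, and sample records are assumptions made for illustration.

```php
<?php
// Added illustration, not vBulletin source. All names and data are hypothetical.
// Constructed sample rows standing in for the attachment table.
$attachments = [406 => ['filename' => 'MyNavyShip.jpg', 'forumid' => 7]];
// Constructed permissions: usergroupid => forum ids that group may view.
$forumPermissions = [2 => [7], 1 => []];
// Storage directory outside the document root, so no URL maps to it (assumed path).
const ATTACH_DIR = '/var/forum-data/attachments';

function resolveAttachment(array $attachments, array $perms, $rawId, int $usergroupid): array
{
    // Only a positive integer id is accepted; no filename or path comes from the request.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false || !isset($attachments[$id])) {
        return ['status' => 404];
    }
    $record = $attachments[$id];
    // Access is decided by the forum the attachment belongs to.
    if (!in_array($record['forumid'], $perms[$usergroupid] ?? [], true)) {
        return ['status' => 403];
    }
    return [
        'status' => 200,
        'path' => ATTACH_DIR . '/' . $id . '.attach',
        // Original name restored for the browser, reduced to header-safe characters.
        'download_name' => preg_replace('/[^A-Za-z0-9._-]/', '_', basename($record['filename'])),
    ];
}

function serveAttachment(array $result): void
{
    if ($result['status'] === 200 && !is_readable($result['path'])) {
        $result['status'] = 404;   // database row exists but the file is missing
    }
    http_response_code($result['status']);
    if ($result['status'] !== 200) {
        return;
    }
    header('Content-Type: application/octet-stream');
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: attachment; filename="' . $result['download_name'] . '"');
    readfile($result['path']);
}

// Constructed requests: permitted member, guest without access, path-like id.
foreach ([[406, 2], [406, 1], ['../406.attach', 2]] as [$rawId, $group]) {
    echo json_encode($rawId), ' group ', $group, ' => ',
        resolveAttachment($attachments, $forumPermissions, $rawId, $group)['status'], "\n";
}
```

Because the on-disk name is derived from the validated integer id and the uploaded filename is used only in the response header, a request can neither name a path on the server nor reach a file without passing the forum permission check.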

  • zaon
    started a topic Attachment Security when Attachments are Saved as Files?

    Just had a quick question as to whether there will be any attachment security for attachments saved as files and NOT encoded in the database.

    Are attachments saved as files renamed using an 'encrypted renaming' scheme for the filename so that it will be near impossible to guess? My point is, if attachments from all forums go to one folder on the server, that folder can't be read-protected other than a basic htaccess to prevent leeching, so what is to prevent someone from just typing filenames into the browser URL and pulling them up off the server directly?

    Does vb3 do nothing? Or does it 'encode' the filename to a unique and hard-to-guess name? Or does it go even farther by actually encrypting the attachment itself and then unencrypting it when displayed/downloaded in thread?

    Finally, will vb3 include abilities to not only attach multiple pictures to a post but also include text above and below certain pictures where designer's comments can explain what is going on in each picture?

    Thanks!!
