request: "add attachment" a file from a URL

Bug #32772 reported by Carl Karsten
Affects: Launchpad itself
Status: Invalid
Importance: Medium
Assigned to: Unassigned
Milestone: (none)

Bug Description

"add attachment" option to take a URL so that I can post files that aren't on my file system, like http://dev.personnelware.com/carl/temp/Feb24/ubuntu-installs/a/fdisk.txt

Tags: lp-bugs

Brad Bollenbach (bradb) wrote : Re: [Bug 32772] request: "add attachment" a file from a URL

On 24-Feb-06, at 3:32 PM, Carl Karsten wrote:

> Public bug reported:
> https://launchpad.net/malone/bugs/32772
>
> Affects: malone (upstream)
> Severity: Normal
> Priority: (none set)
> Status: Unconfirmed
>
> Description:
> "add attachment" option to take a URL so that I can post files that
> aren't on my file system, like
> http://dev.personnelware.com/carl/temp/Feb24/ubuntu-installs/a/fdisk.txt

Something about this UI feels not quite right, but I'm not sure what.

kiko, mpt, what do you guys think of this suggestion?

Cheers,

--
Brad Bollenbach

Carl Karsten (carlfk) wrote :

> Something about this UI feels not quite right, but I'm not sure what.

I bet this is the "what": the user (like me) would be sending launchpad.net a URL, launchpad.net would do a wget/curl/whatever of that URL. Who knows where/what that URL really is.

I can think of 2 ways this could be exploited:

use launchpad.net as part of a DoS attack on some poor URL

URL is meant to jam up launchpad.net - slow response, big file, infinite loop redirect...

The user does have a launchpad account, but it isn't like that would really stop anyone.
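The second case in the comment above (slow response, big file, redirect loop) maps onto three limits a server-side fetcher can enforce. The sketch below is an added example, not part of the original thread and not Launchpad code; the limit values, the `open_url` transport hook and the `files.example` responses are assumptions constructed for illustration.

```python
import itertools
import time
from urllib.parse import urljoin, urlsplit

MAX_BYTES = 1_000_000     # assumed attachment size cap
MAX_REDIRECTS = 3         # assumed redirect hop limit
DEADLINE_SECONDS = 10.0   # assumed total time budget for one fetch

class FetchRejected(Exception):
    """Raised when a remote URL violates one of the limits above."""

def guarded_fetch(url, open_url, clock=time.monotonic):
    """Fetch url via open_url(url) -> (status, headers, chunk iterator).

    open_url is a hypothetical transport hook; a real one would also set a
    socket timeout so a silent server cannot block a single read forever.
    """
    start, seen = clock(), set()
    for _ in range(MAX_REDIRECTS + 1):
        if urlsplit(url).scheme not in ("http", "https"):
            raise FetchRejected("scheme not allowed")
        if url in seen:
            raise FetchRejected("redirect loop")
        seen.add(url)
        status, headers, chunks = open_url(url)
        if status in (301, 302, 303, 307, 308):
            url = urljoin(url, headers.get("Location", ""))
            continue
        if status != 200:
            raise FetchRejected("unexpected status %d" % status)
        declared = headers.get("Content-Length", "")
        if declared.isdigit() and int(declared) > MAX_BYTES:
            raise FetchRejected("declared size exceeds cap")
        body = bytearray()
        for chunk in chunks:  # stream, so a lying or absent length is still capped
            body += chunk
            if len(body) > MAX_BYTES:
                raise FetchRejected("body exceeds cap")
            if clock() - start > DEADLINE_SECONDS:
                raise FetchRejected("deadline exceeded")
        return bytes(body)
    raise FetchRejected("too many redirects")

# Constructed responses standing in for remote servers (no network access).
SAMPLE = {
    "http://files.example/fdisk.txt": (200, {"Content-Length": "5"}, [b"Disk "]),
    "http://files.example/a": (302, {"Location": "/b"}, []),
    "http://files.example/b": (302, {"Location": "/a"}, []),
    "http://files.example/big": (200, {}, itertools.repeat(b"x" * 65536)),
}
```

These limits only protect the fetching server; the first case in the comment (the server being used to hit a third party) would additionally need per-account rate limiting, which this sketch does not cover.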

Björn Tillenius (bjornt) wrote :

On Thu, Mar 09, 2006 at 09:39:36PM -0000, Carl Karsten wrote:
> Public bug report changed:
> https://launchpad.net/malone/bugs/32772
>
> Comment:
> > Something about this UI feels not quite right, but I'm not sure what.
>
> I bet this is the "what": the user (like me) would be sending
> launchpad.net a URL, launchpad.net would do a wget/curl/whatever of that
> URL. Who knows where/what that URL really is.

If we do this, I would imagine that we would only link to the URL, we
wouldn't download the file and upload it to Launchpad.

Carl Karsten (carlfk) wrote :

> If we do this, I would imagine that we would only link to the URL, we wouldn't download the file and upload it to Launchpad.

The URL can break over time. The point of attaching it to a bug is so that it becomes part of the bug's lifespan.
What I am doing that brought this up: Ubuntu test box has an issue, I run a script that scp's /etc and /var/log to a /temp on my web server. I go to my stable box and compose the bug report. I hit the web server to find some choice bits to cut/paste into the report, I attach whatever files I think are relevant, and post the URL in case I missed anything. BUT, I don't intend on maintaining that set of files forever. Currently those files get deleted if they have not been accessed in 2 weeks. When attaching, I (or anyone that finds a file that should be attached) have to save the file locally, then post it. Given that the URL is sitting in the web browser's Address box, it would be handy if we could just cut/paste that into the launchpad upload form.

Matt Zimmerman (mdz) wrote :

Implementing this could result in a security issue; I'm not sure we want launchpad going out and fetching user-supplied URLs.

Carl Karsten (carlfk)
Changed in malone:
status: Unconfirmed → Rejected