Activity log for bug #134816

Date Who What changed Old value New value Message
2007-08-26 00:33:24 Matthew Paul Thomas bug added bug
2007-08-28 14:38:33 Diogo Matsubara malone: status New Confirmed
2008-01-03 15:48:01 Matthew Paul Thomas description
Old value: The fix for bug 73695 uses a bug attachment's filename as the description, if no other description was provided. In bug 134761, someone apparently using Internet Explorer 7 has attached a file without a description, and *the entire pathname* has been used as the description ("C:\Documents and Settings\My Name\My Pictures\..."). In this case, nothing particularly exciting has been divulged. But it's not obvious that the entire pathname will be used, and it's easy to imagine one of an attached file's parent folders having a name that is embarrassing or that otherwise discloses information the commenter would rather keep private. Perhaps we could use only that section of the browser-supplied filename that follows the last "/" or "\" character.
New value: The fix for bug 73695 uses a bug attachment's filename as the description, if no other description was provided. In bug 134761, someone apparently using Internet Explorer 7 has attached a file without a description, and *the entire pathname* has been used as the description ("C:\Documents and Settings\My Name\My Pictures\..."). In this case, nothing particularly exciting has been divulged. But it's not obvious that the entire pathname will be used, and it's easy to imagine one of an attached file's parent folders having a name that is embarrassing or that otherwise discloses information the commenter would rather keep private. Perhaps we could use only that section of the browser-supplied filename that follows the last "/" or "\" character. (The equivalent in project releases is bug 174794.)
2008-06-21 12:18:12 Matthew Paul Thomas description
Old value: The fix for bug 73695 uses a bug attachment's filename as the description, if no other description was provided. In bug 134761, someone apparently using Internet Explorer 7 has attached a file without a description, and *the entire pathname* has been used as the description ("C:\Documents and Settings\My Name\My Pictures\..."). In this case, nothing particularly exciting has been divulged. But it's not obvious that the entire pathname will be used, and it's easy to imagine one of an attached file's parent folders having a name that is embarrassing or that otherwise discloses information the commenter would rather keep private. Perhaps we could use only that section of the browser-supplied filename that follows the last "/" or "\" character. (The equivalent in project releases is bug 174794.)
New value: Since bug 73695 was fixed, Launchpad uses a bug attachment's filename (as provided by the browser) as the attachment's description, if no other description was provided. The Launchpad Librarian also preserves the filename in the attachment's URL. Unfortunately, some browsers provide not just the filename, but the entire path of the file (as seen for example in bug 134761):
* Internet Explorer 6 or earlier
* Firefox 2 or earlier
* Opera (all versions up to at least 9.5)
* Safari (all versions up to at least 4 Developer Preview).
It's not obvious that the entire path will be disclosed, and it's easy to imagine one of an attached file's parent folders having a name that is embarrassing or that otherwise discloses information the commenter would rather keep private. Perhaps we could use only that section of the browser-supplied filename that follows the last "/" or "\" character. (The equivalent in project releases is bug 174794.)
2008-06-21 12:18:12 Matthew Paul Thomas title
Old value: Descriptionless file attached from Windows includes entire pathname
New value: File attached from some browsers discloses entire path
2008-06-21 12:19:34 Matthew Paul Thomas description
Old value: Since bug 73695 was fixed, Launchpad uses a bug attachment's filename (as provided by the browser) as the attachment's description, if no other description was provided. The Launchpad Librarian also preserves the filename in the attachment's URL. Unfortunately, some browsers provide not just the filename, but the entire path of the file (as seen for example in bug 134761):
* Internet Explorer 6 or earlier
* Firefox 2 or earlier
* Opera (all versions up to at least 9.5)
* Safari (all versions up to at least 4 Developer Preview).
It's not obvious that the entire path will be disclosed, and it's easy to imagine one of an attached file's parent folders having a name that is embarrassing or that otherwise discloses information the commenter would rather keep private. Perhaps we could use only that section of the browser-supplied filename that follows the last "/" or "\" character. (The equivalent in project releases is bug 174794.)
New value: Since bug 73695 was fixed, Launchpad uses a bug attachment's filename (as provided by the browser) as the attachment's description, if no other description was provided. The Launchpad Librarian also preserves the filename in the attachment's URL. Unfortunately, some browsers provide not just the filename, but the entire path of the file (as seen for example in bug 134761):
* Internet Explorer 6 or earlier
* Firefox 2 or earlier
* Opera (all versions up to at least 9.5)
* Safari (all versions up to at least 4 Developer Preview).
[Source: http://lists.whatwg.org/pipermail/whatwg-whatwg.org/2008-June/015162.html]
It's not obvious that the entire path will be disclosed, and it's easy to imagine one of an attached file's parent folders having a name that is embarrassing or that otherwise discloses information the commenter would rather keep private. Perhaps we could use only that section of the browser-supplied filename that follows the last "/" or "\" character. (The equivalent in project releases is bug 174794.)
2008-06-21 12:23:38 Matthew Paul Thomas description
Old value: Since bug 73695 was fixed, Launchpad uses a bug attachment's filename (as provided by the browser) as the attachment's description, if no other description was provided. The Launchpad Librarian also preserves the filename in the attachment's URL. Unfortunately, some browsers provide not just the filename, but the entire path of the file (as seen for example in bug 134761):
* Internet Explorer 6 or earlier
* Firefox 2 or earlier
* Opera (all versions up to at least 9.5)
* Safari (all versions up to at least 4 Developer Preview).
[Source: http://lists.whatwg.org/pipermail/whatwg-whatwg.org/2008-June/015162.html]
It's not obvious that the entire path will be disclosed, and it's easy to imagine one of an attached file's parent folders having a name that is embarrassing or that otherwise discloses information the commenter would rather keep private. Perhaps we could use only that section of the browser-supplied filename that follows the last "/" or "\" character. (The equivalent in project releases is bug 174794.)
New value: Since bug 73695 was fixed, Launchpad uses a bug attachment's filename (as provided by the browser) as the attachment's description, if no other description was provided. The Launchpad Librarian also preserves the filename in the attachment's URL. Unfortunately, some browsers provide not just the filename, but the entire path of the file (as seen for example in bug 134761):
* Internet Explorer 6 or earlier
* Firefox 2 or earlier
* Safari (all versions up to at least 4 Developer Preview).
In addition, Opera 9.5 returns "C:\fake_path\" followed by the filename, regardless of OS and regardless of the real path.
[Source: http://lists.whatwg.org/pipermail/whatwg-whatwg.org/2008-June/015162.html]
It's not obvious that the entire path will be disclosed. In the case of Opera this results in merely a non-sequitur appearing in Launchpad pages. But for the other browsers it's easy to imagine one of an attached file's parent folders having a name that is embarrassing or that discloses information the commenter would rather keep private. Perhaps we could use only that section of the browser-supplied filename that follows the last "/" or "\" character. (The equivalent in project releases is bug 174794.)
2008-06-21 12:59:22 Matthew Paul Thomas description
Old value: Since bug 73695 was fixed, Launchpad uses a bug attachment's filename (as provided by the browser) as the attachment's description, if no other description was provided. The Launchpad Librarian also preserves the filename in the attachment's URL. Unfortunately, some browsers provide not just the filename, but the entire path of the file (as seen for example in bug 134761):
* Internet Explorer 6 or earlier
* Firefox 2 or earlier
* Safari (all versions up to at least 4 Developer Preview).
In addition, Opera 9.5 returns "C:\fake_path\" followed by the filename, regardless of OS and regardless of the real path.
[Source: http://lists.whatwg.org/pipermail/whatwg-whatwg.org/2008-June/015162.html]
It's not obvious that the entire path will be disclosed. In the case of Opera this results in merely a non-sequitur appearing in Launchpad pages. But for the other browsers it's easy to imagine one of an attached file's parent folders having a name that is embarrassing or that discloses information the commenter would rather keep private. Perhaps we could use only that section of the browser-supplied filename that follows the last "/" or "\" character. (The equivalent in project releases is bug 174794.)
New value: Since bug 73695 was fixed, Launchpad uses a bug attachment's filename (as provided by the browser) as the attachment's description, if no other description was provided. The Launchpad Librarian also preserves the filename in the attachment's URL. Unfortunately, some browsers provide not just the filename, but the entire path of the file (as seen for example in bug 134761):
* Internet Explorer 7 or earlier (but not 8 or later)
* Firefox 2 or earlier
* Safari (all versions up to at least 4 Developer Preview).
In addition, Opera 9.5 returns "C:\fake_path\" followed by the filename, regardless of OS and regardless of the real path.
[Sources: <http://lists.whatwg.org/pipermail/whatwg-whatwg.org/2008-June/015162.html>, <http://lists.whatwg.org/pipermail/whatwg-whatwg.org/2008-June/015171.html>.]
It's not obvious that the entire path will be disclosed. In the case of Opera this results in merely a non-sequitur appearing in Launchpad pages. But for the other browsers it's easy to imagine one of an attached file's parent folders having a name that is embarrassing or that discloses information the commenter would rather keep private. Perhaps we could use only that section of the browser-supplied filename that follows the last "/" or "\" character. (The equivalent in project releases is bug 174794.)
2010-12-26 18:39:10 Curtis Hovey marked as duplicate 174794
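As an added illustration of the mitigation proposed in the descriptions above (example code written here, not Launchpad's own), a Python function that keeps only the part of the browser-supplied filename after the last "/" or "\", so neither a real parent directory nor Opera's "C:\fake_path\" prefix reaches the description or the Librarian URL. The sample filenames, the `fallback` name and the rejection of "." and ".." are constructed assumptions, not behaviour the bug report specifies.

```python
import re

# Splits on either separator, since IE/Firefox 2 on Windows send backslashes
# while the same browsers on other platforms would send forward slashes.
_SEPARATORS = re.compile(r"[/\\]")


def attachment_description(browser_filename: str, fallback: str = "attachment") -> str:
    """Return a safe description derived from a browser-supplied filename.

    Only the text after the last "/" or "\\" is kept, so parent folder names
    are never disclosed. A degenerate result (empty, "." or "..") falls back
    to ``fallback`` rather than producing an empty or path-like description.
    """
    basename = _SEPARATORS.split(browser_filename)[-1].strip()
    if basename in ("", ".", ".."):
        return fallback
    return basename


# Constructed inputs modelled on the browser behaviours listed in the bug.
CONSTRUCTED_INPUTS = {
    # IE 7 / Firefox 2 on Windows: full path, parent folders included
    r"C:\Documents and Settings\My Name\My Pictures\screenshot.png": "screenshot.png",
    # Older Firefox on a POSIX system: full path with forward slashes
    "/home/someone/private-project/log.txt": "log.txt",
    # Opera 9.5: fabricated prefix, stripped like any other directory
    r"C:\fake_path\report.pdf": "report.pdf",
    # Browsers that already send just the name are unchanged
    "notes.txt": "notes.txt",
    # Trailing separator leaves no filename, so the fallback is used
    "C:\\Users\\someone\\": "attachment",
    # A path-like basename is refused rather than echoed into a URL
    "/tmp/..": "attachment",
}


def check_constructed_inputs() -> bool:
    """True when every constructed input maps to its expected description."""
    return all(attachment_description(raw) == expected
               for raw, expected in CONSTRUCTED_INPUTS.items())


if __name__ == "__main__":
    for raw, expected in CONSTRUCTED_INPUTS.items():
        print(f"{raw!r:70} -> {attachment_description(raw)!r}")
    print("all cases ok:", check_constructed_inputs())
```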