Bug 680 - download.phtml scripting error
: download.phtml scripting error
Status: NEW
: Chameleon
Widget
: 1.99
: PC Windows XP
: P3 major
: FUTURE
Assigned To:
:
:
:
:
:
  Show dependency treegraph
 
Reported: 2004-09-30 11:39 by
Modified: 2004-10-21 14:14 (History)


Attachments


Note

You need to log in before you can comment on or make changes to this bug.


Description From 2004-09-30 11:39:29
Been having problems with the download.phtml file located in the widgets 
folder.

This is the problem area:

//make sure file_name is valid
if ( stristr($file_name, "http") !== false ){
    echo "file name $file_name is not valid";
    exit;
}else{
    $file_name = "http://".$_SERVER['HTTP_HOST']."/".$file_name;
}

file_name is supposed to contain: "full web file name to download" Does that 
mean the URL?

The if statement basically looks to see if http is included, and if it is, 
then exit with the error message. If it doesnt, then build a URL.

All the widgets are sending a full URL, so this is erroring every time. Its an 
easy fix on my end to work around that if statement, however a work around may 
not comply with the original intent of the statement. Is it supposed to be 
rejecting URL's? I assume it should be the reverse, reject non-URL's so that 
folks can't put in file paths? Further I think it would be benifitial to allow 
it to only work in the mapserver temp folder. So far thats where the widgets 
are all dropping the file, and there are no scripts or anything in that folder 
to worry about someone grabbing.

At any rate it needs some tweaking.

Ken
------- Comment #1 From 2004-10-21 14:14:15 -------
Changed target to FUTURE.