UBB.threads PHP Forum Software Community Forums UBB.threads 7 Bug Reports Non Bugs Attachment not found

I have an attachment that a user attached that appears to create an invalid link for it.

http://www.kixtart.org/forums/attach/15-Users.DBF.ini

The file exists at that location so it was uploaded correctly and the system has permissions to access the file so not sure exactly what's wrong.

It appears that files can't be downloaded from there but images can.

http://kixtart.org/forums/attach/8-SizeVBS.PNG

On another note it would appear that UBB is putting a number in front of the uploaded attachment. Why?

Okay just did a test of my own. It seems that the link for anything besides an image won't donwload.

http://www.kixtart.org/forums/ubbthreads.php?ubb=download&Number=16

If you click that link you get
http://www.kixtart.org/forums/attach/16-Users.DBF.ini

But it still won't download the file you get a 404 error.

.

The number in front of the attachment is so there are no collisions (such as users uploading the same named images to your site).

As for the file in question; I'm thinking it's because of the extension .ini; does IIS have some directive that blocks certain filetypes from being dowloanded?

That's what I'm initially thinking but renamed a file to just .db and it didn't like that either.

I'll try one with a zip and see if that works.

As for the number strategy then why not just obfuscate the whole thing like most sites do.

Something like:
mysite.com/folder/^^*H#%&w208

would equal something like:
mysite.com/folder/mynewfile.zip

The filename ^^*H#%&w208 would be unique maybe use some GUID type filename creator (I'm sure PHP has something like that built-in or someone has created a script for it already)

Then the database stores that unique name AND the real name and when it downloads it to the client it renames it to the real name.

.

Well that is odd. It won't open/download a zip file either.

I'll have to investigate what's going on there.

Control Panel » Feature Settings » Attachments » Allowed Attachment File Extensions:

Separate with a comma.
.php,.php3,.php4,.cgi,.pl,.exe,.bat,.reg not accepted.

That is for uploads. Outside of the forum in IE/FF you can't download the file even though it's there on the server so I'm betting it's not related to UBBT and just coincidence that I found it via UBBT.

.

sounds more like an IIS issue to me :shrug: never heard of such a thing on a *nix server lol

Well as it turns out IIS 6 does not serve up unknown MIME Types on purpose for security reasons.
http://support.microsoft.com/kb/326965

Creating MIME Types for a Web site or directory (IIS 6.0)
http://www.microsoft.com/technet/pr...ad27-4800-adfb-13c4ae39a602.mspx?pf=true

MIME Types in IIS 4/5
http://www.microsoft.com/technet/pr.../iis/maintain/featusability/mimeiis.mspx

David Wang: HOWTO: Allow file downloads (including .exe) on IIS 6.0
http://blogs.msdn.com/david.wang/archive/2005/07/11/Allow_file_downloads_on_IIS_6.aspx

David Wang: HOWTO: Allow file downloads (including .exe) on IIS 6.0, Part 2
http://blogs.msdn.com/david.wang/ar...loads-including-exe-on-IIS-6-Part-2.aspx

David wang: HOWTO: IIS 6 Request Processing Basics, Part 1
http://blogs.msdn.com/david.wang/ar..._6_Request_Processing_Basics_Part_1.aspx

David Wang: Why Wildcard application mapping can disable Default Document resolution
http://blogs.msdn.com/david.wang/ar...disable_Default_Document_resolution.aspx

David Wang: Thoughts on IIS Security vs Apache
http://blogs.msdn.com/david.wang/archive/2005/09/30/Thoughts_on_IIS_Security_vs_Apache.aspx

David Wang: Thoughts on IIS Security vs Apache, Part 2
http://blogs.msdn.com/david.wang/archive/2005/10/01/Thoughts-on-IIS-Security-vs-Apache-Part-2.aspx


I've made the required changes and now my attachment folder allows some of the other file types to be downloaded.


.

lol i'm the man

Sir yes sir, I agreed it had to be IIS. Just could not see how UBBT could be involved except for the file name.

@Rick
If you can please think of another way to handle attachments without pre-pending a number to it. I would really like to see attachments retain their ORIGINAL file names like other Web apps do.

Thanks.

this would be hard, considering the risk of file collisions...

Well I've not programmed in PHP but have worked in VB and we setup an FTP program that assigned a unique number to files so the user would never know the real file name so they could not manually download the file and there were over 5 million files and none of them were an issue with same file name even though users could upload/download files.

Can't say I've ever been on a system that handled files this way (not saying there are not other apps out there that don't, but none that come to mind).

I see it as a very easy task using MySQL and auto generated unique keys. Add a file it gives it a unique name, but also stores what the 'REAL' name is and even if it has to do a temporary file rename or something it then gives the user back the file with the REAL name.

I think the file manager needs severely updated, it's way too basic at current; its one of th emany things on my huge feature list request