[Vtigercrm-developers] Uploading att to comment

Uma S uma.s at vtiger.com
Tue Jun 16 15:14:45 GMT 2020


Hi Team,

As file name disclosure will lead to an XSS vulnerability through the
end-point, we have made these changes not to disclose the filename.

On Tue, Jun 16, 2020 at 1:04 PM Alan Lord <alanslists at gmail.com> wrote:

> There were several patches committed to master a while ago for this:
>
>
> https://code.vtiger.com/vtiger/vtigercrm/merge_requests?%20utf8=%C3%A2%C2%9C%C2%93&issue_search=obscu&state=all&scope=all&assignee_id=&author_id=&milestone_id=&label_id=
>
> All attachments now are stored as an md5 hash.
>
> HTH
>
> Al
>
> On 16/06/2020 00:48, Tony Sandman wrote:
> > Gents, while uploading an attachment to a ticket comment, the original file
> > name is changing to 547094_033032447bc4a81fdfc7e50119360452.pdf and similar.
> > That random naming makes the document not accessible.
> > Any tips on that?
> >
> > Cheers



-- 
With
Best Regards
Uma.S
Vtiger Team
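
The storage pattern discussed in this thread, as an added example that is not part of the original messages and is not vtiger's code: the file is stored under an opaque name, the user-supplied name is kept only as metadata, and that name is escaped or sanitized wherever it is output. All function names, field names and the sample id are hypothetical, and a random token is assumed in place of the md5 hash.

```php
<?php
// Added illustration, not vtiger code; every function and field name is hypothetical.

// Store an upload under an opaque name; the user-supplied name is kept only as metadata.
function store_attachment(string $tmpPath, string $originalName, string $dir, int $id): array
{
    // Extension comes from an allow-list; anything else is stored as .bin.
    $ext = strtolower(pathinfo($originalName, PATHINFO_EXTENSION));
    if (!in_array($ext, ['pdf', 'png', 'jpg', 'txt'], true)) {
        $ext = 'bin';
    }
    // Assumption: a random token stands in for the md5 hash mentioned in the thread.
    $storedName = $id . '_' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!copy($tmpPath, $dir . DIRECTORY_SEPARATOR . $storedName)) {
        throw new RuntimeException('could not store attachment');
    }
    return ['stored_name' => $storedName, 'original_name' => $originalName];
}

// Reduce the user-supplied name to a conservative character set for header use.
function safe_download_name(string $originalName): string
{
    $base = basename(str_replace('\\', '/', $originalName));
    $base = ltrim(preg_replace('/[^A-Za-z0-9._-]/', '_', $base), '.');
    return $base === '' ? 'attachment' : $base;
}

// Download response headers: forced download, no content sniffing.
function download_headers(array $meta): array
{
    return [
        'Content-Type: application/octet-stream',
        'X-Content-Type-Options: nosniff',
        'Content-Disposition: attachment; filename="' . safe_download_name($meta['original_name']) . '"',
    ];
}

// Constructed sample: a temp file and a file name carrying HTML metacharacters.
$dir = sys_get_temp_dir();
$tmp = tempnam($dir, 'up');
file_put_contents($tmp, 'demo');
$meta = store_attachment($tmp, 'invoice "<img src=x>".pdf', $dir, 1001);
echo $meta['stored_name'], PHP_EOL;  // opaque name used on disk and in URLs
echo htmlspecialchars($meta['original_name'], ENT_QUOTES, 'UTF-8'), PHP_EOL;  // escaped for HTML display
echo implode(PHP_EOL, download_headers($meta)), PHP_EOL;
unlink($tmp);
unlink($dir . DIRECTORY_SEPARATOR . $meta['stored_name']);
```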