Customer
4 Posts

Ticket By blossom 01 Jul 2018, 23:48

Description:
When a user uploads a file, the name of the file is based on the unixtime generated on the client side.
A sophisticated user can easily tamper with this value to override existing images on the server.

A better solution would be to use the final file name returned from the server after making sure that it's unique.

Component:
Chat Bar

ArrowChat Version:
2.1.x
Customer
4 Posts

Ticket By blossom 02 Jul 2018, 00:28

I'm willing to donate an improvement to that code, if welcomed.
Customer
4 Posts

Ticket By blossom 02 Jul 2018, 00:38

Also, the maximum file size is client based. A user can upload a huge file and lock the hosting server.
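
A server-side handling of the two points raised in this ticket (file name and size limit), as an added example that is not part of the ticket and not ArrowChat's own code. The function name `store_upload`, the 2 MiB limit, the extension allow-list and the sample file names are assumptions for illustration.

```php
<?php
declare(strict_types=1);

const MAX_UPLOAD_BYTES = 2 * 1024 * 1024;           // assumed limit, enforced on the server
const ALLOWED_EXT = ['jpg', 'jpeg', 'png', 'gif'];  // assumed allow-list

// Stores a temp file under a server-generated name and returns that name.
// $clientName only selects an allow-listed extension; it is never the stored name.
function store_upload(string $tmpPath, string $clientName, string $destDir, int $maxBytes = MAX_UPLOAD_BYTES): string
{
    // Size is measured on the server; a limit checked only in the browser can be bypassed.
    $size = filesize($tmpPath);
    if ($size === false || $size > $maxBytes) {
        throw new RuntimeException('file too large');
    }
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        throw new RuntimeException('extension not allowed');
    }
    $in = fopen($tmpPath, 'rb');
    if ($in === false) {
        throw new RuntimeException('cannot read upload');
    }
    for ($attempt = 0; $attempt < 5; $attempt++) {
        $name = bin2hex(random_bytes(16)) . '.' . $ext;   // unguessable, chosen by the server
        // Mode 'x' fails if the file already exists, so an existing upload is never overwritten.
        $out = @fopen($destDir . '/' . $name, 'x');
        if ($out === false) {
            continue;
        }
        stream_copy_to_stream($in, $out, $maxBytes);
        fclose($in);
        fclose($out);
        return $name;   // sent back to the client, which uses this name from now on
    }
    fclose($in);
    throw new RuntimeException('could not allocate a unique file name');
}

// Demo with constructed input. A real handler would pass $_FILES[...]['tmp_name']
// after is_uploaded_file() succeeds; the timestamp-style names below are made up.
$dir = sys_get_temp_dir() . '/upload_demo_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
$tmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp, str_repeat('A', 1024));
$first  = store_upload($tmp, '1530485280.png', $dir);
$second = store_upload($tmp, '1530485280.png', $dir);   // same client-supplied name again
echo $first === $second ? "overwritten\n" : "two distinct files kept\n";
try {
    store_upload($tmp, '1530485281.png', $dir, 512);    // 1024-byte file, 512-byte limit
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

PHP's `upload_max_filesize` and `post_max_size` settings cap the request before this code runs; the check inside the function is the application's own limit on top of them.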
ArrowChat Team
2119 Posts

Ticket By Jason 09 Jan 2020, 20:13

Fixed max file size. Won't be fixing unix stamp for now as it's not a big enough concern to fix.

Status Change

Changed ticket status from "Awaiting team input" to "Fix completed"
Action performed by Jason » 09 Jan 2020, 20:13

Status Change

Changed ticket status from "New" to "Awaiting team input"
Action performed by Jason » 18 Oct 2018, 15:28