0016986: file_download.php adds buffer trash to file contents - MantisBT

ID	Project	Category	View Status	Date Submitted	Last Update

0016986	mantisbt	security	public	2014-02-18 06:48	2014-12-08 02:08

Reporter	badfiles	Assigned To	atrol
Priority	high	Severity	major	Reproducibility	always
Status	closed	Resolution	fixed
Product Version	1.3.0dev
Target Version	1.3.0-beta.1

Summary	0016986: file_download.php adds buffer trash to file contents
Description	Storage type is DATABASE. ManisBT works over https. PHP version 5.3 There is a lot of junk output appended to file contents. The junk might contain sensitive information.
Tags	No tags attached.
Attached Files	config (1,716 bytes)

atrol 2014-02-18 07:24 developer ~0039457	badfiles, I was not able to reproduce your problem. Please provide detailed, step-by-step instructions to reproduce the issue. Additional information listed below may also be useful: Exact version of MantisBT, PHP, Database, Web server and Operating System Relevant customizations (e.g. changes in config_inc.php, etc) Installed plugins or custom functions ? Was the MantisBT source code modified in any way ?

badfiles 2014-02-18 07:56 reporter ~0039458 Last edited: 2014-02-18 08:09	PHP/5.3.2-1ubuntu4.22 Apache/2.2.14 (Ubuntu) mantisbt from git (commit c454b2c4d173ac4ec997a5f2a0ec25c253a6deb2) code not modified. no plugins or custom functions used MySQL Server version: 5.1.73-0ubuntu0.10.04.1 Now I test the issue on a text file in the database. It's content previews correctly, but being downloaded it contains additional junk information. Same situation happens with any file type. the connection type does not matter (http or https) the database in not an issue, content preview works fine I suppose the problem is in file_download.php

atrol 2014-02-18 09:22 developer ~0039459	Got it, thanks badfiles

MantisBT: master 053761ef 2014-02-18 04:20 atrol Details Diff	Fix 0016986: file_download.php adds buffer trash to file contents		Affected Issues 0016986
	mod - file_download.php		Diff File