Security/Change Saved File Name?
Hi Simon,
First, this is a fantastic little plugin and I'm surprised it's not more popular :)
Second, I was just curious how you were calculating the file name that gets pushed to the Umbraco Media service. I haven't looked at the code yet, nor have I checked how it's calculated on our production server. But on my local machine my main concern is that it looks like it's appending sensitive system temp data paths onto the file, like this -
c-users-my-windows-username-appdata-local-temp-unsplash-unsplash-search-term- unsplashid.jpg
Sure enough it is storing those in my local user appdata/local/temp as the filename suggests, not the Umbraco AppData folder. I've been manually changing them, as it is a bit of a security concern on our end.
Any thoughts welcome on how to solve this little issue. I used package installer but happy to pull the source in and modify if that's the easiest approach. Probably boils down to how are you mapping to the "AppData" folder? Server.MapPath("~/AppData") would never do this, so I'm assuming it's some other method?
Cheers again, awesome job!! -Marc
Hi Marc,
That's odd as the plugin should just be using the filename part of the path to actually name the media item.
It currently uses GetTempPath() to find the folder to download the image to - this must be how your sensitive data is getting in there, but this file is then added to the media library using just the filename as the name (using Path.GetFileNameWithoutExtension()) - confused at why it's not working in your case.
I will make a change so that the file will be downloaded to the App_Data folder instead (in a Mediastock subfolder).
Will upload a new version shortly - please test and let me know if your issue is resolved :-)
Hi Marc,
Can you confirm whether your issue was resolved please?
Thanks :-)
Hi Simon,
Sorry for the delay - Just uninstalled via package manager through back office and when I reinstalled through backoffice I receive
Wrong Local header signature: 0x474E5089 Exception Details ICSharpCode.SharpZipLib.Zip.ZipException: Wrong Local header signature: 0x474E5089
Upon further investigation it looks like the package is a PNG file. Click on "Download Package" here https://our.umbraco.org/projects/backoffice-extensions/media-stock/
Spoke too soon - I was able to install 1.1 with the package file zip at the bottom (the primary Download button still points to a PNG file though).
I searched for a file, added to library, and here is the stored file name -
/media/51983/c-bitbucket-removing-my-clients-name-site-app_data-temp-mediastock-unsplash-dog-20170210145116.jpg
I guess now you know where my bitbucket folder is lol C:\Bitbucket
Hi Marc,
Thanks for giving it a try. I've made another change which hopefully will sort it. Let me know if your issue is resolved.
Also fixed the download link etc, so you will be able to install via Umbraco, and the download link points to the right file. (The GUI to manage a project on here is less than helpful!)
Many thanks
Thanks Simon,
Yup this works from the backoffice install package process now.
The file name, however, still appends the entire path. Just for redundancy's sake, I tested this on our production server as well, and the file names are set to c-inetpub-wwwroot-thepathtothesite.com-wwwroot etc. visible to forward facing users.
I just dug up something I posted a while back, https://our.umbraco.org/projects/developer-tools/cmsimport/feature-request/81364-absolute-image-url-or-multiple-delimited-urls-imported-as-media-picker-or-multiple-media-picker
But specifically, this line -
media.SetValue("umbracoFile", Path.GetFileName(pathToTempLocal), s);
might help you here? Are you calling this after you Create the media?
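An added example (not the plugin's code and not from either poster) of the behaviour discussed in this thread: handing the full temp path over as the media name exposes the directory layout once it is slugified, while handing over only the file name does not; it also flags already-stored names that look like slugged paths. The `Slug` step, the marker list in `Leak` and the sample path and URLs are assumptions made for illustration.

```csharp
using System;
using System.Text.RegularExpressions;

static class MediaNameDemo
{
    // Stand-in for the CMS step that turns a name into a URL-safe one
    // (assumption, not Umbraco's code): every run of other characters becomes '-'.
    static string Slug(string s) =>
        Regex.Replace(s.ToLowerInvariant(), "[^a-z0-9._]+", "-").Trim('-');

    // Keep only the last path component. Both separator styles are handled by
    // hand because Path.GetFileName ignores '\' when running on Linux or macOS.
    static string SafeName(string path)
    {
        string name = path.Substring(path.LastIndexOfAny(new[] { '\\', '/', ':' }) + 1);
        if (name.Length == 0 || name == "." || name == "..")
            throw new ArgumentException("path has no file name", nameof(path));
        return Slug(name);
    }

    // Audit heuristic built from the names quoted in this thread: a drive
    // letter, then a directory marker somewhere in the slug.
    static readonly Regex Leak = new Regex(
        @"^[a-z]-(.+-)?(users|appdata|app_data|inetpub|wwwroot)-");

    static bool LeaksPath(string mediaUrl) =>
        Leak.IsMatch(mediaUrl.Substring(mediaUrl.LastIndexOf('/') + 1));

    static void Main()
    {
        // Constructed sample path, not taken from a real server.
        string temp = @"C:\inetpub\wwwroot\example.test\App_Data\TEMP\Mediastock\unsplash-dog-20170210145116.jpg";

        string leaky = Slug(temp);      // whole path handed over as the name
        string safe = SafeName(temp);   // file name only
        Console.WriteLine(leaky);
        Console.WriteLine(safe);

        // Constructed media URLs to audit after upgrading.
        foreach (string url in new[] { "/media/1001/" + leaky, "/media/1002/" + safe })
            Console.WriteLine($"{url} leaksPath={LeaksPath(url)}");
    }
}
```

Media items created before the fix keep their old names, so a check like `LeaksPath` over the existing media URLs shows which ones still need renaming.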
Hi Marc
Sorry for the delay - I have just uploaded v1.3 which should fix the problem!
Please can you give it a try and confirm?
Nice one, looks like you sorted this out. Production worthy!
Thanks a bunch for tackling this, Simon. Have been itching to add this to a handful of client projects..
If you ever need anything else on this package feel free to hit me up - happy to test and/or collaborate.
Cheers, and h5yr -Marc
No problem thanks for testing; would you mind marking the topic as solved for me please? I don't think I can do it myself.
Sure, gave you a h5 as well :)