Moodle
  1. Moodle
  2. MDL-25215

File extension lost when using "Save As" field

    Details

    • Type: Bug Bug
    • Status: Closed
    • Priority: Blocker Blocker
    • Resolution: Fixed
    • Affects Version/s: 2.0
    • Fix Version/s: 2.0.2
    • Component/s: Files API
    • Labels:
      None
    • Difficulty:
      Easy
    • Affected Branches:
      MOODLE_20_STABLE
    • Fixed Branches:
      MOODLE_20_STABLE
    • Rank (Obsolete):
      9955

      Description

      Hi, I was using the "My private Files" function and when uploading a file, I decided to use the Save as field and set the name to "Test File", without the extension. When I clicked upload, the file got saved as "Test File", without the extension, so when you click download the browser doesn't know what type of file is downloading,

      I think it shouldn't matter what you put on the Save as field the file extension should remain unchanged, since sometimes teachers ask for the uploaded files to be named specifically (Ex, StudentCode-Lastname-Firstname.FileExtension ) and if the file extension is lost the teacher wont be able to open it later...

      Will

        Activity

        Hide
        Petr Skoda added a comment -

        Hello,

        unfortunately this is caused by our security design because we are intentionally sending incorrect file headers for any student uploaded files. I am afraid you will have to type the extension manually every time, sorry.

        Petr Skoda

        Show
        Petr Skoda added a comment - Hello, unfortunately this is caused by our security design because we are intentionally sending incorrect file headers for any student uploaded files. I am afraid you will have to type the extension manually every time, sorry. Petr Skoda
        Hide
        Willman Castaneda added a comment -

        Hi skodak,

        I'm not a security expert, but i don't see the diference between typing the extension and automatically adding it at the end of the "Save As" field,

        For Example when a student submits a file for an activity, if he use the "save as" field and the extension is lost, when the teacher is
        going to review the file the teacher won't be able to open it. I think in the best case scenario the teacher is going to send an email to the student asking him to re-submit the file, which doesn't imply that the teacher knows the reason why he can't open the file and when the student re-submits the file it's more likely that this happens again.

        If it is not possible to add the file extension automatically ( even with javascript ) I think that at least there should be a warning message or a help icon telling the user
        how to use the "Save As" option,

        Will

        Show
        Willman Castaneda added a comment - Hi skodak, I'm not a security expert, but i don't see the diference between typing the extension and automatically adding it at the end of the "Save As" field, For Example when a student submits a file for an activity, if he use the "save as" field and the extension is lost, when the teacher is going to review the file the teacher won't be able to open it. I think in the best case scenario the teacher is going to send an email to the student asking him to re-submit the file, which doesn't imply that the teacher knows the reason why he can't open the file and when the student re-submits the file it's more likely that this happens again. If it is not possible to add the file extension automatically ( even with javascript ) I think that at least there should be a warning message or a help icon telling the user how to use the "Save As" option, Will
        Hide
        John Pennington added a comment -

        This issue is becoming increasingly problematic for our faculty and students. We have many files that are unopenable to the users without changing the extension manually after download (which, while a natural thought for a developer, is hardly natural for a common user). I understand that this will likely not be "fixed", but I think that there needs to be some way of disabling the "Save as" option or, at a minimum, detecting a lack of extension and sending a confirmation box to the user to inform them of the repercussions of leaving off the extension.

        Show
        John Pennington added a comment - This issue is becoming increasingly problematic for our faculty and students. We have many files that are unopenable to the users without changing the extension manually after download (which, while a natural thought for a developer, is hardly natural for a common user). I understand that this will likely not be "fixed", but I think that there needs to be some way of disabling the "Save as" option or, at a minimum, detecting a lack of extension and sending a confirmation box to the user to inform them of the repercussions of leaving off the extension.
        Hide
        David Meuleman added a comment -

        Add me to the list of Moodle Admins with users who find the file upload mechanism to be confusing.

        Show
        David Meuleman added a comment - Add me to the list of Moodle Admins with users who find the file upload mechanism to be confusing.
        Hide
        Charles Fulton added a comment -

        For my part I think allowing a student (or any uploader) to assign an arbitrary file extension is itself problematic. Petr, could you give more details about how this security feature works?

        Show
        Charles Fulton added a comment - For my part I think allowing a student (or any uploader) to assign an arbitrary file extension is itself problematic. Petr, could you give more details about how this security feature works?
        Hide
        Petr Skoda added a comment -

        The security is tricky because ideally you should not allow any student to upload any file at all, we have to, so we try hard to confuse the browser so that it does not execute any javascript that might be included in it, we have to also prevent any execution of flash, etc.

        Show
        Petr Skoda added a comment - The security is tricky because ideally you should not allow any student to upload any file at all, we have to, so we try hard to confuse the browser so that it does not execute any javascript that might be included in it, we have to also prevent any execution of flash, etc.
        Hide
        John Pennington added a comment -

        One of Moodle's core purposes is to allow for students to upload assignments, so I hardly think that the ideal of disallowing student uploads is relevant to the discussion. Student uploads are a necessary part of Moodle's functionality, regardless of ideals. I understand that special security considerations need to be implemented, but security in direct opposition to core functionality is hardly worthwhile. Removing the "Save File As" option all together seems to be a much better security response than allowing extensionless files to confound hundreds of users. There must be some way to resolve this without any hindrance of key functionality.

        Show
        John Pennington added a comment - One of Moodle's core purposes is to allow for students to upload assignments, so I hardly think that the ideal of disallowing student uploads is relevant to the discussion. Student uploads are a necessary part of Moodle's functionality, regardless of ideals. I understand that special security considerations need to be implemented, but security in direct opposition to core functionality is hardly worthwhile. Removing the "Save File As" option all together seems to be a much better security response than allowing extensionless files to confound hundreds of users. There must be some way to resolve this without any hindrance of key functionality.
        Hide
        Robert Puffer added a comment -

        Pretty sure I got lost back there where we 1) are making "renamers" supply the extension and 2) are concerned about automatically retaining existing extensions as being less secure? Is there more explanation available for the feeble-minded?

        Show
        Robert Puffer added a comment - Pretty sure I got lost back there where we 1) are making "renamers" supply the extension and 2) are concerned about automatically retaining existing extensions as being less secure? Is there more explanation available for the feeble-minded?
        Hide
        Petr Skoda added a comment -

        Reopening, I though this is browser Save as, but this feature request is related to the "Save as" field in the repository UI. Sorry for the trouble.

        Petr

        Show
        Petr Skoda added a comment - Reopening, I though this is browser Save as, but this feature request is related to the "Save as" field in the repository UI. Sorry for the trouble. Petr
        Hide
        Martin Dougiamas added a comment -

        Yes, during an upload rename, we should definitely remember the original file extension and re-apply it if the user has deleted it.

        And probably also if they've changed it, right? I imagine if someone changes a .jpg to a .doc then we should probably save it as .doc.jpg.

        Show
        Martin Dougiamas added a comment - Yes, during an upload rename, we should definitely remember the original file extension and re-apply it if the user has deleted it. And probably also if they've changed it, right? I imagine if someone changes a .jpg to a .doc then we should probably save it as .doc.jpg.
        Hide
        Itamar Tzadok added a comment -

        I've just had an opportunity to try replacing an uploaded file which made me realize in a much clearer way the function of the 'Save As' field. Now if you want to replace the file you must Rename the file. I would expect though that the name of the file I uploaded would appear in the field by default. Renaming would then simply require adding something to the name without retyping it and would be much less confusing. To make it even less confusing than that the field may be hidden by default and appear with the file name only if the name needs to be renamed.

        The current behavior of not forcing the original file type is not inconsistent with standard rename behavior. Forcing the original file type makes sense in its own way but is not necessarily a desirable constraint.

        Show
        Itamar Tzadok added a comment - I've just had an opportunity to try replacing an uploaded file which made me realize in a much clearer way the function of the 'Save As' field. Now if you want to replace the file you must Rename the file. I would expect though that the name of the file I uploaded would appear in the field by default. Renaming would then simply require adding something to the name without retyping it and would be much less confusing. To make it even less confusing than that the field may be hidden by default and appear with the file name only if the name needs to be renamed. The current behavior of not forcing the original file type is not inconsistent with standard rename behavior. Forcing the original file type makes sense in its own way but is not necessarily a desirable constraint.
        Hide
        Dongsheng Cai added a comment -

        Pull request submitted, under review.

        Show
        Dongsheng Cai added a comment - Pull request submitted, under review.
        Hide
        Petr Skoda added a comment -

        reopening, please see the pull for details.

        Show
        Petr Skoda added a comment - reopening, please see the pull for details.
        Hide
        Dongsheng Cai added a comment -

        Submitted another pull request to detect if saveas filename already contains the same file extension.

        Show
        Dongsheng Cai added a comment - Submitted another pull request to detect if saveas filename already contains the same file extension.
        Hide
        Helen Foster added a comment -

        Fix included in latest 2.0.1+ weekly. Thanks everyone.

        Show
        Helen Foster added a comment - Fix included in latest 2.0.1+ weekly. Thanks everyone.

          People

          • Votes:
            4 Vote for this issue
            Watchers:
            15 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved: