mirror of
https://github.com/ciur/papermerge.git
synced 2026-04-25 20:15:58 +03:00
[GH-ISSUE #237] Cannot rename a document #189
Originally created by @okoetter on GitHub (Dec 1, 2020).
Original GitHub issue: https://github.com/ciur/papermerge/issues/237
Originally assigned to: @ciur on GitHub.
Description
After update from 1.5.0 to 1.5.2 I am not able to rename a document. No error message shown.
Expected
Document renamed and new file name displayed in breadcrumb navigation.
Actual
Nothing after rename dialog closes.
Info:
I am aware that I should not post issues for the Linuxserver docker image. And your demo installation works just fine. So maybe I have a problem with older documents being upgraded - maybe some permissions problems.
My intention with this issue is to ask whether there is a logfile that may show further info to help me investigate this issue?
@ciur commented on GitHub (Dec 1, 2020):
@okoetter, thanks for the quick heads-up.
Yes, indeed there is a problem. In a hurry I messed it up.

You can confirm that we speak about the same problem. If your browser is Firefox or Chrome, when renaming a document you will see the "file_orig" field is required message.
To mitigate XSS vulnerabilities I added additional checks. However, I forgot to remove legacy document fields on the document model. Bad, Eugen!
@ciur commented on GitHub (Dec 1, 2020):
I will fix it asap. Thanks for the heads-up again!
@ciur commented on GitHub (Dec 1, 2020):
@okoetter, I just pushed 1.5.3 which should fix this issue.
Could you please test against 1.5.3?
@okoetter commented on GitHub (Dec 1, 2020):
I can confirm that it works with the new version, thank you!
But I still get 1.5.2 shown at the bottom right, did you forget to bump the version number?
@okoetter commented on GitHub (Dec 1, 2020):
BTW: I just wanted to rename a file with a date in the format "10/2020" in the name. That did not work, json result was "Enter only safe characters.". I then used "10-2020" and that worked. Maybe the error message should be shown to the user!
@l4rm4nd commented on GitHub (Dec 1, 2020):
@ciur
Escaping all user input properly should mitigate XSS attacks. There is no need for further regex validations, which disallow potentially necessary special chars like / as @okoetter mentioned.
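The trade-off raised in this thread, as an added example (not code from Papermerge or from any commenter): an input-side allow-list rejects a legitimate title such as "10/2020", while escaping at the point of HTML output keeps the slash and still neutralises markup. The regex, function names and sample titles are assumptions constructed for illustration; only the error string comes from the thread.

```python
import html
import re
from typing import List, Optional, Tuple

# Hypothetical allow-list standing in for the regexp validation discussed
# above; this is NOT Papermerge's actual pattern.
SAFE_TITLE = re.compile(r"[\w .\-]+")


def validate_allowlist(title: str) -> Optional[str]:
    """Input-side check: return an error message, or None if accepted."""
    if not SAFE_TITLE.fullmatch(title):
        return "Enter only safe characters."
    return None


def render_breadcrumb(title: str) -> str:
    """Output-side defence: escape where the value enters HTML."""
    # quote=True also escapes " and ', so the result is safe both as
    # element text and inside a double-quoted attribute. It is not a
    # defence for JavaScript or URL contexts, which need their own encoding.
    safe = html.escape(title, quote=True)
    return f'<a class="breadcrumb" title="{safe}">{safe}</a>'


# Constructed sample titles: two benign, two carrying markup.
SAMPLES = [
    "scan 10-2020.pdf",
    "scan 10/2020.pdf",
    "<script>alert(1)</script>",
    'x" onmouseover="y',
]


def compare(titles: List[str]) -> List[Tuple[str, Optional[str], str]]:
    """For each title: (title, allow-list verdict, escaped markup)."""
    return [(t, validate_allowlist(t), render_breadcrumb(t)) for t in titles]


if __name__ == "__main__":
    for title, error, markup in compare(SAMPLES):
        verdict = error or "accepted"
        print(f"{title!r:32} allow-list: {verdict:28} rendered: {markup}")
```
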
@ciur commented on GitHub (Dec 1, 2020):
oh, stupid me, 😠! When I fixed that XSS thingy, I thought - who would need a slash in their file name❓ ❔ ❓
I will fix
> format "10/2020" in the name. That did not work, json result was "Enter only safe characters."

problem by removing regexp validation as @l4rm4nd mentioned.
But won't rush this time for the next quick 1.5.4 release. I will wait for other bugs to pile up, fix them, test them properly, and then release 1.5.4 towards end of December 2020.
@l4rm4nd, @okoetter thank you guys for your contributions!
Feels great to have onboard a security guy and an external user of the system! Like a real company!
@ciur commented on GitHub (Dec 23, 2020):
fixed in 1.5.4