MyBB Community Forums

Full Version: Name attachments on filesystem using sha1 of file contents not md5 of a random string
Currently in MyBB 1.6.x and 1.8.x, when a file is uploaded to the system, you are using the md5 of a random string to generate the filename, as seen on line 491 of functions_upload.php:

$filename = "post_".$mybb->user['uid']."_".TIME_NOW."_".md5(random_str()).".attach";

My suggestion is that when a file is uploaded, it should be saved to a temporary location, and then the filename should be generated using sha1_file(...) instead of md5(random_str()).

This would provide a path to allow for a plugin or core feature to detect duplicates by scanning the attachments table looking for a match in the filename column for a given sha1 hash.
The random string is used to protect the attachments. Otherwise it may be possible to gain access to attachments you are not allowed to see.
If that is the design decision behind the current strategy, that is understandable. As with all development issues, there are multiple ways to handle the situation.

With that in mind I would amend my suggestion to add a new column to the attachments table which stores the sha1 hash of the attachment. That would maintain the protection aspect and still provide the possibility for the additional functionality I originally mentioned.
Sounds like it could be useful to have the file hash available for definite. It also means it could be displayed if admins wished to display it (e.g. software downloads where it's desirable to know the hash of what you're downloading).
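
The amended proposal from the thread, as an added example that is not part of any post and is not MyBB code: the on-disk name keeps a random component, while the SHA-1 of the contents goes in a separate column that is used only for duplicate lookup. Assumptions: the `$table` array stands in for the attachments table, `store_attachment()` and the `stored_name` and `sha1` keys are hypothetical names, and `random_bytes()` is substituted here for MyBB's `md5(random_str())`.

```php
<?php
// Added example, not MyBB code. $table stands in for the attachments table;
// 'sha1' is the hypothetical new column proposed in the thread.

function store_attachment(array &$table, int $uid, string $tmpPath, string $uploadDir): array
{
    // The content hash is stored as metadata, never used as the on-disk name:
    // anyone holding a copy of the file can compute it.
    $sha1 = sha1_file($tmpPath);
    if ($sha1 === false) {
        throw new RuntimeException("cannot read upload: $tmpPath");
    }

    // Duplicate lookup: indexes of existing rows with the same content hash.
    $dupes = array_keys(array_filter($table, fn($row) => $row['sha1'] === $sha1));

    // The stored name stays unguessable: 16 bytes from the CSPRNG
    // (assumption: replaces md5(random_str()) from the quoted line).
    $name = sprintf('post_%d_%d_%s.attach', $uid, time(), bin2hex(random_bytes(16)));
    if (!rename($tmpPath, $uploadDir . '/' . $name)) {
        throw new RuntimeException('cannot move upload into place');
    }

    $table[] = ['uid' => $uid, 'stored_name' => $name, 'sha1' => $sha1];
    return ['stored_name' => $name, 'sha1' => $sha1, 'duplicate_of' => $dupes];
}

// Constructed demo: two users upload identical bytes.
$dir = sys_get_temp_dir() . '/attach_demo_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
$table = [];
foreach ([1, 2] as $uid) {
    $tmp = tempnam($dir, 'up');
    file_put_contents($tmp, "constructed sample attachment\n");
    $r = store_attachment($table, $uid, $tmp, $dir);
    printf("uid=%d name=%s sha1=%s duplicate_of=%s\n",
        $uid, $r['stored_name'], $r['sha1'], json_encode($r['duplicate_of']));
}
```

Both rows end up with the same `sha1` value and different stored names, and the second upload reports row 0 as its duplicate.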