Thread: [Phpwebsite-developers] Problem uploading documents in 0.10.1

Brought to you by: brownbw, jtickle, verdonv

phpwebsite-developers

[Phpwebsite-developers] Problem uploading documents in 0.10.1

From: Tony M. <to...@ht...> - 2005-04-12 04:22:13

Ever since I have upgraded to 0.10.1, I have been unable to upload 
documents.  I will get an upload has failed message.  I thought it was a 
permissions problem, but I have 777 from the branch on down.

Has anyone else had this sort of problem and is there any idea how to fix 
it?

Thanks,
-Tony

-- 
Hometown Enterprises Internet Services
Professional, affordable web design and hosting.
http://www.hteis.com/

Re: [Phpwebsite-developers] Problem uploading documents in 0.10.1

From: Shaun M. <sh...@ae...> - 2005-04-12 06:58:23

On 12 Apr 2005, at 05:21, Tony Miller wrote:

> Ever since I have upgraded to 0.10.1, I have been unable to upload
> documents.  I will get an upload has failed message.  I thought it was 
> a
> permissions problem, but I have 777 from the branch on down.
>
> Has anyone else had this sort of problem and is there any idea how to 
> fix

This might be the security fix interfering with the upload. It scans a 
file for a particular string, which is possibly in the file you're 
uploading.

Test it by switching $parse_all_files = TRUE; in 
conf/security_config.php to false.

I wonder if it might be an idea to switch off the security fix if the 
person uploading is a deity or even an admin?

Shaun
aegis design - http://www.aegisdesign.co.uk

Re: [Phpwebsite-developers] Problem uploading documents in 0.10.1

From: Tony M. <to...@ht...> - 2005-04-12 22:54:01

On Tue, 12 Apr 2005, Shaun Murray wrote:

> 
> On 12 Apr 2005, at 05:21, Tony Miller wrote:
> 
> > Ever since I have upgraded to 0.10.1, I have been unable to upload
> > documents.  I will get an upload has failed message.  I thought it was 
> > a
> > permissions problem, but I have 777 from the branch on down.
> >
> > Has anyone else had this sort of problem and is there any idea how to 
> > fix
> 
> This might be the security fix interfering with the upload. It scans a 
> file for a particular string, which is possibly in the file you're 
> uploading.
> 
> Test it by switching $parse_all_files = TRUE; in 
> conf/security_config.php to false.
> 
> I wonder if it might be an idea to switch off the security fix if the 
> person uploading is a deity or even an admin?

Yup, that's it.  And it had stopped every single .PDF that I tried to 
upload.  I can't figure out how church bulletins could be malicious.  
Could it be that the security algorithm needs to be tweaked?

Thanks for the help Shaun. :)

-Tony

-- 
Hometown Enterprises Internet Services
Professional, affordable web design and hosting.
http://www.hteis.com/

Re: [Phpwebsite-developers] Problem uploading documents in 0.10.1

From: Shaun M. <sh...@ae...> - 2005-04-13 09:37:01

On 12 Apr 2005, at 23:53, Tony Miller wrote:

> Yup, that's it.  And it had stopped every single .PDF that I tried to
> upload.  I can't figure out how church bulletins could be malicious.
> Could it be that the security algorithm needs to be tweaked?
>

One of my users was complaining about image uploads in announce today 
as well. Same problem.

It definitely needs tweaking as now it's so secure you can't get any 
work done!

Shaun
aegis design - http://www.aegisdesign.co.uk

Re: [Phpwebsite-developers] Problem uploading documents in 0.10.1

From: Shaun M. <sh...@ae...> - 2005-04-13 10:45:45

On 13 Apr 2005, at 10:36, Shaun Murray wrote:

>
> On 12 Apr 2005, at 23:53, Tony Miller wrote:
>
>> Yup, that's it.  And it had stopped every single .PDF that I tried to
>> upload.  I can't figure out how church bulletins could be malicious.
>> Could it be that the security algorithm needs to be tweaked?
>>
>
> One of my users was complaining about image uploads in announce today 
> as well. Same problem.
>
> It definitely needs tweaking as now it's so secure you can't get any 
> work done!

Just to follow on...

Just removing dl\( from the list seems to clear up most problems. 
That's just a little too common in uploads.

I don't know what effect that has for security though as it's obviously 
opening up a tiny doorway. dl seems a odd php function to block 
although I guess in conjunction with another exploit, being able to 
load up apache modules at runtime might be useful to a hacker.

Shaun
aegis design - http://www.aegisdesign.co.uk