[Xerte-dev] Re: Problems uploading Media

Smith, John J.J.Smith at gcu.ac.uk
Wed Jul 17 09:53:08 BST 2013


It seems that putting this in a .htaccess file could fix it by turning filtering off for that file... thanks Ron, your suggestion helped narrow it down! Seems to be a common problem with Flash uploaders in particular...

Not really sure whether this needs to be in the same folder as the upload.php file or, if it goes in root or elsewhere, whether the path to upload.php needs to be added... Anyone?

<IfModule mod_security.c>
<Files upload.php>
SecFilterEngine Off
SecFilterScanPOST Off
</Files>
</IfModule>

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University
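A check for the "missing boundary" log line mentioned further down the thread and for the multipart upload captured in Chrome Dev Tools, as an added example that is not part of the original mail or of the Xerte code: it parses a constructed multipart/form-data body modelled on that capture (same boundary string, same three parts, fake file bytes) and reports the defects a mod_security rule would reject before upload.php ever runs. The rule names and messages are assumptions for illustration, not ModSecurity's own.

```python
import re

# Constructed sample modelled on the DevTools capture quoted in this thread
# (same boundary string and the same three parts); the file bytes are fake.
CONTENT_TYPE = "multipart/form-data; boundary=----------KM7Ef1KM7Ij5Ef1ae0Ef1Ef1gL6GI3"
D = b"------------KM7Ef1KM7Ij5Ef1ae0Ef1Ef1gL6GI3"  # "--" + declared boundary
BODY = (
    D + b'\r\nContent-Disposition: form-data; name="Filename"\r\n\r\nHydrangeas.jpg\r\n'
    + D + b'\r\nContent-Disposition: form-data; name="Filedata"; filename="Hydrangeas.jpg"\r\n'
    + b"Content-Type: application/octet-stream\r\n\r\n\xff\xd8\xff\xe0fake-jpeg\r\n"
    + D + b'\r\nContent-Disposition: form-data; name="Upload"\r\n\r\nSubmit Query\r\n'
    + D + b"--\r\n"
)


def boundary_from_content_type(content_type):
    """Return the boundary parameter of a multipart Content-Type, or None if absent."""
    m = re.search(r';\s*boundary=("?)([^";]+)\1', content_type)
    return m.group(2) if m else None


def _parts(delim, body):
    """Yield (headers, data) for each part; stop at the closing 'delim--'."""
    for chunk in body.split(delim)[1:]:
        if chunk.startswith(b"--"):      # closing delimiter, ignore any epilogue
            break
        chunk = chunk.lstrip(b"\r\n")
        if not chunk:                    # blank chunk from a truncated body
            continue
        head, sep, data = chunk.partition(b"\r\n\r\n")
        yield head, (data[:-2] if sep and data.endswith(b"\r\n") else data)


def check_multipart(content_type, body):
    """List the defects a WAF or upload handler would reject; empty means well-formed."""
    boundary = boundary_from_content_type(content_type)
    if boundary is None:
        return ["missing boundary in Content-Type"]
    delim = b"--" + boundary.encode()
    problems = []
    if not body.startswith(delim):
        problems.append("body does not start with the declared boundary")
    if delim + b"--" not in body:
        problems.append("no closing boundary")
    for i, (head, _) in enumerate(_parts(delim, body)):
        if b"content-disposition:" not in head.lower():
            problems.append(f"part {i}: no Content-Disposition header")
    return problems


def form_field_names(content_type, body):
    """Field names in order, as PHP would key $_POST / $_FILES from them."""
    boundary = boundary_from_content_type(content_type)
    if boundary is None:
        return []
    names = []
    for head, _ in _parts(b"--" + boundary.encode(), body):
        m = re.search(rb'[;\s]name="([^"]*)"', head)   # skip filename="..."
        names.append(m.group(1).decode() if m else None)
    return names
```

Run it against a body saved from a real failing upload to see whether the request the uploader sends is actually malformed or whether the filter is rejecting a well-formed one.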


-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: Wednesday, July 17, 2013 9:39 AM
To: xerte-dev at lists.nottingham.ac.uk
Subject: [Xerte-dev] Re: Problems uploading Media

Yes Ron, you are spot on. It's with the guys' server team to figure out what needs to go in to allow upload traffic to pass... At least we know how to spot it in future...

Still curious as to why it allows media and quota to upload but blocks flash upload, which is supposed to be using the same multipart/form-data format. The Flash uploader must be breaking something. Server log said something about a missing boundary...

We could be doing with a wiki to record all this stuff though.

Regards

John Smith
Learning Technologist
School of Health and Life Sciences

Sent from Samsung Galaxy SII



Ron Mitchell <ronm at mitchellmedia.co.uk> wrote:


Sorry I've not been contributing lately - still busy with all sorts of other stuff, but just skim reading this and I may be wrong, but is the reference to mod_sec related to the Apache mod_security module? I've hit problems with that in the past (mostly Moodle) where you have to add exceptions to the mod_security rules to allow the requests being blocked.

HTH
Ron

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 17 July 2013 09:05
To: xerte-dev at lists.nottingham.ac.uk
Subject: [Xerte-dev] Re: Problems uploading Media

Wizard -> Upload.php uses the files array too, multipart/form-data, so I think that bit is ok... It's only the cookie passing that is different? No?

I was wondering though if it's the fact that we pick up the session token and pass it back to upload in the querystring that is being flagged. But I've seen many a site doing that...

Regards

John Smith
Learning Technologist
School of Health and Life Sciences

Sent from Samsung Galaxy SII



"Pat @ Pgogy" <xerte at pgogywebstuff.com> wrote:


Sorry for not being more on this

Media and quota use the file array in PHP, which might explain this.

XML is just a string

I suspect different policies on both hence security firing off.

If still an issue, try print_r on files, post, get and request.

See if they behave differently?

On 16 Jul 2013, at 15:48, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote:

I need more than a pint!!

I’m glad we’ve proved, though, that it’s not Xerte. Why the Media & Quota tab is able to do a POST, and XML to save.php, is strange though.

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: Tuesday, July 16, 2013 3:44 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: Problems uploading Media

That’s great work there, thanks a lot. Hoist yourself a pint o’ heavy on me.

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 16 July 2013 14:55
To: For Xerte technical developers
Subject: [Xerte-dev] Re: Problems uploading Media

And now I’ve run the bioset server through a request method scanner and it reports the same… POST methods are being filtered through /mod_sec.html


Filtered Request Methods (Not 200 OR 405)

POST
POST / HTTP/1.0
Host: uol-bioset.com
Accept-Encoding: deflate, gzip
Accept: */*
Referer: http://www.askapache.com/online-tools/request-method-scanner/

HTTP/1.1 302 Found
Date: Tue, 16 Jul 2013 13:50:07 GMT
Server: Apache
Location: /mod_sec.html
Content-Length: 197
Connection: close
Content-Type: text/html; charset=iso-8859-1

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: Tuesday, July 16, 2013 2:47 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: Problems uploading Media

Ah, didn’t read as far as I should have… 302 also returns a redirection URL, which in this case is /mod_sec.html

<image001.jpg>

http://www.askapache.com/htaccess/modsecurity-htaccess-tricks.html

1. Request URL:
   http://uol-bioset.com/xerte/modules/xerte/engine/upload.php?path=USER-FILES/15-jjs-Nottingham/media/&BROWSER=safari&AUTH=xerte&PHPSESSID=9c0a954bc3d99c4eabff83204628g53u
2. Request Method: POST
3. Status Code: 302 Found
4. Request Headers
   Accept: */*
   Accept-Encoding: gzip,deflate,sdch
   Accept-Language: en-US,en;q=0.8
   Connection: keep-alive
   Content-Length: 595710
   Content-Type: multipart/form-data; boundary=----------KM7Ef1KM7Ij5Ef1ae0Ef1Ef1gL6GI3
   Cookie: PHPSESSID=9c0a954bc3d99c4eabff83204628g53u
   Host: uol-bioset.com
   Origin: http://uol-bioset.com
   Referer: http://uol-bioset.com/xerte/edit.php?template_id=15
   User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.72 Safari/537.36
5. Query String Parameters
   path: USER-FILES/15-jjs-Nottingham/media/
   BROWSER: safari
   AUTH: xerte
   PHPSESSID: 9c0a954bc3d99c4eabff8324ba411514
6. Request Payload
   ------------KM7Ef1KM7Ij5Ef1ae0Ef1Ef1gL6GI3
   Content-Disposition: form-data; name="Filename"
   Hydrangeas.jpg
   ------------KM7Ef1KM7Ij5Ef1ae0Ef1Ef1gL6GI3
   Content-Disposition: form-data; name="Filedata"; filename="Hydrangeas.jpg"
   Content-Type: application/octet-stream
   ------------KM7Ef1KM7Ij5Ef1ae0Ef1Ef1gL6GI3
   Content-Disposition: form-data; name="Upload"
   Submit Query
   ------------KM7Ef1KM7Ij5Ef1ae0Ef1Ef1gL6GI3--
7. Response Headers
   Connection: Keep-Alive
   Content-Length: 197
   Content-Type: text/html; charset=iso-8859-1
   Date: Tue, 16 Jul 2013 13:14:18 GMT
   Keep-Alive: timeout=5, max=100
   Location: /mod_sec.html
   Server: Apache



Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: Tuesday, July 16, 2013 2:39 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: Problems uploading Media

And so the plot thickens…

On uploading some media on the bioset server and monitoring the network traffic in Chrome Dev Tools, you get this:

<image002.png>

Notice the ‘302 – Found’ code. Now I wasn’t sure if that was right or not. 302-Found usually means “Yes the file is here so please submit again!!”. So I tried on my server and get this:

<image003.png>

So what I expected, a 200 OK code… The thing is, if I copy the bioset url that received the 302 code, …upload.php?path=USER-FILES/15-jjs-Nottingham/media/&BROWSER=safari&AUTH=xerte&PHPSESSID=sessid_removed

Then YES, it does update the parameters.txt file, so upload.php is being executed on the GET request but not on a POST request…

Anyone know what could cause that on a Linux server?? I definitely think that this is a server issue and not the code but why??

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: Tuesday, July 16, 2013 1:48 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: Problems uploading Media

I have full access as user and admin…

Not to the filesystem…

But as far as I can ascertain, upload.php is never being called. The very first line is now:

file_put_contents('parameters.txt', var_export($_GET, true), true);

and when you try to upload the media it says successful but the parameters.txt file hasn’t changed… at first I thought we had changed /modules/xerte/engine/upload.php and the site one was being called but that doesn’t appear to be the case either…

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: Tuesday, July 16, 2013 1:39 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: Problems uploading Media

The other weird thing was media and quota didn’t work, and then suddenly did. That made me think liveware was to blame, but I don’t think it is in this case, and if you have access and can replicate, then it’s not that. Do you have full access to the server to try stuff on? That would help a lot if we can avoid having to bounce everything through the forum.

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: 16 July 2013 13:36
To: For Xerte technical developers
Subject: [Xerte-dev] Re: Problems uploading Media

No, I’m stumped. It’s not really my area - thanks for your persistence. Can you prove whether upload.php is being called or not?


From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 16 July 2013 13:27
To: xerte-dev at lists.nottingham.ac.uk
Subject: [Xerte-dev] Problems uploading Media

Hi,

Decided to take this off the Forum… still not getting anywhere with it though…

So, I’ve patched the upload.php file to write out the $_GET parameter to see what’s being passed from the editor… the thing is that NOTHING is being passed, in fact upload.php doesn’t even look as if it’s being called…

If you go here http://uol-bioset.com/xerte/modules/xerte/engine/upload.php?name=John then it writes to parameters.txt at http://uol-bioset.com/xerte/modules/xerte/engine/parameters.txt

Now with this on my server, after uploading, parameters.txt looks like this:

array (
'path' => 'USER-FILES/2-john-Nottingham/media/',
'BROWSER' => 'safari',
'AUTH' => 'xerte',
'PHPSESSID' => 'odF2q4By53rgwvYyJwcgo0',
)

However, even now that I have access to the server, and can log in and upload stuff via the upload button, parameters.txt never changes… even calling http://uol-bioset.com/xerte/modules/xerte/engine/upload.php with no parameters set should just write an empty array, but nothing is written. The upload path looks right (same as mine anyway).

upload.php?path=

Anyone have any ideas?

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University


Glasgow Caledonian University is a registered Scottish charity, number SC021474

Winner: Times Higher Education’s Widening Participation Initiative of the Year 2009 and Herald Society’s Education Initiative of the Year 2009.
http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html

Winner: Times Higher Education’s Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners.
http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html


This message and any attachment are intended solely for the addressee and may contain confidential information. If you have received this message in error, please send it back to me, and immediately delete it.   Please do not use, copy or disclose the information contained in this message or in any attachment.  Any views or opinions expressed by the author of this email do not necessarily reflect the views of the University of Nottingham.

This message has been checked for viruses but the contents of an attachment may still contain software viruses which could damage your computer system, you are advised to perform your own checks. Email communications with the University of Nottingham may be monitored as permitted by UK legislation.
_______________________________________________
Xerte-dev mailing list
Xerte-dev at lists.nottingham.ac.uk
http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev