[Xerte-dev] Re: Problems uploading Media
Smith, John
J.J.Smith at gcu.ac.uk
Tue Jul 16 14:55:14 BST 2013
And now I've run the bioset server through a request method scanner and it reports the same... POST methods are being filtered through /mod_sec.html
Filtered Request Methods (Not 200 OR 405)
POST
POST / HTTP/1.0
Host: uol-bioset.com
Accept-Encoding: deflate, gzip
Accept: */*
Referer: http://www.askapache.com/online-tools/request-method-scanner/
HTTP/1.1 302 Found
Date: Tue, 16 Jul 2013 13:50:07 GMT
Server: Apache
Location: /mod_sec.html
Content-Length: 197
Connection: close
Content-Type: text/html; charset=iso-8859-1
Regards,
John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University
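The scanner's rule quoted above ("Not 200 OR 405") can be applied to any captured response head to see which methods are intercepted and where they are sent. The following is an added example, not code from the thread or from Xerte; the function names are hypothetical and the GET response is a constructed sample.

```python
from email.parser import Parser
from urllib.parse import urlsplit

PASS_CODES = {200, 405}  # the scanner's rule: any other status counts as filtered

# POST response head copied from the scanner output in the message above.
POST_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Date: Tue, 16 Jul 2013 13:50:07 GMT\r\n"
    "Server: Apache\r\n"
    "Location: /mod_sec.html\r\n"
    "Content-Length: 197\r\n"
    "Connection: close\r\n"
    "Content-Type: text/html; charset=iso-8859-1\r\n\r\n"
)
# Constructed sample (not from the thread): an unfiltered GET response head.
GET_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html\r\n\r\n"
)

def parse_response(raw):
    """Split a raw HTTP response head into (status_code, headers)."""
    status_line, _, header_block = raw.partition("\r\n")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError("not an HTTP status line: %r" % status_line)
    # Header names are matched case-insensitively by the email parser.
    headers = Parser().parsestr(header_block, headersonly=True)
    return int(parts[1]), headers

def classify(method, raw):
    """Report whether a method was filtered and where it was redirected."""
    status, headers = parse_response(raw)
    location = headers.get("Location")
    return {
        "method": method,
        "status": status,
        "filtered": status not in PASS_CODES,
        "redirect_path": urlsplit(location).path if location else None,
    }

def filtered_methods(captures):
    """Map each filtered method to its redirect path (None if no Location)."""
    results = (classify(m, raw) for m, raw in captures.items())
    return {r["method"]: r["redirect_path"] for r in results if r["filtered"]}

if __name__ == "__main__":
    print(filtered_methods({"GET": GET_RESPONSE, "POST": POST_RESPONSE}))
```

A method that lands in the result with a redirect to a static page, while the same URL answers 200 for another method, was answered by the web server or a filter in front of the application rather than by the script itself.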
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: Tuesday, July 16, 2013 2:47 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: Problems uploading Media
Ah didn't read as far as I should have... 302 also returns a redirection URL, which in this case is /mod_sec.html
[cid:image003.jpg at 01CE8234.7A8B68B0]
http://www.askapache.com/htaccess/modsecurity-htaccess-tricks.html
Request URL: http://uol-bioset.com/xerte/modules/xerte/engine/upload.php?path=USER-FILES/15-jjs-Nottingham/media/&BROWSER=safari&AUTH=xerte&PHPSESSID=9c0a954bc3d99c4eabff83204628g53u
Request Method: POST
Status Code: 302 Found

Request Headers
    Accept: */*
    Accept-Encoding: gzip,deflate,sdch
    Accept-Language: en-US,en;q=0.8
    Connection: keep-alive
    Content-Length: 595710
    Content-Type: multipart/form-data; boundary=----------KM7Ef1KM7Ij5Ef1ae0Ef1Ef1gL6GI3
    Cookie: PHPSESSID=9c0a954bc3d99c4eabff83204628g53u
    Host: uol-bioset.com
    Origin: http://uol-bioset.com
    Referer: http://uol-bioset.com/xerte/edit.php?template_id=15
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.72 Safari/537.36

Query String Parameters
    path: USER-FILES/15-jjs-Nottingham/media/
    BROWSER: safari
    AUTH: xerte
    PHPSESSID: 9c0a954bc3d99c4eabff8324ba411514

Request Payload
    ------------KM7Ef1KM7Ij5Ef1ae0Ef1Ef1gL6GI3
    Content-Disposition: form-data; name="Filename"
    Hydrangeas.jpg
    ------------KM7Ef1KM7Ij5Ef1ae0Ef1Ef1gL6GI3
    Content-Disposition: form-data; name="Filedata"; filename="Hydrangeas.jpg"
    Content-Type: application/octet-stream
    ------------KM7Ef1KM7Ij5Ef1ae0Ef1Ef1gL6GI3
    Content-Disposition: form-data; name="Upload"
    Submit Query
    ------------KM7Ef1KM7Ij5Ef1ae0Ef1Ef1gL6GI3--

Response Headers
    Connection: Keep-Alive
    Content-Length: 197
    Content-Type: text/html; charset=iso-8859-1
    Date: Tue, 16 Jul 2013 13:14:18 GMT
    Keep-Alive: timeout=5, max=100
    Location: /mod_sec.html
    Server: Apache
Regards,
John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: Tuesday, July 16, 2013 2:39 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: Problems uploading Media
And so the plot thickens...
On uploading some media on the bioset server and monitoring the network traffic in Chrome Dev Tools, you get this:
[cid:image004.png at 01CE8234.7A8B68B0]
Notice the '302 - Found' code. Now I wasn't sure if that was right or not. 302-Found usually means "Yes the file is here so please submit again!!". So I tried on my server and get this:
[cid:image005.png at 01CE8234.7A8B68B0]
So what I expected, a 200 OK code... The thing is, if I copy the bioset url that received the 302 code, ...upload.php?path=USER-FILES/15-jjs-Nottingham/media/&BROWSER=safari&AUTH=xerte&PHPSESSID=sessid_removed
Then YES, It does update the parameters.txt file so upload.php is being executed on the GET request but not on a POST request...
Anyone know what could cause that on a Linux server?? I definitely think that this is a server issue and not the code but why??
Regards,
John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: Tuesday, July 16, 2013 1:48 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: Problems uploading Media
I have full access as user and admin...
Not to the filesystem...
But as far as I can ascertain, upload.php is never being called. The very first line is now:
file_put_contents('parameters.txt', var_export($_GET, true), true);
and when you try to upload the media it says successful but the parameters.txt file hasn't changed... at first I thought we had changed /modules/xerte/engine/upload.php and the site one was being called but that doesn't appear to be the case either...
Regards,
John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: Tuesday, July 16, 2013 1:39 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: Problems uploading Media
The other weird thing was media and quota didn't work, and then suddenly did. That made me think liveware was to blame, but I don't think it is in this case, and if you have access and can replicate, then it's not that. Do you have full access to the server to try stuff on? That would help a lot if we can avoid having to bounce everything through the forum.
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: 16 July 2013 13:36
To: For Xerte technical developers
Subject: [Xerte-dev] Re: Problems uploading Media
No, I'm stumped. It's not really my area - thanks for your persistence. Can you prove whether upload.php is being called or not?
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 16 July 2013 13:27
To: xerte-dev at lists.nottingham.ac.uk
Subject: [Xerte-dev] Problems uploading Media
Hi,
Decided to take this off the Forum... still not getting anywhere with it though...
So, I've patched the upload.php file to write out the $_GET parameter to see what's being passed from the editor... the thing is that NOTHING is being passed, in fact upload.php doesn't even look as if it's being called...
If you go here http://uol-bioset.com/xerte/modules/xerte/engine/upload.php?name=John then it writes to parameters.txt at http://uol-bioset.com/xerte/modules/xerte/engine/parameters.txt
Now with this on my server, after uploading, parameters.txt looks like this:
array (
'path' => 'USER-FILES/2-john-Nottingham/media/',
'BROWSER' => 'safari',
'AUTH' => 'xerte',
'PHPSESSID' => 'odF2q4By53rgwvYyJwcgo0',
)
However, even now that I have access to the server, and can log in and upload stuff via the upload button, parameters.txt never changes... even calling http://uol-bioset.com/xerte/modules/xerte/engine/upload.php with no parameters set should just write an empty array but nothing is written, the upload path looks right (same as mine anyway).
upload.php?path=
Anyone have any ideas?
Regards,
John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University
Glasgow Caledonian University is a registered Scottish charity, number SC021474
Winner: Times Higher Education's Widening Participation Initiative of the Year 2009 and Herald Society's Education Initiative of the Year 2009.
http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html
Winner: Times Higher Education's Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners.
http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html
This message and any attachment are intended solely for the addressee and may contain confidential information. If you have received this message in error, please send it back to me, and immediately delete it. Please do not use, copy or disclose the information contained in this message or in any attachment. Any views or opinions expressed by the author of this email do not necessarily reflect the views of the University of Nottingham.
This message has been checked for viruses but the contents of an attachment may still contain software viruses which could damage your computer system, you are advised to perform your own checks. Email communications with the University of Nottingham may be monitored as permitted by UK legislation.