[Xerte-dev] Re: Problems uploading Media
Ron Mitchell
ronm at mitchellmedia.co.uk
Wed Jul 17 09:27:14 BST 2013
Sorry I've not been contributing lately - still busy with all sorts of other stuff but just skim reading this and may be wrong but is the reference to mod_sec related to the Apache mod_security module? I've hit problems with that in the past (mostly Moodle) where you have to add exceptions to the mod_security rules to allow the requests being blocked.
HTH
Ron
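Adding an exception as suggested above depends on knowing which rule fired and on which URI. The following is an added example, not part of the thread and not Xerte or ModSecurity project code: it extracts the rule id and URI from ModSecurity 2.x-style Apache error-log entries for the /mod_sec.html redirect and renders a path-scoped exception. The log lines, client address, rule file and rule id 999001 are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed Apache error-log lines in ModSecurity 2.x style. The client
# address, rule id 999001, rule file and unique_id are placeholders.
SAMPLE_LOG = """\
[Tue Jul 16 13:14:18 2013] [error] [client 192.0.2.10] ModSecurity: Access denied with redirection to /mod_sec.html using status 302 (phase 2). Match of "rx ^constructed$" against "REQUEST_METHOD" required. [file "/etc/modsecurity/example.conf"] [line "42"] [id "999001"] [msg "Constructed sample rule"] [hostname "uol-bioset.com"] [uri "/xerte/modules/xerte/engine/upload.php"] [unique_id "PLACEHOLDER-1"]
[Tue Jul 16 13:20:02 2013] [error] [client 192.0.2.10] File does not exist: /var/www/favicon.ico
[Tue Jul 16 13:50:07 2013] [error] [client 192.0.2.10] ModSecurity: Access denied with redirection to /mod_sec.html using status 302 (phase 2). Match of "rx ^constructed$" against "REQUEST_METHOD" required. [file "/etc/modsecurity/example.conf"] [line "42"] [id "999001"] [msg "Constructed sample rule"] [hostname "uol-bioset.com"] [uri "/"] [unique_id "PLACEHOLDER-2"]
"""

DENY_RE = re.compile(
    r"ModSecurity: Access denied with redirection to (?P<target>\S+) "
    r"using status (?P<status>\d{3})"
)
TAG_RE = re.compile(r'\[(\w+) "([^"]*)"\]')  # [id "..."], [uri "..."], ...


def parse_denials(log_text):
    """Return one dict per ModSecurity redirect-deny entry in the log."""
    denials = []
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if not m:
            continue  # unrelated Apache error, e.g. a missing file
        tags = dict(TAG_RE.findall(line))
        denials.append({
            "target": m.group("target"),
            "status": int(m.group("status")),
            "rule_id": tags.get("id"),
            "uri": tags.get("uri"),
        })
    return denials


def rules_by_uri(denials):
    """Map each blocked URI to the sorted rule ids that fired on it."""
    grouped = defaultdict(set)
    for d in denials:
        grouped[d["uri"]].add(d["rule_id"])
    return {uri: sorted(ids) for uri, ids in grouped.items()}


def exclusion_stanza(uri, rule_ids):
    """Render a path-scoped exception instead of disabling the engine."""
    ids = " ".join(rule_ids)
    return f'<Location "{uri}">\n    SecRuleRemoveById {ids}\n</Location>\n'


if __name__ == "__main__":
    print(rules_by_uri(parse_denials(SAMPLE_LOG)))
    print(exclusion_stanza("/xerte/modules/xerte/engine/upload.php", ["999001"]))
```

The same rule id appearing for both `/` and `upload.php` points to a server-wide policy rather than anything specific to the upload; the stanza must be loaded after the rule it removes, and only for the upload endpoint.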
-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 17 July 2013 09:05
To: xerte-dev at lists.nottingham.ac.uk
Subject: [Xerte-dev] Re: Problems uploading Media
Wizard -> Upload.php uses files array too, multipart-formdata so think that bit is ok... It's only the cookie passing that is different? No?
I was wondering though if it's the fact that we pick up the session token and pass it back to upload in the querystring that is being flagged. But I've seen many a site doing that...
Regards
John Smith
Learning Technologist
School of Health and Life Sciences
Sent from Samsung Galaxy SII
"Pat @ Pgogy" <xerte at pgogywebstuff.com> wrote:
Sorry for not being more on this
Media and quote uses the file array in php, which might explain this.
XML is just a string
I suspect different policies on both hence security firing off.
If still an issue try print_r files,post,get and request
See if they behave differently?
On 16 Jul 2013, at 15:48, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote:
I need more than a pint!!
I’m glad we’ve proved though that it’s not Xerte. Why Media & Quota tab is able to do a post though is strange and XML to save.php
Regards,
John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: Tuesday, July 16, 2013 3:44 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: Problems uploading Media
That’s great work there, thanks a lot. Hoist yourself a pint o’ heavy on me.
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 16 July 2013 14:55
To: For Xerte technical developers
Subject: [Xerte-dev] Re: Problems uploading Media
And now I’ve run the bioset server through a request method scanner and it reports the same… POST methods are being filtered through /mod_sec.html
Filtered Request Methods (Not 200 OR 405)
POST
POST / HTTP/1.0
Host: uol-bioset.com
Accept-Encoding: deflate, gzip
Accept: */*
Referer: http://www.askapache.com/online-tools/request-method-scanner/
HTTP/1.1 302 Found
Date: Tue, 16 Jul 2013 13:50:07 GMT
Server: Apache
Location: /mod_sec.html
Content-Length: 197
Connection: close
Content-Type: text/html; charset=iso-8859-1
Regards,
John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: Tuesday, July 16, 2013 2:47 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: Problems uploading Media
Ah didn’t read as far as I should have… 302 also returns a redirection URL, which in this case is /mod_sec.html
<image001.jpg>
http://www.askapache.com/htaccess/modsecurity-htaccess-tricks.html
Request URL: http://uol-bioset.com/xerte/modules/xerte/engine/upload.php?path=USER-FILES/15-jjs-Nottingham/media/&BROWSER=safari&AUTH=xerte&PHPSESSID=9c0a954bc3d99c4eabff83204628g53u
Request Method: POST
Status Code: 302 Found

Request Headers
    Accept: */*
    Accept-Encoding: gzip,deflate,sdch
    Accept-Language: en-US,en;q=0.8
    Connection: keep-alive
    Content-Length: 595710
    Content-Type: multipart/form-data; boundary=----------KM7Ef1KM7Ij5Ef1ae0Ef1Ef1gL6GI3
    Cookie: PHPSESSID=9c0a954bc3d99c4eabff83204628g53u
    Host: uol-bioset.com
    Origin: http://uol-bioset.com
    Referer: http://uol-bioset.com/xerte/edit.php?template_id=15
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.72 Safari/537.36

Query String Parameters
    path: USER-FILES/15-jjs-Nottingham/media/
    BROWSER: safari
    AUTH: xerte
    PHPSESSID: 9c0a954bc3d99c4eabff8324ba411514

Request Payload
    ------------KM7Ef1KM7Ij5Ef1ae0Ef1Ef1gL6GI3
    Content-Disposition: form-data; name="Filename"

    Hydrangeas.jpg
    ------------KM7Ef1KM7Ij5Ef1ae0Ef1Ef1gL6GI3
    Content-Disposition: form-data; name="Filedata"; filename="Hydrangeas.jpg"
    Content-Type: application/octet-stream

    ------------KM7Ef1KM7Ij5Ef1ae0Ef1Ef1gL6GI3
    Content-Disposition: form-data; name="Upload"

    Submit Query
    ------------KM7Ef1KM7Ij5Ef1ae0Ef1Ef1gL6GI3--

Response Headers
    Connection: Keep-Alive
    Content-Length: 197
    Content-Type: text/html; charset=iso-8859-1
    Date: Tue, 16 Jul 2013 13:14:18 GMT
    Keep-Alive: timeout=5, max=100
    Location: /mod_sec.html
    Server: Apache
Regards,
John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: Tuesday, July 16, 2013 2:39 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: Problems uploading Media
And so the plot thickens…
On uploading some media on the bioset server and monitoring the network traffic in Chrome Dev Tools, you get this:
<image002.png>
Notice the ‘302 – Found’ code. Now I wasn’t sure if that was right or not. 302-Found usually means “Yes the file is here so please submit again!!”. So I tried on my server and get this:
<image003.png>
So what I expected, a 200 OK code… The thing is, if I copy the bioset url that received the 302 code, …upload.php?path=USER-FILES/15-jjs-Nottingham/media/&BROWSER=safari&AUTH=xerte&PHPSESSID=sessid_removed
Then YES, It does update the parameters.txt file so upload.php is being executed on the GET request but not on a POST request…
Anyone know what could cause that on a Linux server?? I definitely think that this is a server issue and not the code but why??
Regards,
John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: Tuesday, July 16, 2013 1:48 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: Problems uploading Media
I have full access as user and admin…
Not to the filesystem…
But as far as I can ascertain, upload.php is never being called. The very first line is now:
file_put_contents('parameters.txt', var_export($_GET, true), true);
and when you try to upload the media it says successful but the parameters.txt file hasn’t changed… at first I thought we had changed /modules/xerte/engine/upload.php and the site one was being called but that doesn’t appear to be the case either…
Regards,
John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: Tuesday, July 16, 2013 1:39 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: Problems uploading Media
The other weird thing was media and quota didn’t work, and then suddenly did. That made me think liveware was to blame, but I don’t think it is in this case, and if you have access and can replicate, then it’s not that. Do you have full access to the server to try stuff on? That would help a lot if we can avoid having to bounce everything through the forum.
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: 16 July 2013 13:36
To: For Xerte technical developers
Subject: [Xerte-dev] Re: Problems uploading Media
No, I’m stumped. It’s not really my area - thanks for your persistence. Can you prove whether upload.php is being called or not?
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 16 July 2013 13:27
To: xerte-dev at lists.nottingham.ac.uk
Subject: [Xerte-dev] Problems uploading Media
Hi,
Decided to take this off the Forum… still not getting anywhere with it though…
So, I’ve patched the upload.php file to write out the $_GET parameter to see what’s being passed from the editor… the thing is that NOTHING is being passed, in fact upload.php doesn’t even look as if it’s being called…
If you go here http://uol-bioset.com/xerte/modules/xerte/engine/upload.php?name=John then it writes to parameters.txt at http://uol-bioset.com/xerte/modules/xerte/engine/parameters.txt
Now with this on my server, after uploading, parameters.txt looks like this:
array (
'path' => 'USER-FILES/2-john-Nottingham/media/',
'BROWSER' => 'safari',
'AUTH' => 'xerte',
'PHPSESSID' => 'odF2q4By53rgwvYyJwcgo0',
)
However, even now that I have access to the server, and can login and upload stuff via the upload button, parameters.txt never changes… even calling http://uol-bioset.com/xerte/modules/xerte/engine/upload.php with no parameters set should just write an empty array but nothing is written, the upload path looks right (same as mine anyway).
upload.php?path=
Anyone have any ideas?
Regards,
John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University
Glasgow Caledonian University is a registered Scottish charity, number SC021474
Winner: Times Higher Education’s Widening Participation Initiative of the Year 2009 and Herald Society’s Education Initiative of the Year 2009.
http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html
Winner: Times Higher Education’s Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners.
http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html
This message and any attachment are intended solely for the addressee and may contain confidential information. If you have received this message in error, please send it back to me, and immediately delete it. Please do not use, copy or disclose the information contained in this message or in any attachment. Any views or opinions expressed by the author of this email do not necessarily reflect the views of the University of Nottingham.
This message has been checked for viruses but the contents of an attachment may still contain software viruses which could damage your computer system, you are advised to perform your own checks. Email communications with the University of Nottingham may be monitored as permitted by UK legislation.
_______________________________________________
Xerte-dev mailing list
Xerte-dev at lists.nottingham.ac.uk
http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev