[Xerte-dev] Re: SECURITY PATCH for upload.php

Smith, John J.J.Smith at gcu.ac.uk
Tue Mar 12 19:56:02 GMT 2013


Hi Ron

Do you know if this is using Firefox or one of the other browsers? I've tested it using several of the models (albeit on Xampp - not sure what setup Julian tested it on) in the 3 mainstream browsers and it's been working fine, except for the erroneous messages, which we are still trying to figure out the best way to catch in Flash...

I'll patch one in an hour or so and if you could try it out then it might give us a clue as to whether it's the session problem or something else...

Regards

John Smith
Learning Technologist
School of Health and Life Sciences

Sent from Samsung Galaxy SII



Ron Mitchell <ronm at mitchellmedia.co.uk> wrote:


Hi
sorry been quiet for a week or so (on holiday) but back now and updated the Techdis installations from svn (not sandpit) and Alistair and Simon reported issues with uploading images. I reverted one installation back and that worked again but I've left the latest code in the /xot test install which doesn't work. Basically uploads seem to work ok via media & quota but not via a graphics and sound page for instance. The image appears to upload and an upload successful prompt appears but the image doesn't actually upload. Any ideas?
Ron

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: 11 March 2013 16:18
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php


There's no more detail: here's a screenshot showing the code and the relevant events to the left. onComplete means 'successfully uploaded', so the answer will lie in the upload.php and whether, if uploading fails, it's reflected back in the Flash stuff.



I've added some alerts for now so you can see what gets tripped, we can take these out later, and I've committed the wizard with these in,



listener.onComplete = function(file:FileReference):Void {
      Alert.show("Upload successful");
      // --etc--
}

listener.onHTTPError = function(file:FileReference):Void {
      Alert.show("Upload failed: HTTPError");
      // --etc--
}

listener.onIOError = function(file:FileReference):Void {
      Alert.show("Upload failed: IOError");
      // --etc--
}

listener.onSecurityError = function(file:FileReference, errorString:String):Void {
      Alert.show("Upload failed: Security Error");
      // --etc--
}



-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 11 March 2013 15:42
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php



Are you using FileReference class? This code snippet suggests you can extract data from the DataEvent object in the UPLOAD_COMPLETE_DATA with var strData:String = StringUtil.trim(evt.data);







// Imports and field declarations added so the snippet reads as a complete
// set of Flex/AS3 class members; the original post showed only the two methods.
import flash.net.FileReference;
import flash.net.URLRequest;
import flash.net.URLVariables;
import flash.events.DataEvent;
import flash.events.Event;
import flash.events.IOErrorEvent;
import mx.controls.Alert;
import mx.utils.StringUtil;

private var fileRef:FileReference;
private var urlReq:URLRequest;

private function init():void {
    fileRef = new FileReference();
    fileRef.addEventListener(Event.SELECT, fileRef_select);
    fileRef.addEventListener(Event.COMPLETE, fileRef_complete);
    fileRef.addEventListener(IOErrorEvent.IO_ERROR, fileRef_ioError);
    // Fires after COMPLETE, carrying whatever the server echoed in the response body.
    fileRef.addEventListener(DataEvent.UPLOAD_COMPLETE_DATA, fileRef_uploadCompleteData);

    urlReq = new URLRequest();
    urlReq.url = "http://localhost:8300/fileref/uploader.cfm";
}

private function fileRef_uploadCompleteData(evt:DataEvent):void {
    // The server's response is parsed as URL-encoded name=value pairs.
    var strData:String = StringUtil.trim(evt.data);
    var vars:URLVariables = new URLVariables(strData);
    Alert.show(vars.fileName, "fileName");
}





Regards,



John Smith

Learning Technologist

School of Health & Life Sciences

Glasgow Caledonian University





-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: Monday, March 11, 2013 3:19 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php



Yeah it should because the upload page completes... you could try sticking a number in the exit function for the blacklist and see if you can get the number, exit(5); for example...



At least the session bit seems to work... I've taken out all the whitelist code and mimetype stuff just now but I have another upload file I'm working on which attempts to detect the mimetype using several techniques contained in drupal and wordpress modules - will let you know if it pans out...



Regards,



John Smith

Learning Technologist

School of Health & Life Sciences

Glasgow Caledonian University





-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: Monday, March 11, 2013 2:32 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php



If I try and upload php files, onComplete still fires...



-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: 11 March 2013 14:27
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php



Hold on, I'll see if I can get the events to trip,



-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 11 March 2013 14:20
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php



Yeah, it’s the Flash end... didn't seem to be doing anything no matter the content of the php PRINT statements so I just removed them for brevity... They were all in English anyway...



Regards,



John Smith

Learning Technologist

School of Health & Life Sciences

Glasgow Caledonian University





-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: Monday, March 11, 2013 1:57 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php



No way to receive whether the upload was successful or not?



Regards,



John Smith

Learning Technologist

School of Health & Life Sciences

Glasgow Caledonian University





-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: Monday, March 11, 2013 1:48 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php



I'm not sure you can do much with that class, it's just a black box.



-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 11 March 2013 13:33
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php



Perhaps it should just feedback error codes, and the flash class translates them...



Regards,



John Smith

Learning Technologist

School of Health & Life Sciences

Glasgow Caledonian University
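Pulling together John's points in this thread (the session check, the whitelist and mimetype work, and feeding back bare error codes that the Flash class translates), here is an added example of that decision logic. It is not Xerte's upload.php; it is a Python model with hypothetical names and a constructed whitelist, and it also shows why a non-200 status matters: that is what makes FileReference fire its error listener rather than onComplete.

```python
import os
from urllib.parse import parse_qs, urlencode

# Hypothetical whitelist: extension -> magic bytes the content must start with.
ALLOWED = {
    "jpg": (b"\xff\xd8\xff",), "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# Bare numeric codes: the Flash side translates them, the server explains nothing.
CODE_OK, CODE_NO_SESSION, CODE_BAD_NAME, CODE_BAD_EXT, CODE_BAD_CONTENT = 0, 1, 2, 3, 4


def check_upload(session_user, filename, content):
    """Return (http_status, response_body) for one upload attempt.

    Anything other than 200 makes FileReference run its error listener instead
    of onComplete; the body is URL-encoded so URLVariables can parse it.
    """
    if not session_user:                       # the session check the thread relies on
        return 403, urlencode({"code": CODE_NO_SESSION})
    # Drop any path components and hidden-file names before looking at the name.
    name = os.path.basename(filename.replace("\\", "/"))
    if not name or name.startswith(".") or "." not in name:
        return 400, urlencode({"code": CODE_BAD_NAME})
    ext = name.rsplit(".", 1)[1].lower()       # only the final extension counts
    if ext not in ALLOWED:
        return 415, urlencode({"code": CODE_BAD_EXT})
    # Cheap content check: the bytes must look like the type the extension claims.
    # This catches mislabelled files; it is not proof the content is harmless.
    if not any(content.startswith(magic) for magic in ALLOWED[ext]):
        return 415, urlencode({"code": CODE_BAD_CONTENT})
    return 200, urlencode({"code": CODE_OK, "fileName": name})


def flash_outcome(status, body):
    """Model which listener the Flash client runs and what it can read back."""
    if status != 200:
        return "onHTTPError", None             # onComplete never fires on an error status
    vars_ = parse_qs(body)                     # like new URLVariables(evt.data)
    return "onComplete", vars_["fileName"][0]
```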





-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: Monday, March 11, 2013 1:21 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php



NO, I forget the details but there is a flash player class that does the upload thing. I'll give it a whirl.



-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 11 March 2013 12:45
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php



Hi Julian, give that a try... Does the flash editor do anything with the returned/echoed text? I've taken them out because they didn't seem to be doing anything in the Flash end and they could give hints to a hacker as to why their attempt was quashed...













Glasgow Caledonian University is a registered Scottish charity, number SC021474

Winner: Times Higher Education’s Widening Participation Initiative of the Year 2009 and Herald Society’s Education Initiative of the Year 2009.
http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html

Winner: Times Higher Education’s Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners.
http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html

