[Xerte-dev] Re: SECURITY PATCH for upload.php
Ron Mitchell
ronm at mitchellmedia.co.uk
Wed Mar 13 09:24:51 GMT 2013
Hi John
Forgive me for stating the obvious, but did you close all browser windows after
reverting back?
On both my install with static authentication and the Techdis xot install
using Moodle authentication, uploading .mp4 (and image formats etc.) via media
and quota works fine.
But as we know, the Techdis xot install using Moodle authentication and the
latest code doesn't upload via page types.
HTH
Ron
-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk
[mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 12 March 2013 21:04
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
Thanks Ron,
I've now reverted my test setup (Xampp) back to R708, before I added the
plugins-related code, and it's still not working now... the upload.php file
is as it was too, i.e. no session check, and yet it still won't upload anything
above about 4Mb in a page model...
Needs further investigation, but it seems not related to the changes to
upload.php... incidentally, the Media and quota section won't allow me to
upload .mp4 files... I thought they would be OK there, but I get "Invalid file
type"...
Regards,
John Smith | Learning Technologist
Room A251, Govan Mbeki Building | School of Health & Life Sciences | Glasgow
Caledonian University Cowcaddens Road | Glasgow | G4 0BA
________________________________________
From: xerte-dev-bounces at lists.nottingham.ac.uk
[xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Ron Mitchell
[ronm at mitchellmedia.co.uk]
Sent: 12 March 2013 20:17
To: 'For Xerte technical developers'
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
Hi John
Alistair reported that it was happening with Chrome and IE. I'm not sure
what browser Simon was using but I tested via IE9 and was able to reproduce.
But...
I'm almost hesitant to mention this...
I'd updated my own install which worked fine so I started thinking about
what the differences are and apart from server differences a key difference
is that the Techdis installs are using Moodle for authentication. I switched
the xot install to guest and still got the problem. I then removed the
integration path via management, logged back in and was able to upload ok. I
then switched back to Moodle authentication and put the integration path
back in and was still able to upload. So intermittent results at the moment
but it does seem like it could be session related. I'm only online until
about 9pm tonight but will test further and again in the morning.
Cheers
Ron
-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk
[mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 12 March 2013 19:56
To: xerte-dev at lists.nottingham.ac.uk
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
Hi Ron
Do you know if this is using Firefox or one of the other browsers? I've
tested it using several of the models (albeit on Xampp - not sure what setup
Julian tested it on) in the 3 mainstream browsers and it's been working
fine, except for the erroneous messages, which we are still trying to figure
out the best way to catch in Flash...
I'll patch one in an hour or so, and if you could try it out then it might
give us a clue as to whether it's the session problem or something else...
Regards
John Smith
Learning Technologist
School of Health and Life Sciences
Sent from Samsung Galaxy SII
Ron Mitchell <ronm at mitchellmedia.co.uk> wrote:
Hi
Sorry, been quiet for a week or so (on holiday) but back now and have updated the
Techdis installations from svn (not sandpit), and Alistair and Simon reported
issues with uploading images. I reverted one installation back and that
worked again, but I've left the latest code in the /xot test install, which
doesn't work. Basically uploads seem to work OK via media & quota but not
via a graphics and sound page, for instance. The image appears to upload and
an "upload successful" prompt appears, but the image doesn't actually upload.
Any ideas?
Ron
From: xerte-dev-bounces at lists.nottingham.ac.uk
[mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: 11 March 2013 16:18
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
There's no more detail: here's a screenshot showing the code and the
relevant events to the left. onComplete means 'successfully uploaded', so
the answer will lie in the upload.php and whether, if uploading fails, it's
reflected back in the Flash stuff.
I've added some alerts for now so you can see what gets tripped; we can take
these out later, and I've committed the wizard with these in:
listener.onComplete = function(file:FileReference):Void {
    Alert.show("Upload successful");
    --etc--
}
listener.onHTTPError = function(file:FileReference):Void {
    Alert.show("Upload failed: HTTPError");
    --etc--
}
listener.onIOError = function(file:FileReference):Void {
    Alert.show("Upload failed: IOError");
    --etc--
}
listener.onSecurityError = function(file:FileReference, errorString:String):Void {
    Alert.show("Upload failed: Security Error");
    --etc--
}
-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk
[mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 11 March 2013 15:42
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
Are you using FileReference class? This code snippet suggests you can
extract data from the DataEvent object in the UPLOAD_COMPLETE_DATA with var
strData:String = StringUtil.trim(evt.data);
private function init():void {
    fileRef = new FileReference();
    fileRef.addEventListener(Event.SELECT, fileRef_select);
    fileRef.addEventListener(Event.COMPLETE, fileRef_complete);
    fileRef.addEventListener(IOErrorEvent.IO_ERROR, fileRef_ioError);
    // Fires after COMPLETE and carries whatever the server wrote in the response body
    fileRef.addEventListener(DataEvent.UPLOAD_COMPLETE_DATA, fileRef_uploadCompleteData);
    urlReq = new URLRequest();
    urlReq.url = "http://localhost:8300/fileref/uploader.cfm";
}
private function fileRef_uploadCompleteData(evt:DataEvent):void
{
    // evt.data is the raw response body; here it is parsed as name=value pairs
    var strData:String = StringUtil.trim(evt.data);
    var vars:URLVariables = new URLVariables(strData);
    Alert.show(vars.fileName, "fileName");
}
Regards,
John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University
-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk
[mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: Monday, March 11, 2013 3:19 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
Yeah, it should, because the upload page completes... you could try sticking a
number in the exit function for the blacklist and see if you can get the
number, exit(5); for example...
At least the session bit seems to work... I've taken out all the whitelist
code and mimetype stuff just now, but I have another upload file I'm working
on which attempts to detect the mimetype using several techniques contained
in Drupal and WordPress modules - will let you know if it pans out...
Regards,
John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University
-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk
[mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: Monday, March 11, 2013 2:32 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
If I try and upload php files, onComplete still fires...
-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk
[mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: 11 March 2013 14:27
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
Hold on, I'll see if I can get the events to trip,
-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk
[mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 11 March 2013 14:20
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
Yeah, it's the Flash end... didn't seem to be doing anything no matter the
content of the php PRINT statements so I just removed them for brevity...
They were all in English anyway...
Regards,
John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University
-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk
[mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: Monday, March 11, 2013 1:57 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
No way to receive whether the upload was successful or not?
Regards,
John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University
-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk
[mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: Monday, March 11, 2013 1:48 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
I'm not sure you can do much with that class, it's just a black box.
-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk
[mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 11 March 2013 13:33
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
Perhaps it should just feedback error codes, and the flash class translates
them...
Regards,
John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University
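As an added example (not Xerte's own upload.php, and not code from anyone in this thread), here is a PHP upload handler that performs the checks John describes in his later message (session check, extension whitelist, content-type sniffing along the lines of the Drupal/WordPress modules) and, as suggested in the message above, replies with nothing but a numeric status code for the Flash side to translate. The code numbers, the session key `xerte_user`, the storage directory and the size limit are assumptions; `Filedata` is the default field name FileReference.upload() posts, and it is assumed here that the editor uses that default.

```php
<?php
// Added example: a minimal upload.php that validates on the server and returns a
// bare status code. Everything below marked "assumed" is an illustration value,
// not something taken from the Xerte project.

const UPLOAD_OK            = 0;   // assumed code numbers
const ERR_NO_SESSION       = 1;
const ERR_NO_FILE          = 2;
const ERR_TOO_LARGE        = 3;
const ERR_EXT_NOT_ALLOWED  = 4;
const ERR_CONTENT_MISMATCH = 5;
const ERR_MOVE_FAILED      = 6;

// Whitelist: each allowed extension maps to the MIME type(s) its bytes must sniff as.
// Checking the extension alone is not enough; a ".jpg" whose bytes are PHP source
// fails the second check.
$ALLOWED = [
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'png'  => ['image/png'],
    'gif'  => ['image/gif'],
    'mp3'  => ['audio/mpeg'],
    'mp4'  => ['video/mp4'],
];

function reply(int $code): void {
    // One integer in the body and nothing else: the client maps it to a message,
    // so the response never explains to the uploader why a file was refused.
    header('Content-Type: text/plain');
    echo $code;
    exit;
}

function validate_upload(array $file, array $allowed, int $maxBytes): int {
    $err = $file['error'] ?? UPLOAD_ERR_NO_FILE;
    if ($err !== UPLOAD_ERR_OK) {
        // PHP's own limits (upload_max_filesize, post_max_size) surface here as
        // UPLOAD_ERR_INI_SIZE / UPLOAD_ERR_FORM_SIZE rather than as a silent failure.
        return ($err === UPLOAD_ERR_INI_SIZE || $err === UPLOAD_ERR_FORM_SIZE)
            ? ERR_TOO_LARGE : ERR_NO_FILE;
    }
    if ($file['size'] > $maxBytes) {
        return ERR_TOO_LARGE;
    }
    // Only the extension of the client-supplied name is used, never its path.
    $ext = strtolower(pathinfo(basename($file['name']), PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        return ERR_EXT_NOT_ALLOWED;
    }
    // Sniff the real content type from the temp file's bytes and require it to
    // agree with the extension (the same idea as the WordPress/Drupal checks).
    $finfo   = new finfo(FILEINFO_MIME_TYPE);
    $sniffed = $finfo->file($file['tmp_name']);
    if ($sniffed === false || !in_array($sniffed, $allowed[$ext], true)) {
        return ERR_CONTENT_MISMATCH;
    }
    return UPLOAD_OK;
}

session_start();
if (empty($_SESSION['xerte_user'])) {   // assumed session key set at login
    reply(ERR_NO_SESSION);
}
if (!isset($_FILES['Filedata'])) {      // FileReference.upload() default field name
    reply(ERR_NO_FILE);
}

$code = validate_upload($_FILES['Filedata'], $ALLOWED, 20 * 1024 * 1024); // assumed 20 MB limit
if ($code !== UPLOAD_OK) {
    reply($code);
}

// Store under a server-generated name; the client's name only contributed the
// (already whitelisted) extension, so nothing user-controlled reaches the path.
$ext  = strtolower(pathinfo(basename($_FILES['Filedata']['name']), PATHINFO_EXTENSION));
$dest = __DIR__ . '/media/' . bin2hex(random_bytes(8)) . '.' . $ext;   // assumed directory
if (!move_uploaded_file($_FILES['Filedata']['tmp_name'], $dest)) {
    reply(ERR_MOVE_FAILED);
}
reply(UPLOAD_OK);
```

On the Flash side the integer arrives in the body that `DataEvent.UPLOAD_COMPLETE_DATA` delivers (the handler shown in the FileReference snippet elsewhere in this thread), so `onComplete` firing no longer has to be read as "accepted"; the client checks the code and shows its own wording. Because the rejection reasons stay on the server, a refused upload reveals only a number, which addresses the concern about echoed text giving hints while still letting the editor report something useful.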
-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk
[mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: Monday, March 11, 2013 1:21 PM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
NO, I forget the details but there is a flash player class that does the
upload thing. I'll give it a whirl.
-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk
[mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 11 March 2013 12:45
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
Hi Julian, give that a try... Does the flash editor do anything with the
returned/echoed text? I've taken them out because they didn't seem to be
doing anything in the Flash end and they could give hints to a hacker as to
why their attempt was quashed...
Glasgow Caledonian University is a registered Scottish charity, number
SC021474
Winner: Times Higher Education's Widening Participation Initiative of the
Year 2009 and Herald Society's Education Initiative of the Year 2009.
http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html
Winner: Times Higher Education's Outstanding Support for Early Career
Researchers of the Year 2010, GCU as a lead with Universities Scotland
partners.
http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html
_______________________________________________
Xerte-dev mailing list
Xerte-dev at lists.nottingham.ac.uk
http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev
This message and any attachment are intended solely for the addressee and
may contain confidential information. If you have received this message in
error, please send it back to me, and immediately delete it. Please do not
use, copy or disclose the information contained in this message or in any
attachment. Any views or opinions expressed by the author of this email do
not necessarily reflect the views of the University of Nottingham.
This message has been checked for viruses but the contents of an attachment
may still contain software viruses which could damage your computer system:
you are advised to perform your own checks. Email communications with the
University of Nottingham may be monitored as permitted by UK legislation.