Opened 10 years ago

Closed 10 years ago

Last modified 10 years ago

#10306 closed enhancement (fixed)

dojox.form.FileUploader (flash) doesn't work with some server configurations

Reported by: minobun Owned by: dante
Priority: high Milestone: 1.4
Component: DojoX Form Version: 1.4.0b
Keywords: flash, uploader, htaccess, documentation, security Cc:
Blocked By: Blocking:

Description

On some servers the flash upload fails with http status 403. I don't know the right reason for this. My provider whispered to me that the only solution at this time is a .htaccess file with the entry:

<IfModule mod_security.c>
  SecFilterEngine Off
  SecFilterScanPOST Off
</IfModule>

And yes this works. So maybe this should be described at:
http://docs.dojocampus.org/dojox/form/FileUploader

Change History (4)

comment:1 Changed 10 years ago by Mike Wilcox

Milestone: tbd → 1.4
Resolution: → fixed
Status: new → closed
Version: 1.3.2 → 1.4.0b

The docs have been updated. Thanks for bringing it to my attention and offering a fix (they are hard to come by in this case).

You should check out the docs though. I have a link to a page that says that this may be susceptible to SQL injection attacks.

comment:2 Changed 10 years ago by minobun

This is not only an https issue. It's also on simple http connections. It's a bug of the Adobe Flash player in conjunction with the web application firewall (modsecurity). If I understand that correctly, the flash player sends one "\n\r" instead, but the http protocol requires "\n\r\n\r". For modsecurity this is a rule break, so it delivers 403 rejected.

And yes, if you disable modsecurity, SQL injections can be done on all POST vars that are later processed by the database and not escaped within the application. So another, safer way - until Adobe fixes this problem and all flash players are updated - is the following, but it may not work on all servers:

<IfModule mod_security.c>
  SetEnvIfNoCase Content-Type "^multipart/form-data;" "MODSEC_NOPOSTBUFFERING=Do not buffer file uploads"
</IfModule>
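An added example, not from this ticket or the Dojo project: a small checker for the framing of a captured multipart/form-data body, so the mis-terminated upload that comment:2 attributes to the Flash player can be confirmed from a request capture before any WAF rule is loosened. The boundary "B", the field name "upload" and both sample bodies are constructed for the example; the malformed one simply uses the "\n\r" terminator the comment describes.

```python
CRLF = b"\r\n"

def check_multipart_framing(body: bytes, boundary: str) -> list:
    """Return [(offset, description), ...] for framing errors; an empty list means
    the delimiter lines and part headers are terminated with CRLF as HTTP requires."""
    delim = b"--" + boundary.encode("ascii")
    problems = []
    start = 0
    while True:
        i = body.find(delim, start)
        if i == -1:
            where = 0 if start == 0 else len(body)
            problems.append((where, "boundary delimiter missing"))
            return problems
        if i > 0 and body[i - 2:i] != CRLF:
            problems.append((i, "delimiter not preceded by CRLF: %r" % body[i - 2:i]))
        after = i + len(delim)
        if body[after:after + 2] == b"--":
            return problems          # closing delimiter reached
        if body[after:after + 2] != CRLF:
            problems.append((after, "delimiter not followed by CRLF: %r" % body[after:after + 2]))
        # Part headers end with an empty line, i.e. CRLF CRLF. Only the header
        # window is inspected, so bytes of the uploaded file are never misread.
        hdr = body[after + 2:after + 2 + 4096]
        good = hdr.find(CRLF + CRLF)
        bare = hdr.find(b"\n\n")
        if good == -1 or (bare != -1 and bare < good):
            problems.append((after + 2, "part headers not terminated by CRLF CRLF"))
            start = after + 2
        else:
            start = after + 2 + good + 4   # skip past the headers into the part body

def framing_ok(body: bytes, boundary: str) -> bool:
    return not check_multipart_framing(body, boundary)

# Constructed sample bodies (boundary "B"): one RFC-conformant, one rewritten with
# the "\n\r" terminator that comment:2 attributes to the Flash player.
GOOD_BODY = (b"--B\r\nContent-Disposition: form-data; name=\"upload\"; filename=\"a.txt\"\r\n"
             b"Content-Type: text/plain\r\n\r\nhello\r\n--B--\r\n")
BAD_BODY = GOOD_BODY.replace(b"\r\n", b"\n\r")

if __name__ == "__main__":
    for name, body in (("good", GOOD_BODY), ("bad", BAD_BODY)):
        print(name, check_multipart_framing(body, "B"))
```

Run against a body copied out of a packet capture, the report shows exactly which delimiter or header line is off, which is the evidence to bring to a targeted exemption rather than turning the engine off.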

comment:3 Changed 10 years ago by Mike Wilcox

Thanks for all the info minobun. I've updated the docs again.
