#10306 closed enhancement (fixed)
dojox.form.FileUploader (flash) doesnt work with some server configuration
| Reported by: | minobun | Owned by: | dante |
|---|---|---|---|
| Priority: | high | Milestone: | 1.4 |
| Component: | DojoX Form | Version: | 1.4.0b |
| Keywords: | flash, uploader, htaccess, documentation, security | Cc: | |
| Blocked By: | Blocking: |
Description
On some servers the flash upload fails with http status 403. I dont know the right reason for this. My provider wispered me that the only solution this time is a .htaccess file with the enty:
<IfModule mod_security.c> SecFilterEngine Off SecFilterScanPOST Off </IfModule>
And yes this works. So maybe this should be described at:
http://docs.dojocampus.org/dojox/form/FileUploader
Change History (4)
comment:1 Changed 12 years ago by
| Milestone: | tbd → 1.4 |
|---|---|
| Resolution: | → fixed |
| Status: | new → closed |
| Version: | 1.3.2 → 1.4.0b |
comment:2 Changed 12 years ago by
This is not only a https issue. It's also on simple http connections. Ist a bug of adobe flash player in conjunction with the web application firewall (modsecurity). If i understand that correctly the flash player sends one "\n\r" instead but the http protocol requires "\n\r\n\r". For modsecutiry this is a rule break so it delivers 403 rejected.
And yes if you disable modsecurity sql injections can be done on all post vars that are later processed by the database an not escaped within the application. So another safer way - until adobe fixed this problem and all flash players are updated - is the following but may not work on all servers:
<IfModule mod_security.c> SetEnvIfNoCase Content-Type "^multipart/form-data;" "MODSEC_NOPOSTBUFFERING=Do not buffer file uploads" </IfModule>
The docs have been updated. Thanks for bringing it t0 my attention and offering a fix (they are hard to come by in this case).
You should check out the docs though. I have a link to a page that says that this may be susceptible to SQL injection attacks.