Uploading files fails

[exmethix]

Hello everybody,

First let me thank you very much for this great simple CMS! I just love it.

Anyway i have a problem:

(using latest 1.71)

When i try to upload a file nothing happens. It does not appear in the files section.
The backend gives me a link, but this does end in an internal Server Error.

I found this in the logs:

Code:

[Thu Nov 12 14:58:25 2009] [alert] [client 87.143.154.238] /var/kunden/webs/webname/data/.htaccess: order not allowed here

[Thu Nov 12 14:59:13 2009] [alert] [client 87.143.154.238] /var/kunden/webs/webname/data/uploads/.htaccess: allow not allowed here

Here my .htaccess files:

data/.htaccess:

Code:

Deny from all

data/uploads/.htaccess:

Code:

Allow from all

<Files *.xls>
ForceType applicaton/octet-stream
</Files>

<Files *.csv>
ForceType applicaton/octet-stream
</Files>

For sure, i tried changing to Allow, fileendings and so on... but same problem.

Do you have any suggestions about that?
I mean it is a default install (shouldn't that work?)

Could it have something to to with OpenBasedir or PHP Safemode (both enabled)?

[ccagle8]

It could.... but i know that I don't have the upload error on any of my installs.

[GetSimple.RU]

I can't upload any image too
I can browse for file but there is no SUBMIT button below BROWSE form
Using latest 1.71

[andyso66]

and I am the next one who can't upload images with 1.71.

PHP 5.2.0-8+etch10, Apache 2.2.0

[Zegnåt]

I already contacted Chris about this before (Email sent: Nov 7, 2009 8:00 AM).
It seems to again be a problem with certain servers only. Could everyone post back with what server environment they are using?

I'm running WampServer Version 2.0
Apache 2.2.11
PHP 5.2.8

Don't seem to have upload problems with GS 1.7

[exmethix]

I am using up-to-date Debian Etch.

Apache 2.2.3-4+etch10
PHP 5.2.0+dfsg-8+etch15
MySQL 5.0.32-7etch11

[ccagle8]

@GetSimple.RU - there is no submit button - it uploads successfully, and by the looks of the screenshot - it loaded just fine

@Everyone else - 1.71 upload problems were caused by the "fix" that i put in place to stop an Uploadify ajax vulnerability. I basically put in code so that that the back-end ajax file couldn't be called directly. Look at the top of inc/upload-ajax.php to see what I mean. If anyone has a better idea I would be more than happy to implement it.

[Zegnåt]

If anyone has a better idea I would be more than happy to implement it.

Wouldn't it be possible to check whether the user has an authenticated admin session? That way external calls to the AJAX would be blocked as those people are not logged in to GetSimple when using it.

Haven't looked into administrator session on the GetSimple source yet, if I find time this week I will. I think that will solve everything as every server would support it (otherwise you wouldn't be logged in to the administration interface in the first place).

[exmethix]

I vote for something like this!

Okay i mean non working upload function is not that bad (can upload and set myself) but if it would be fixed in a future release i would be happy about that!

[ccagle8]

I did try that originally but i had problems with absolute/relative paths.

I need to find out how to use DEFINE() to set a global variable that always gives me the same (and correct path). If you look thru a lot of the code, I am constantly doing things like '../../data' -- always trying to keep things with a relative path. This works if you always use the file the same way, but as soon as you try to include one script into another script in a different folder, the '../../' (relative paths) no longer point to the correct place. uugghh

I have no idea if that makes sense to anyone... hopefully it does and then someone can point me to the right direction I need to go...

[GetSimple.RU]

@GetSimple.RU - there is no submit button - it uploads successfully, and by the looks of the screenshot - it loaded just fine

It shows but there is no uploaded file

[Zegnåt]

I have no idea if that makes sense to anyone... hopefully it does and then someone can point me to the right direction I need to go...

The problem made sense to me, don't know how much help that is as I am a front-end developer and can't say how you could go with the DEFINE().

I'll be taking a look into this myself for a bit. Might I actually figure out something I'll be sure to report back.

[Pogodo]

@GetSimple.RU - there is no submit button - it uploads successfully, and by the looks of the screenshot - it loaded just fine

It shows but there is no uploaded file

I confirm this problem. Upload does not work with my Firefox (3.0.15 Ubuntu) but it works when I disable Flash, or with a browser without Flash. So there must be a problem with uploadify.
My suggestion would be to remove this script, to get GetSimple simpler (-;

[Zegnåt]

But it works when I disable Flash, or with a browser without Flash. So there must be a problem with uploadify.

The problem is probably still the same, I guess this fallback method does not use AJAX?

[Pogodo]

Yes, AJAX is not simple at all, and I would expect GetSimple to get simple not only for users but also for developers... and also to simply work in all browsers! (I've just discovered IE6 is not supported, I don't use IE, but I suppose some people do.)

[PRAG]

First, GetSimple is really very attractive and smart CMS. I want to congratulate and thank its creator! It was perfect for one of my projects - www.mamula.co.cc

Second, unfortunately I have exactly the same problem with file uplouds and therefore strongly hope that this problem can be overcome.

GetSimple is COOL and SMART! Good luck!

[Head]

I did try that originally but i had problems with absolute/relative paths.

I need to find out how to use DEFINE() to set a global variable that always gives me the same (and correct path). If you look thru a lot of the code, I am constantly doing things like '../../data' -- always trying to keep things with a relative path. This works if you always use the file the same way, but as soon as you try to include one script into another script in a different folder, the '../../' (relative paths) no longer point to the correct place. uugghh

I have no idea if that makes sense to anyone... hopefully it does and then someone can point me to the right direction I need to go...

hi!

i think this an architecture problem... try to find out the depth or your current path from document root (works under windows as well):

Code:

function getDepth() {
    $doc_root = substr($_SERVER['DOCUMENT_ROOT'], -1) == DIRECTORY_SEPARATOR ? substr($_SERVER['DOCUMENT_ROOT'], 0, -1) : $_SERVER['DOCUMENT_ROOT'];
    if ($current != $doc_root) {
        $depth = count(explode(DIRECTORY_SEPARATOR, str_replace($doc_root, '', $current))) - 1;
    }
    return isset($depth) ? str_repeat('..' . DIRECTORY_SEPARATOR, $depth) : '';
}

for a "clean" document root you can set a global constant like this:

Code:

define('DOCROOT', substr($_SERVER['DOCUMENT_ROOT'], -1) == DIRECTORY_SEPARATOR ? substr($_SERVER['DOCUMENT_ROOT'], 0, -1) : $_SERVER['DOCUMENT_ROOT']);

another suggestion: upgrade to newest uploadify

[ccagle8]

@head - i will have to try this... if this works, it will solve a ton of small issues with GS... Thanks so much for this!!

[thkro]

I can't upload any image. no "SUBMIT" button to upload image.
Using latest 1.71, MAMP 1.72, PHP 4.4.8 & 5.2.6, Apache 2.0.59.

Also tried on another server but had no luck.

[Zegnåt]

thkro, there is no submit button. You just use browse and it will directly start uploading. The problem now is just that it will (on most servers) not upload anything due to a security error.

[internet54]

Yes, this does need to be fixed before I can role it out to my clients as well.
Also, I need blog capabilities. I hope no one is ashamed that I am creating a blogging platform for GS to incorporate.

[Zegnåt]

Yes, this does need to be fixed before I can role it out to my clients as well.

You could roll out the normal 1.7 version, with some fixes, and simply block execution of PHP in the uploads folder. For most clients this shouldn’t give any problems and it will fix the main security problem of infiltration.

I hope no one is ashamed that I am creating a blogging platform for GS to incorporate.

Probably not, but as GS 2 is said to have some better extensibility possibilities it might be better to wait? I myself am hoping for an easier way to put stuff in the admin panel.

[internet54]

For the file upload issue, it is this code that breaks it.

Code:

if (basename($_SERVER['PHP_SELF']) == 'upload-ajax.php') {
    die('You cannot load this page directly.');
}

I can delete that code and replace it with a .htaccess file restriction and it works like a charm.
The problem with that is that newbies would have an issue trying to figure it out.

[ccagle8]

whats the .htaccess file restriction you put in place?

[internet54]

<files upload-ajax.phpl>
Order allow,deny
allow from 111.222.333.444
</files>