I have an administration page on a website, from which the admin AND THE ADMIN ONLY can manage users and upload files from local hard drive for these users to download. The admin uses this page to upload files for his customers or to store files he needs when he has no memory device available. The files size may vary from a few Kb to a lot of hundreds megabytes.
The ideal solution:
An HTML form through which the admin can choose a file and upload it, to download it back later. This can be done in PHP.
The problems:
I cannot set the "max_file_size" variable in php.ini because the hosting doesn't let me
I tried FTP upload (PHP function ftp_put()) but it requires me to upload the file with a POST anyway
Even though it's completely wrong, I used a input="text" instead of input="file" to write the whole file path and upload it, but I get the following error:
Warning: ftp_put(insert_local_file_path_here)[function.ftp-put]:
failed to open stream: No such file or directory in path_to_php_script.php on line 70
The insane thing is... on Monday this was working, and now it's not. No changes were done and the file is the same.
My only conclusion:
With my little knowledge, all I could think of is a Java applet which does the required tasks that opens on the administration page. But if someone disables javascript/has no Java installed, the thing will not work, so it's not 100% bulletproof.
Have you got any ideas how to overcome such an issue?
If you need to upload big files you must use ftp protocol to make it. You can't upload big files if you don't have acces to php.ini. Sad but true
Related
This is not a quick failure, I have spent a totally of 5 completely full days trying to figure this out. Initially I was limited by file size and then file type; in which I removed the Wordpress restrictions and am now "capable" of uploading my 177MB .glb file to Wordpress.
However when doing so, I receive the following error:
retriever.glb
Unexpected response from the server. The file may have been uploaded successfully. Check in the Media Library or reload the page.
I was on the phone with GoDaddy Specialists for 2.5 hours yesterday ensuring that this was not a Server issue or restriction on their side.. they confirmed that it was not. We pretty much ended the conversation that it is something I must figure out with me, myself, and I.
I went ahead and uploaded my .glb to the server through panel, everything worked fine. In fact I have a location for it here: https://www.tattiniboots.com/wp-content/uploads/2020/07/retriever.glb
However, this does not make the file discoverable to the 3D viewer plugins I have installed on the site through the media location.
I truly don't know where to go from here
I changed the name of the file to .png and attempted an upload and received the following error:
Post-processing of the image failed likely because the server is busy or does not have enough resources. Uploading a smaller image may help. Suggested maximum size is 2500 pixels.
I just tried to update a normal .mov file that is 150MB and received the following error; really making me think this is something to do with file size:
Unexpected response from the server. The file may have been uploaded successfully. Check in the Media Library or reload the page.
Yes, normal images are uploading just fine (2MB-ish)
I just attempted to deactivate all plugins with consideration that maybe "Smush" or another was imposing issues: I then received the issue that the file type is not supported (even with the allow all file types code in my wp-config)
Is this just the case that glb is not allowed at all?
This must be a server thing. probably a run time error
Whoever supported you just doesn't know it. GoGoDaddy. ;)
Nevertheless... you can Use a plugin that's called
media sync. Check it out and best of luck
I am using the
Storage::
to upload files into laravel. It works, i can successfully upload, store, delete, and edit files on the server. But the issue i am having is the weight of the file. Images upload easily, but if i try to upload a .zip with like 20MB it drops. I can see the numbers in the bottom of the browser going all the way to 23 then back to 0, up to like 10% then this pages comes up:
What is going on? I updated my PHP.INI to allow really large uploads... is Laravel got some restrictions? Does Nginx have its own set of permissions? What am i missing?
My application is keeping watch on a set of folders where users can upload files. When a file upload is finished I have to apply a treatment, but I don't know how to detect that a file has not finish to upload.
Any way to detect if a file is not released yet by the FTP server?
There's no generic solution to this problem.
Some FTP servers lock the file being uploaded, preventing you from accessing it, while the file is still being uploaded. For example IIS FTP server does that. Most other FTP servers do not. See my answer at Prevent file from being accessed as it's being uploaded.
There are some common workarounds to the problem (originally posted in SFTP file lock mechanism, but relevant for the FTP too):
You can have the client upload a "done" file once the upload finishes. Make your automated system wait for the "done" file to appear.
You can have a dedicated "upload" folder and have the client (atomically) move the uploaded file to a "done" folder. Make your automated system look to the "done" folder only.
Have a file naming convention for files being uploaded (".filepart") and have the client (atomically) rename the file after upload to its final name. Make your automated system ignore the ".filepart" files.
See (my) article Locking files while uploading / Upload to temporary file name for an example of implementing this approach.
Also, some FTP servers have this functionality built-in. For example ProFTPD with its HiddenStores directive.
A gross hack is to periodically check for file attributes (size and time) and consider the upload finished, if the attributes have not changed for some time interval.
You can also make use of the fact that some file formats have clear end-of-the-file marker (like XML or ZIP). So you know, that the file is incomplete.
Some FTP servers allow you to configure a hook to be called, when an upload is finished. You can make use of that. For example ProFTPD has a mod_exec module (see the ExecOnCommand directive).
I use ftputil to implement this work-around:
connect to ftp server
list all files of the directory
call stat() on each file
wait N seconds
For each file: call stat() again. If result is different, then skip this file, since it was modified during the last seconds.
If stat() result is not different, then download the file.
This whole ftp-fetching is old and obsolete technology. I hope that the customer will use a modern http API the next time :-)
If you are reading files of particular extensions, then use WINSCP for File Transfer. It will create a temporary file with extension .filepart and it will turn to the actual file extension once it fully transfer the file.
I hope, it will help someone.
This is a classic problem with FTP transfers. The only mostly reliable method I've found is to send a file, then send a second short "marker" file just to tell the recipient the transfer of the first is complete. You can use a file naming convention and just check for existence of the second file.
You might get fancy and make the content of the second file a checksum of the first file. Then you could verify the first file. (You don't have the problem with the second file because you just wait until file size = checksum size).
And of course this only works if you can get the sender to send a second file.
I'm reading about security stuff for PHP and my biggest concern now is the users file upload form. I've read a lot that some users may upload files that seems to be something else by changing the extension or even manipulating the header and the mimetype. I understand this.
But my question is how will this be an issue if I rename any uploaded file and move it to a directory that they do not know.
Please let me know if this will be enough or not, and if not, just give me some headline of what extra security checks should I perform
Thanks a lot
It really depends on what your online application is looking to achieve. If you wish to limit access directly to files which are uploaded, then you should set the folder permissions for the parent folder of the uploaded area to block user access. Then in your database you can record to path and only host the files through the http response. This will ensure that no files are accessed which could be potentially harmful, and also that users can still upload what they feel. As an extra step, you could add an erroneous file extension to each file while it is hosted and then remove it when it is served.
You might run an antivirus scan daemon in the background like avscand, configured. for scanning and moving infected files to a quarantaine directory. This ought to prevent delivering infected files later back to the people. Configure automatic virus database updating. A bit back that I did do such things, so investigate.
A simple renaming of the file name to one with safe characters should be sufficient; per user separated of course.
To have a more secure site the following needs to happen:
Due to the nature of security, this list will need be updated every so often.
Set the upload_max_filesize to something sensible
Install an Antivirus on the server
Set the upload_tmp_dir to something sensible, that the user may not access. See Setting PHP tmp dir - PHP upload not working
Have your form you upload files (which you already have done)
Your form handler should:
Run a file command to get the type of the data without executing it
Reject random files
The PHP interpreter will validate the file size
Run the virus scanner on the file
Do a file rename to ensure the filename is clean (if you need to reference things, it is convenient to rename the file to the primary key of your attachments table)
Move the file to a location that isn't accessible by the client (but move it, so if a later upload comes in with the same name nothing happens)
When you move the files, ensure they don't have execute permissions
I have to check the Content of a zip/rar file before uploading to the server.
Let me explain the scenario.
There are 2 types of users in my web project:
1: Normal Registered user
2: Administrator of the Project
Any Registered user can Create Pages on our Project,also they can create Themes For Pages.
Here one of us suggested a feature that to upload the Theme as theme pack [Compressed in Zip/Rar File].
If it is a Administrator then it is ok,there is no more security constraints.
But i am afraid in the case of Normal Registered Users.
My Problems are :
Assume that a Registered User uploading a theme pack that contains some malicious Files [Including PHP file] that may hurt the system.
I know that it is posible to check the Contents after upload,but what will happen if the use executed the File before that?
Ex : a user uploading a theme pack : contains some PHP codes & other large files,First our system will extract the content of the Theme Pack: Assume that the extraction of large files takes some time,and the smaller PHP file already extracted.So that the user can RUN the PHP file First.
The above one is my noob soubt,Actually i dont know other sides.
Please help me to figure out this problem.
Is it possible to upload the ZIP file in a secure manner ?
You won't be able to check this client side unless, of course, you had some kind of plugin (for all browsers) that did the checking/uploading for you. You'll have to handle this on the server side.
Also, Admins can upload viruses just as easily as non-admins. Some user's don't even know their machine has more viruses than a shanty-town brothel.
EDIT: Also, how is the user going to execute their PHP file on your server before you've checked it unless you run that php file? This sounds like a recipe for disaster anyway. All it will take is for something to slip through the cracks and a malicious user will destroy your site. Allowing normal people to upload executable script to your server is asking for serious trouble.
Unpack it in directory, which can't be reached through the web, check, then move back to web-folder, where it should be.
Assuming that you have your website in directory /var/www/website and user content goes to /var/www/website/user and is reachable through www.website.com/user/ :
Create temporary dir in /tmp unpack there, check, move to /var/www/website/user
If you don't have access to /tmp, you can create /var/www/website/tmp and prohibit access to it using your server settings
you can create a folder for putting the zip file and unzip.
and disable the php execute for the folder. that can solve your problem