
Textpattern CMS support forum


#1 2006-05-22 01:29:48

net-carver
Archived Plugin Author
Registered: 2006-03-08
Posts: 1,648

[plugin] [ORPHAN] sed_anon_file_upload

sed anon file upload

Status: v0.7 Finished and ready for Beta Testers June 21st, 2006

This project was undertaken as the first match made on the new plugin requests thread, following posts by mrdale and by colak.

Needs beta testers.

If you want to test out this plugin, please send me an email via my website’s contact page and I will contact you via return email.

Summary

Here are the major features of this plugin.

  • Administrators/designers can embed a fixed format form in their site.
  • Allows anonymous user uploads with description and optional category for the file uploaded.
  • Optional password requirement.
  • Email notification to the site administrators.
  • Optional moderation of uploads allowing review, edit, reject or acceptance of uploaded files.
  • Language localisation.
  • Customisable thank-you form/notice or redirect to url on successful upload.

Warning

This plugin, whilst wanted and useful, has the potential to allow your site to be abused.

So far I anticipate these potential dangers in use…

  1. Anonymous uploads, if un-moderated, could be used to turn your site into a repository for illegal files.
     This plugin allows you to moderate uploads or it can operate without moderation. In either case, you will need to take steps to secure the uploads to prevent your site from abuse. I recommend turning off indexing in your .htaccess file to stop people just going to the files directory and taking what they want.
  2. Huge file uploads could cause trouble for your (or your client’s) relationship with your hosting provider.
     If people start uploading huge media then that eats into your bandwidth and disk quota.
     If someone automated the upload of a number of huge files to your site then this could form the basis for a DOS attack.

Any feedback on these and any work-arounds would be most welcome.

Presently the plugin provides these features to help mitigate the threats…

  • Files are checked against list of permitted types and maximum sizes.
  • Uses nonce checking.
  • Checks category vs acceptable values.
  • Scans description field for possible injection attacks.
  • Provides a simple password mechanism if you want it.
  • Emails a summary to a designated party. (Could be extended—see below)
  • Checks the uploading IP address and rejects if it is blacklisted or you have banned comments from that IP.
  • Moderation is on by default, so files will not be in the TXP file system until the moderator accepts them. Note: you still need to secure the moderation directory.

Possible Additional Features…

  • Optionally, include the submitted file as an attachment to the summary email. Too risky.
  • Customisable form layout.
  • Include the moderation options in the summary email to ease the moderator’s workflow.
  • Move critical attributes to the TXP prefs table.

Last edited by net-carver (2006-08-29 03:04:49)


Steve


#2 2006-05-22 05:44:53

colak
Admin
From: Cyprus
Registered: 2004-11-20
Posts: 9,007

Re: [plugin] [ORPHAN] sed_anon_file_upload

net-carver wrote:

  • v0.4 Add form customisation

Hi steve… this is what I’m most interested in :) Can you please expand on what the plans might be?

Also, should you wish me to send you the form I mentioned here (http://forum.textpattern.com/viewtopic.php?pid=111822#p111822), for reference, please do let me know.


Yiannis
——————————
NeMe | hblack.art | EMAP | A Sea change | Toolkit of Care
I do my best editing after I click on the submit button.


#3 2006-05-22 06:51:32

net-carver
Archived Plugin Author
Registered: 2006-03-08
Posts: 1,648

Re: [plugin] [ORPHAN] sed_anon_file_upload

colak wrote:

Hi steve… this is what I’m most interested in:) Can you please expand on what the plans might be?

Nothing really planned yet, that’s what this thread is for :O)

However, my initial thoughts were to have the plugin be able to use a TXP form for defining the layout of the xhtml form, the same way that the xhtml comments for TXP articles can be controlled using the TXP form called comment_form or zem_contact_reborn can be controlled either via a set of nested child tags or a TXP form. That would need some extra tags for controlling how the form is generated in a page.

For Dale’s initial request it didn’t sound like he needed much more than you get in the TXP Admin interface already—simple browse button to allow selection of file from local drive, an upload button next to it plus an input/textarea for description and an (freeform?) input for a category.

Also, should you wish me to send you the form I mentioned here (http://forum.textpattern.com/viewtopic.php?pid=111822#p111822), for reference, please do let me know.

Yeah, I would be interested in getting a look at that (it’s a nice example), I take it that it’s running on TXP as well?

Have you a contact form on one of your sites so I can mail you and you can pick up my email address that way?


Steve


#4 2006-05-22 13:24:01

net-carver
Archived Plugin Author
Registered: 2006-03-08
Posts: 1,648

Re: [plugin] [ORPHAN] sed_anon_file_upload

Dale:

I just want to clear up how you want the category field to work.

First of all, it’s to be optional. That’s fine. Second, it can have a default value set through an attribute to the anon_upload tag. That’s fine too. But, even if a default value is set, are you looking for a freeform text input or a select box populated with all the categories pulled from the DB? Or should you, the site designer, be able to specify a selection of available categories?

If it’s free form, that’s very easy to implement but what happens if the site visitor enters a non-existent cat? On the other hand do you want them to be able to upload under any file category? Hmm.

What do you need?


Steve


#5 2006-05-22 16:59:49

mrdale
Member
From: Walla Walla
Registered: 2004-11-19
Posts: 2,215

Re: [plugin] [ORPHAN] sed_anon_file_upload

Categories
I think that the categories should be a drop-down select generated from a subset of the file categories in the database.

Possible Attributes
  • showCat=“1|0” would toggle the display of the category drop-down.
  • noShow=“myUnwantedCategory1,myUnwantedCategory2”
  • autoCat=“myCategory” would provide a single category that is automatically assigned to the upload.
  • mailUser=“UserNumber” email an admin user with a notification that a file has been uploaded.

Cool!


#6 2006-05-23 06:32:15

colak
Admin
From: Cyprus
Registered: 2004-11-20
Posts: 9,007

Re: [plugin] [ORPHAN] sed_anon_file_upload

net-carver wrote:

Yeah, I would be interested in getting a look at that (it’s a nice example), I take it that it’s running on TXP as well?

Hi steve… NO, unfortunately the form is not in txp. I just could not integrate it. I would nevertheless be very happy to send it to you.

Have you a contact form on one of your sites so I can mail you and you can pick up my email address that way?

You can get in touch with me at neme.org (no contact form, but comments are moderated, so once I have your address I’ll send you the form).
Alternatively I can click your email given in this forum if you prefer…


Yiannis
——————————
NeMe | hblack.art | EMAP | A Sea change | Toolkit of Care
I do my best editing after I click on the submit button.


#7 2006-05-23 16:18:17

net-carver
Archived Plugin Author
Registered: 2006-03-08
Posts: 1,648

Re: [plugin] [ORPHAN] sed_anon_file_upload

bump: Updated the top of the thread with progress report and potential security concerns arising from the use of this plugin.


Steve


#8 2006-05-23 17:17:38

maniqui
Member
From: Buenos Aires, Argentina
Registered: 2004-10-10
Posts: 3,070

Re: [plugin] [ORPHAN] sed_anon_file_upload

net-carver wrote:

Any feedback on these and any work-arounds would be most welcome.

Hi. Maybe filtering uploads by extension and size could help to have more control.

Example: a list of allowed (zip, jpg, gif, pdf, doc, etc) and not-allowed (exe, bat, pif, com, mpg, mp3) extensions.

Maybe also a size limit per-extension. 5 MB for mp3s, 1 mega for .doc, 5 MB for PDFs… etc.


La música ideas portará y siempre continuará

TXP Builders – finely-crafted code, design and txp


#9 2006-05-24 04:42:19

net-carver
Archived Plugin Author
Registered: 2006-03-08
Posts: 1,648

Re: [plugin] [ORPHAN] sed_anon_file_upload

maniqui wrote:

Hi. Maybe filtering uploads by extension and size could help to have more control.
Example: a list of allowed (zip, jpg, gif, pdf, doc, etc) and not-allowed (exe, bat, pif, com, mpg, mp3) extensions.
Maybe also a size limit per-extension. 5 MB for mp3s, 1 mega for .doc, 5 MB for PDFs… etc.

Hello maniqui,

Thanks for the feedback. That sounds like a good idea, and pretty simple to implement too. It might help mitigate some of the potential for misusing the upload feature but wouldn’t eliminate it.

I’ve worked with allow+disallow lists for access control before for a client. We found that the mixture of the two together doesn’t work well in the field because there is no defined behaviour for file types that fall outside of both lists! Different users would assume something about it and then get confused when that expectation wasn’t met. The solution was easy: use only an allow or a disallow list, not a combination of the two. If you only have an allow list then anything not in it is rejected. If you only have a disallow list then anything not on it is accepted. No grey areas.

Authentication of the file extension (that is, checking that a file named report.pdf actually is a .pdf and not some horrible .jpg) is another idea but much harder to accomplish. Anyone know if there is any server side php/cgi that does this?

Thanks,

Last edited by net-carver (2006-05-24 05:10:28)


Steve


#10 2006-06-21 09:49:42

net-carver
Archived Plugin Author
Registered: 2006-03-08
Posts: 1,648

Re: [plugin] [ORPHAN] sed_anon_file_upload

v0.7 is available and looking for beta testers (see top post of this thread).

If you would like to test this plugin and give me feedback please send me an email via the contact form on my website and I will contact you by return email.

Thank you.

Last edited by net-carver (2006-08-29 03:05:59)


Steve


#11 2006-09-01 02:31:54

net-carver
Archived Plugin Author
Registered: 2006-03-08
Posts: 1,648

Re: [plugin] [ORPHAN] sed_anon_file_upload

FYI, I intend to release v0.8 shortly after the release of TxP 4.0.4.

0.8 will also patch a potential security risk. However, you can patch it manually in your v0.7 installations as follows…

  1. Edit the plugin.
  2. Scroll down until you see the start of the _get_afu_state_data() routine…
  3. Look for these lines in that function…
    // ---- Data from the form...
    $d['permissions'] = 0755;
  4. Change 0755 to 0644. This removes execution privileges from uploaded files.
  5. Make sure you save the change.

I became aware of this after switching to linux on my desktop and then spotting this post by Ruud in the testing forum…


Steve
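The thread raises three separate checks: an allow list with per-extension size caps (posts #8 and #9), verifying that a file's content matches its claimed extension (the question at the end of post #9), and storing accepted files without execute bits (the 0755 to 0644 change in post #11). The following PHP is an added example written for this page; it is not code from sed_anon_file_upload or from its author. The `afu_*` function names, the allow list, the size caps and the signature table are assumptions made for illustration, and the content check uses PHP's fileinfo extension (bundled since PHP 5.3) as a second opinion after a direct comparison of leading bytes.

```php
<?php
// Added example, not the plugin's code. Validates an anonymous upload with a
// single allow list, per-extension size caps and a content check, then stores
// it with mode 0644 so it is never executable.

// One allow list only, as the discussion in post #9 recommends: an extension
// that is not a key here is rejected, so there is no "on neither list" grey
// area. Values are per-extension size caps in bytes (constructed limits).
const AFU_ALLOWED = [
    'pdf' => 5 * 1024 * 1024,
    'jpg' => 2 * 1024 * 1024,
    'gif' => 1 * 1024 * 1024,
    'zip' => 5 * 1024 * 1024,
];

// Leading bytes each permitted type starts with, and the MIME type fileinfo
// reports for it. The visitor chose the filename, so the extension alone
// proves nothing about the content.
const AFU_MAGIC = [
    'pdf' => ['sigs' => ["%PDF-"],            'mime' => 'application/pdf'],
    'jpg' => ['sigs' => ["\xFF\xD8\xFF"],     'mime' => 'image/jpeg'],
    'gif' => ['sigs' => ["GIF87a", "GIF89a"], 'mime' => 'image/gif'],
    'zip' => ['sigs' => ["PK\x03\x04"],       'mime' => 'application/zip'],
];

// Returns null when the upload is acceptable, otherwise the reason it was rejected.
function afu_check_upload(string $clientName, string $tmpPath, int $size): ?string
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if ($ext === '' || !array_key_exists($ext, AFU_ALLOWED)) {
        return "extension '$ext' is not on the allow list";
    }
    if ($size <= 0 || $size > AFU_ALLOWED[$ext]) {
        return "size $size exceeds the limit for .$ext";
    }

    // Compare the first bytes of the file with the signatures for this type.
    $head = (string) file_get_contents($tmpPath, false, null, 0, 16);
    $matched = false;
    foreach (AFU_MAGIC[$ext]['sigs'] as $sig) {
        if (strncmp($head, $sig, strlen($sig)) === 0) {
            $matched = true;
            break;
        }
    }
    if (!$matched) {
        return "content does not start like a .$ext file";
    }

    // Second opinion from libmagic through the fileinfo extension, when loaded.
    if (extension_loaded('fileinfo')) {
        $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
        if ($mime !== AFU_MAGIC[$ext]['mime']) {
            return "fileinfo reports '$mime', expected " . AFU_MAGIC[$ext]['mime'];
        }
    }
    return null;
}

// Stores an accepted file under a server-chosen name with mode 0644 (the
// permission post #11 recommends in place of 0755) and verifies the result,
// so the visitor's filename never reaches the disk and no execute bit survives.
function afu_store(string $tmpPath, string $destDir, string $ext): string
{
    $dest = $destDir . '/' . bin2hex(random_bytes(8)) . '.' . $ext;
    // Inside a real request handler use move_uploaded_file(); rename() lets
    // this demo run on a constructed file.
    if (!rename($tmpPath, $dest)) {
        throw new RuntimeException('could not store upload');
    }
    chmod($dest, 0644);
    clearstatcache(true, $dest);
    if (is_executable($dest)) {
        unlink($dest);
        throw new RuntimeException('stored file was unexpectedly executable');
    }
    return $dest;
}

// Demo on constructed files (run with: php this_file.php).
$good = tempnam(sys_get_temp_dir(), 'afu');
file_put_contents($good, "%PDF-1.4\n% constructed sample, not a real document\n");
var_dump(afu_check_upload('report.pdf', $good, filesize($good)));   // .pdf name, PDF content
$stored = afu_store($good, sys_get_temp_dir(), 'pdf');
var_dump(substr(sprintf('%o', fileperms($stored)), -4));           // mode of the stored file
unlink($stored);

$bad = tempnam(sys_get_temp_dir(), 'afu');
file_put_contents($bad, "plain text carrying a .pdf name\n");
var_dump(afu_check_upload('report.pdf', $bad, filesize($bad)));     // .pdf name, text content
var_dump(afu_check_upload('notes.exe', $bad, filesize($bad)));      // extension not on the allow list
unlink($bad);
```

Two points of design worth noting. The size cap is taken from the server-side size of the temporary file, not from anything the client declares, and the allow list is consulted before the file is read at all, so an unexpected type costs nothing more than a lookup. The permission check after `chmod()` is deliberate: a mode of 0644 is the fix described in post #11, and verifying `is_executable()` after the fact catches a filesystem or umask surprise rather than trusting that the call had the intended effect.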


#12 2006-10-25 02:40:30

soulship
Member
From: Always Sunny Charleston
Registered: 2004-04-30
Posts: 669

Re: [plugin] [ORPHAN] sed_anon_file_upload

Does 4.0.4 require any other code adjustments for security on this, Steve? I made the other changes when you posted the info.

Thanks!
