Textpattern CMS support forum
#1 2006-05-22 01:29:48
- net-carver
- Archived Plugin Author
- Registered: 2006-03-08
- Posts: 1,648
[plugin] [ORPHAN] sed_anon_file_upload
sed anon file upload
Status: v0.7 Finished and ready for Beta Testers June 21st, 2006
This project was undertaken as the first match made on the new plugin requests thread following posts by mrdale and by colak.
Needs beta testers.
If you want to test out this plugin, please send me an email via my website’s contact page and I will contact you via return email.
Summary
Here are the major features of this plugin.
- Administrators/designers can embed a fixed format form in their site.
- Allows anonymous user uploads with description and optional category for the file uploaded.
- Optional password requirement.
- Email notification to the site administrators.
- Optional moderation of uploads allowing review, edit, reject or acceptance of uploaded files.
- Language localisation.
- Customisable thank-you form/notice or redirect to url on successful upload.
Warning
This plugin, whilst wanted and useful, has the potential to allow your site to be abused.
So far I anticipate these potential dangers in use…
- Anonymous uploads, if un-moderated, could be used to turn your site into a repository for illegal files. This plugin allows you to moderate uploads or it can operate without moderation. In either case, you will need to take steps to secure the uploads to prevent your site from abuse. I recommend turning off indexing in your .htaccess file to stop people just going to the files directory and taking what they want.
- Huge file uploads could cause trouble for your (or your client’s) relationship with your hosting provider. If people start uploading huge media then that eats into your bandwidth and disk quota. If someone automated the upload of a number of huge files to your site then this could form the basis for a DOS attack.
Any feedback on these and any work-arounds would be most welcome.
Presently the plugin provides these features to help mitigate the threats…
- Files are checked against list of permitted types and maximum sizes.
- Uses nonce checking.
- Checks category vs acceptable values.
- Scans description field for possible injection attacks.
- Provides a simple password mechanism if you want it.
- Emails a summary to a designated party. (Could be extended—see below)
- Checks the uploading IP address and rejects if it is blacklisted or you have banned comments from that IP.
- Moderation is on by default, so files will not be in the TXP file system until the moderator accepts them. Note: you still need to secure the moderation directory.
Possible Additional Features…
- Optionally, include the submitted file as an attachment to the summary email. Too risky.
- Customisable form layout.
- Include the moderation options in the summary email to ease the moderator’s workflow.
- Move critical attributes to the TXP prefs table.
Last edited by net-carver (2006-08-29 03:04:49)
— Steve
Re: [plugin] [ORPHAN] sed_anon_file_upload
net-carver wrote:
- v0.4 Add form customisation
Hi steve… this is what I’m most interested in :) Can you please expand on what the plans might be?
Also should you wish me to send you the form I mentioned here (http://forum.textpattern.com/viewtopic.php?pid=111822#p111822), for reference, please do let me know.
Yiannis
——————————
NeMe | hblack.art | EMAP | A Sea change | Toolkit of Care
I do my best editing after I click on the submit button.
#3 2006-05-22 06:51:32
- net-carver
- Archived Plugin Author
- Registered: 2006-03-08
- Posts: 1,648
Re: [plugin] [ORPHAN] sed_anon_file_upload
colak wrote:
Hi steve… this is what I’m most interested in:) Can you please expand on what the plans might be?
Nothing really planned yet, that’s what this thread is for :O)
However, my initial thoughts were to have the plugin be able to use a TXP form for defining the layout of the xhtml form, the same way that the xhtml comments for TXP articles can be controlled using the TXP form called comment_form or zem_contact_reborn can be controlled either via a set of nested child tags or a TXP form. That would need some extra tags for controlling how the form is generated in a page.
For Dale’s initial request it didn’t sound like he needed much more than you get in the TXP Admin interface already—simple browse button to allow selection of file from local drive, an upload button next to it plus an input/textarea for description and an (freeform?) input for a category.
Also should you wish me to send you the form I mentioned here (http://forum.textpattern.com/viewtopic.php?pid=111822#p111822), for reference, please do let me know.
Yeah, I would be interested in getting a look at that (it’s a nice example), I take it that it’s running on TXP as well?
Have you a contact form on one of your sites so I can mail you and you can pick up my email address that way?
— Steve
#4 2006-05-22 13:24:01
- net-carver
- Archived Plugin Author
- Registered: 2006-03-08
- Posts: 1,648
Re: [plugin] [ORPHAN] sed_anon_file_upload
Dale:
just want to clear up how you want the category field to work.
First of all, it’s to be optional. That’s fine. Second, it can have a default value set through an attribute to the anon_upload tag. That’s fine too. But, even if a default value is set, are you looking for a freeform text input or a select box populated with all the categories pulled from the DB? Or should you, the site designer be able to specify a selection of available categories?
If it’s free form, that’s very easy to implement but what happens if the site visitor enters a non-existent cat? On the other hand do you want them to be able to upload under any file category? Hmm.
What do you need?
— Steve
Re: [plugin] [ORPHAN] sed_anon_file_upload
Categories
I think that the categories should be a drop-down select generated from a subset of the file categories in the database.
- showCat="1|0" would toggle the display of the category drop-down.
- noShow="myUnwantedCategory1,myUnwantedCategory2"
- autoCat="myCategory" would provide a single category that is automatically assigned to the upload.
- mailUser="UserNumber" email an admin user with a notification that a file has been uploaded.
Cool!
Re: [plugin] [ORPHAN] sed_anon_file_upload
net-carver wrote:
Yeah, I would be interested in getting a look at that (it’s a nice example), I take it that it’s running on TXP as well?
Hi steve… NO, unfortunately the form is not in txp. I just could not integrate it. I would nevertheless be very happy to send it to you.
Have you a contact form on one of your sites so I can mail you and you can pick up my email address that way?
You can get in touch with me in neme.org (no contact form but comments are moderated so once I have your address I’ll send you the form.)
Alternatively I can click your email given in this forum if you prefer…
Yiannis
#7 2006-05-23 16:18:17
- net-carver
- Archived Plugin Author
- Registered: 2006-03-08
- Posts: 1,648
Re: [plugin] [ORPHAN] sed_anon_file_upload
bump: Updated the top of the thread with progress report and potential security concerns arising from the use of this plugin.
— Steve
Re: [plugin] [ORPHAN] sed_anon_file_upload
net-carver wrote:
Any feedback on these and any work-arounds would be most welcome.
Hi. Maybe filtering uploads by extension and size could help to have more control.
Example: a list of allowed (zip, jpg, gif, pdf, doc, etc) and not-allowed (exe, bat, pif, com, mpg, mp3) extensions.
Maybe also a size limit per-extension. 5 MB for mp3s, 1 mega for .doc, 5 MB for PDFs… etc.
#9 2006-05-24 04:42:19
- net-carver
- Archived Plugin Author
- Registered: 2006-03-08
- Posts: 1,648
Re: [plugin] [ORPHAN] sed_anon_file_upload
maniqui wrote:
Hi. Maybe filtering uploads by extension and size could help to have more control.
Example: a list of allowed (zip, jpg, gif, pdf, doc, etc) and not-allowed (exe, bat, pif, com, mpg, mp3) extensions.
Maybe also a size limit per-extension. 5 MB for mp3s, 1 mega for .doc, 5 MB for PDFs… etc.
Hello maniqui,
thanks for the feedback. That sounds like a good idea, and pretty simple to implement too. It might help mitigate some of the potential for misusing the upload feature but wouldn’t eliminate it.
I’ve worked with allow+disallow lists for access control before for a client. We found that the mixture of the two together doesn’t work well in the field because there is no defined behaviour for file types that fall outside of both lists! Different users would assume something about it and then get confused when that expectation wasn’t met. The solution was easy: use only an allow or a disallow list, not a combination of the two. If you only have an allow list then anything not in it is rejected. If you only have a disallow list then anything not on it is accepted. No grey areas.
Authentication of the file extension (that is, checking that a file named report.pdf actually is a .pdf and not some horrible .jpg) is another idea but much harder to accomplish. Anyone know if there is any server side php/cgi that does this?
Thanks,
Last edited by net-carver (2006-05-24 05:10:28)
— Steve
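The three ideas in the exchange above (a single allow list with no grey area, a size limit per extension, and "authenticating" the extension against the file content) can be combined in one check. This is an added PHP example, not code from sed_anon_file_upload; the function names, the $afu_allowed table, its size limits and the test inputs are assumptions.

```php
<?php
// Added example, not the plugin's code. Allow list only: anything not listed is
// rejected, so there is no grey area. Sizes in bytes; values are constructed.
$afu_allowed = array(
    'pdf' => array('max' => 5 * 1024 * 1024, 'magic' => array("%PDF-")),
    'jpg' => array('max' => 2 * 1024 * 1024, 'magic' => array("\xFF\xD8\xFF")),
    'gif' => array('max' => 1 * 1024 * 1024, 'magic' => array("GIF87a", "GIF89a")),
    'zip' => array('max' => 5 * 1024 * 1024, 'magic' => array("PK\x03\x04")),
);

// Returns an error string, or '' when the file passes; $head is the file's first bytes.
function afu_check_upload($name, $size, $head, $allowed)
{
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        return "extension '$ext' is not on the allow list";
    }
    if ($size > $allowed[$ext]['max']) {
        return "file exceeds the {$allowed[$ext]['max']} byte limit for .$ext";
    }
    // Authenticate the extension: the leading bytes must match a signature
    // for the claimed type, so a JPEG named report.pdf is refused.
    foreach ($allowed[$ext]['magic'] as $sig) {
        if (strncmp($head, $sig, strlen($sig)) === 0) {
            return '';
        }
    }
    return "content of '$name' does not look like a .$ext file";
}

// Applies the check to one $_FILES entry on a real request.
function afu_check_file(array $f, $allowed)
{
    if ($f['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($f['tmp_name'])) {
        return 'upload failed or the temporary file is not an upload';
    }
    $head = file_get_contents($f['tmp_name'], false, null, 0, 16);
    return afu_check_upload($f['name'], $f['size'], $head, $allowed);
}

// Constructed inputs: a genuine PDF header, a JPEG disguised as a PDF, and an .exe.
foreach (array(
    array('report.pdf', 1024, "%PDF-1.4\n"),
    array('report.pdf', 1024, "\xFF\xD8\xFF\xE0"),
    array('tool.exe', 1024, "MZ"),
) as $t) {
    $r = afu_check_upload($t[0], $t[1], $t[2], $afu_allowed);
    echo $t[0], ': ', ($r === '' ? 'accepted' : $r), "\n";
}
```

A signature check only catches mislabelled files, not malicious content inside a valid PDF or image, so moderation is still needed.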
#10 2006-06-21 09:49:42
- net-carver
- Archived Plugin Author
- Registered: 2006-03-08
- Posts: 1,648
Re: [plugin] [ORPHAN] sed_anon_file_upload
v0.7 is available and looking for beta testers (see top post of this thread).
If you would like to test this plugin and give me feedback please send me an email via the contact form on my website and I will contact you by return email.
Thank you.
Last edited by net-carver (2006-08-29 03:05:59)
— Steve
#11 2006-09-01 02:31:54
- net-carver
- Archived Plugin Author
- Registered: 2006-03-08
- Posts: 1,648
Re: [plugin] [ORPHAN] sed_anon_file_upload
FYI, I intend releasing v0.8 shortly after the release of TxP 4.0.4.
0.8 will also patch a potential security risk. However, you can patch it manually in your v0.7 installations as follows…
- Edit the plugin.
- Scroll down until you see the start of the _get_afu_state_data() routine…
- Look for these lines in that function…

    // —— Data from the form…
    $d['permissions'] = 0755;

- Change 0755 to 0644. This removes execution privileges from uploaded files.
- Make sure you save the change.
I became aware of this after switching to linux on my desktop and then spotting this post by Ruud in the testing forum…
— Steve
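To show what the 0755 to 0644 change above amounts to in code, here is an added PHP example (not the plugin's own code) that stores an accepted upload in the moderation directory with mode 0644 and verifies that no execute bit remains; the function names and the $moderation_dir parameter are assumptions.

```php
<?php
// Added example, not sed_anon_file_upload's code. Stores an accepted upload in
// the moderation directory without execute permission, as the 0644 patch does,
// and checks the result. Function names are assumptions.

// Moves the upload into $moderation_dir, forces mode 0644 and returns the new
// path, or false if the move failed.
function afu_store_upload($tmp_name, $orig_name, $moderation_dir)
{
    $ext = strtolower(pathinfo($orig_name, PATHINFO_EXTENSION));
    // The client-supplied name never becomes part of the path: a random name
    // avoids traversal characters and collisions; keep the original in the DB.
    $dest = rtrim($moderation_dir, '/') . '/' . bin2hex(random_bytes(8)) . '.' . $ext;
    if (!move_uploaded_file($tmp_name, $dest)) {
        return false;
    }
    // 0644 = rw-r--r--: the web server can read and serve it but not execute it.
    // chmod is explicit so the result does not depend on the server's umask.
    chmod($dest, 0644);
    return $dest;
}

// True when neither owner, group nor others hold an execute bit on the file.
function afu_is_non_executable($path)
{
    return (fileperms($path) & 0111) === 0;
}

// Constructed demonstration without a real HTTP upload: copy() stands in for
// move_uploaded_file() so the permission logic can be seen on a temp file.
$src = tempnam(sys_get_temp_dir(), 'afu');
file_put_contents($src, "%PDF-1.4\n");
chmod($src, 0755);                       // the old, risky mode
$dest = $src . '.pdf';
copy($src, $dest);
chmod($dest, 0644);
echo 'source executable: ', afu_is_non_executable($src) ? 'no' : 'yes', "\n";
echo 'stored executable: ', afu_is_non_executable($dest) ? 'no' : 'yes', "\n";
unlink($src);
unlink($dest);
```

Clearing the execute bit is one layer; the moderation directory itself should still be outside the web root or blocked from serving scripts, as the top post notes.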
Re: [plugin] [ORPHAN] sed_anon_file_upload
Does 4.0.4 require any other code adjustments for security on this Steve? I made the other changes when you posted the info.
Thanks!