Website Baker Community Forum
Topic: NEW MODULE - Form with File Uploads (Read 3955 times)
tomhung (Master Baker, Posts: 354)
NEW MODULE - Form with File Uploads
« on: June 28, 2007, 12:08:53 AM »
OK. Here is the ALPHA release of this module. This will prob NEVER be an official release because of its inherent security problems.
There is one main problem with the module. It breaks when you "REQUIRE" the upload file field in the form. I would love some help with this.
Here are the security problems.
If you have the public upload files, the files will be owned by apache. If you put them under the htdocs they can upload malicious code and run it. Bad News.
Options:
1. Have apache upload it somewhere not accessible to the webserver: /home/notapache. The problem is that your email / link will not work.
2. Use .htaccess on the upload folder under htdocs. You just have to set this up. I haven't automated it yet. Would someone like to take this on? I'm not sure about .htaccess on shared hosting. Can someone let us know if this is possible?
This module works.. it is just a little complex to set up.
BTW... I had to fork the code from the FORM module. This will install as a new module "Form W/ Attachments". Make sure you use this page type. Don't forget to set the upload directory....
I hope this helps the people out there that need it.
Greg
« Last Edit: June 28, 2007, 12:12:51 AM by tomhung »
Logged
tomhung (Master Baker, Posts: 354)
Re: New Form Module with file uploads.
« Reply #1 on: June 28, 2007, 12:11:01 AM »
Here is a TODO list. Anyone is welcome to help out in the development.
1. Fix "Required" problem
2. Automate .htaccess creation
3. White list of acceptable file extensions
Logged
Panther (Senior Baker, Posts: 168)
Re: NEW MODULE - Form with File Uploads
« Reply #2 on: June 28, 2007, 02:26:13 AM »
what do you see this being primarily used for?
Would a simple encryption or substitution or even appending of the file name being uploaded help the security issue?
ie. someone tries to upload the file malicious.php = behind the scenes, before it's saved to the server it is renamed as malicious.php.randomtext
If this is just a way to submit something for review, the admin then just has to remove the .randomtext from the file before reviewing it.
If the text is generated at random, there's no way for the uploader to know what the final file name is, and since it in effect changes the extension, it couldn't be executed.... right?
And it should either be a randomly generated text, not something set by the admin or by the module, that way nobody knows what it is beforehand...
Logged
dihakz (Pending Apprentice Baker, Posts: 23)
Re: NEW MODULE - Form with File Uploads
« Reply #3 on: June 28, 2007, 11:38:48 AM »
Quote from: Panther on June 28, 2007, 02:26:13 AM
what do you see this being primarily used for?
There are many, many things this could be used for (I had a burning need for this, so thank you, Greg!!) -- most significant, however, might be when a site needs an employment application. They can now fill out the form, and upload a resume.
Darren
Logged
Panther (Senior Baker, Posts: 168)
Re: NEW MODULE - Form with File Uploads
« Reply #4 on: June 28, 2007, 02:13:08 PM »
So it's not something where it is uploaded for immediate availability by other visitors... then something simple like appending a new suffix to the file name may work as a basic security measure that doesn't rely on things like htaccess.
Then a page in the admin side of things could be used for downloading that would strip the text off for those "computer illiterate" users.
« Last Edit: June 28, 2007, 02:14:39 PM by Panther »
Logged
tomhung (Master Baker, Posts: 354)
Re: NEW MODULE - Form with File Uploads
« Reply #5 on: June 28, 2007, 04:37:21 PM »
@Panther
You have to assume that the BAD GUYS are at least as smart as you. And I would be able to figure this out.
It's safest to have .htaccess on the directory or have it not in an accessible directory and move it after approval.
G
Logged
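An added example (not part of the thread and not the module's code) that combines the measures discussed in the posts above: a white list of file extensions, a server-generated random file name, and storage in a directory outside the web root. The function names and the private directory are hypothetical, and `random_bytes()` assumes PHP 7 or later.

```php
<?php
// Added example; safe_stored_name() and store_upload() are hypothetical names.

// Extensions the form accepts (the "white list" item on the TODO list).
const ALLOWED_EXT = ['pdf', 'doc', 'docx', 'jpg', 'png'];

/**
 * Return a server-chosen file name for an upload, or null when the
 * client-supplied name does not end in an allowed extension.
 */
function safe_stored_name(string $clientName): ?string
{
    // Drop any directory part the client sent (both slash styles).
    $base = basename(str_replace('\\', '/', $clientName));
    $ext  = strtolower(pathinfo($base, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return null; // covers "malicious.php", ".htaccess" and names with no extension
    }
    // The random name replaces the whole client name, so an inner extension
    // such as the ".php" in "malicious.php.doc" never reaches the disk.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

/** Move one entry of $_FILES into a directory outside the document root. */
function store_upload(array $file, string $privateDir): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    $name = safe_stored_name($file['name']);
    if ($name === null) {
        return null;
    }
    $dest = rtrim($privateDir, '/') . '/' . $name;
    // move_uploaded_file() only accepts files that arrived via HTTP POST.
    return move_uploaded_file($file['tmp_name'], $dest) ? $name : null;
}

// Constructed sample names, checked here without a real upload.
foreach (['resume.doc', 'malicious.php', 'malicious.php.doc', '.htaccess', 'photo.JPG'] as $n) {
    printf("%-20s => %s\n", $n, safe_stored_name($n) ?? 'rejected');
}
```

Because the files sit outside the web root, a link in the notification email cannot point at them directly; an admin-side download script would have to read the stored file and send it.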
cthelight (Pending Apprentice Baker, Posts: 20)
Re: NEW MODULE - Form with File Uploads
« Reply #6 on: July 11, 2007, 12:48:52 PM »
Where does it upload to?
Logged
tomhung (Master Baker, Posts: 354)
Re: NEW MODULE - Form with File Uploads
« Reply #7 on: July 13, 2007, 04:27:02 PM »
it defaults to your media directory. you should specify the directory you want it to go to. apache should have permissions to add files.
Logged
joris (Pending Apprentice Baker, Posts: 13)
Re: NEW MODULE - Form with File Uploads
« Reply #8 on: August 20, 2007, 03:43:41 PM »
Hello,
I installed this module successfully, but when I try to upload a file (what is the upload limit, by the way?), the following message pops up:
Warning: move_uploaded_file(/public_html/wb/media/20082007020836-Dizionario_zapparelli.doc): failed to open stream: No such file or directory in /home/MYNAME/public_html/wb/modules/form2/view.php on line 83
Warning: move_uploaded_file(): Unable to move '/tmp/phpyrGYs3' to '/public_html/wb/media/20082007020836-Dizionario_zapparelli.doc' in /home/MYNAME/public_html/wb/modules/form2/view.php on line 83
There was an error uploading the file, please try again!
This message pops up when my settings have the following dir.: /public_html/wb/media/
I tried to change the upload directory (existing ones) several times, but it doesn't get better...
I could not find any references as this module is new and still subject to improvements.
Is this an access problem (if yes, how do I solve this?) or something different?
Thanks in advance!
J
Logged
tomhung (Master Baker, Posts: 354)
Re: NEW MODULE - Form with File Uploads
« Reply #9 on: August 20, 2007, 04:27:18 PM »
this sounds like a permission problem. make sure the destination directory is writable by the user of your webserver.
chmod 775 /public_html/wb/media/
also is this the full path? it looks like it should be
/home/MYNAME/public_html/wb/media/
check that too
G
Logged
joris (Pending Apprentice Baker, Posts: 13)
Re: NEW MODULE - Form with File Uploads
« Reply #10 on: August 20, 2007, 04:41:05 PM »
Thanks!
I changed the path as you suggested, now it seems to work. Thanks a lot!
Is there a limit to the upload function or does it only depend on the characteristics of my server?
Furthermore, how can the .htaccess be activated to avoid public access to this directory?
Thanks!
J
Logged
tomhung (Master Baker, Posts: 354)
Re: NEW MODULE - Form with File Uploads
« Reply #11 on: August 20, 2007, 04:44:23 PM »
you need to check your php.ini file to see what the upload limit is.
you can make a code page with the following function to get all your settings. I believe the upload limit is listed there.
Code:
<?php
phpinfo();
?>
it's best to google .htaccess as it is an in-depth topic I don't have time to write about.
do you have a shell account?
g
Logged
joris (Pending Apprentice Baker, Posts: 13)
Re: NEW MODULE - Form with File Uploads
« Reply #12 on: August 20, 2007, 05:09:11 PM »
this is Chinese for me...
Thanks anyway, I will ask a friend who knows more about it!
Thanks again!
J
Logged
mandamexico (Pending Apprentice Baker, Posts: 2)
Re: NEW MODULE - Form with File Uploads
« Reply #13 on: March 24, 2008, 11:35:47 PM »
is help still being offered on this module?
I'm trying to have users to my site upload images that I can retrieve
once retrieved I can print and send it to the user's specifications. it's a service rendered through my site.
anyway...I added the module on wb
but when I test an upload it says image.jpg has been uploaded..blah blah blah
next I go to my media section..but nothing. I tried to click on the submissions link too and nothing.
I'm new to php. any help please?? thanks.
Logged
lawalty (Pending Apprentice Baker, Posts: 7)
Re: NEW MODULE - Form with File Uploads
« Reply #14 on: June 04, 2008, 08:38:59 PM »
Same here! It works, but it only uploads in the pages dir. I went and checked to be sure that the user has a home directory assigned to him, but still it ONLY uploads to the pages directory.. Any solutions?
Logged