View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
15507 | Bug reports | Survey taking | public | 2019-10-31 21:18 | 2020-07-09 12:44 |
Reporter | GuernseyResearch | Assigned To | ollehar |
Priority | none | Severity | partial_block |
Status | closed | Resolution | no change required |
Product Version | 3.19.2 |
Summary | 15507: Cannot upload file (Note: LS 3.19.3) |
Description | Error when attempting to upload a file into an active survey. New install on a new server. |
Steps To Reproduce | New install of LS 3.19.3 on a new file server running PHP Version 7.3.9 with file support enabled. Active survey to test: enter "YES", and "VERY well" to bypass the first two questions to get to the upload question. I have added a Test question. At first I allowed all standard extensions, but have now set it so that it only allows png file entry. It will properly report an incorrect extension, but will not upload files with the proper extension. Error reported is: "Sorry, unable to check extension of this file type %s." This then blocks the survey from moving further. |
Tags | No tags attached. |
Bug heat | 16 |
Complete LimeSurvey version number (& build) | LimeSurvey Version 3.19.3+191023 |
I will donate to the project if issue is resolved | No |
Browser | Firefox, but tried others |
Database type & version | mysql 5.0.12 |
Server OS (if known) | Apache/2.4.41 |
Webserver software & version (if known) | |
PHP Version | 7.3.9 |
Is that system running a Linux or Microsoft OS? It sounds similar to https://bugs.limesurvey.org/view.php?id=15331 |
|
Linux system. I cannot access above link. |
|
Can't reproduce it on my system. The only difference is the PHP version (I use 7.3.8) |
|
I did a complete fresh install from a fresh download and used a new database. I set ALL files and directories to 777 to ensure there was no permissions problem. It fails with PHP 7.3.9. This was working fine with 7.3.4. We are going to see if we can back off the PHP to the previous version and test again. |
|
@cdorin : a workaround bug for all of this bug can be adding a php, config PS : assign this one to me if you want this workaround fix … |
|
OK - we have determined this is a security issue with the new server. This is documented in issue 14621 which you are working on. We are operational, but feel this security issue needs to be resolved. Can you please notify us when an update that fixes this is available? |
|
You may close this ticket |
|
@GuernseyResearch, what exact security issue or setting are you referring to? |
|
@GuernseyResearch : I'm interested too why https://bugs.limesurvey.org/view.php?id=14621 can fix some information ? |
|
In moving to our new server we enabled more security for our mail and website. It appears that Limesurvey needs access to files outside its space and that causes the file upload to fail. Our Limesurvey (version 3 and beta 4) are now working, but the server does not have the currently recommended enhanced security. |
|
Not really, |
|
even if I set the permissions to EVERY file and directory within the /limesurvey directory to 777 the upload would fail. |
|
I concur with this bug. So currently the @GuernseyResearch workaround doesn't work. |
|
Just add some information: |
|
From what we were able to determine this is a security issue where the Limesurvey "owner" conflicts with the "webserver rights". Setting all files to 777 did not solve the problem. I still believe that Limesurvey is attempting to access something outside its own space and it does not have the rights to do that. We had to remove the "enhanced security" of the new server to make this work. As of this time we have not further investigated what "enhanced security" is actually doing and why it causes this problem. It was more important to have the system working. |
|
Can you explain what exactly "enhanced security" is in this case? Sounds like a hosting setting?! But nothing Limesurvey related? |
|
"enhanced security" is our term. These settings are recommended for security as they ensure that there is no file access from outside the domain. |
|
Really strange since I use open_basedir for testing .... What is your include path ? |
|
And then there is THIS https://paragonie.com/blog/2017/01/configuration-driven-php-security-advice-considered-harmful I think some of these "enhanced security" issues are just masking the problem. |
|
@GuernseyResearch: What PHP-Handler is used to interact with the webserver? That is very important to understand what user permissions get applied and what kind of setting files are in play. Using 777 as file permission is sometimes forbidden by the PHP handler. 777 is not always granting an unrestricted access to a folder/file. How does removing the upload_tmp_dir setting from php.ini improve security? upload_tmp_dir |
|
This was resolved and can be closed |
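
A diagnostic for the settings raised in the notes above (open_basedir, include path, upload_tmp_dir, PHP handler), as an added example that is not part of the original ticket or of LimeSurvey's code: it reports the effective values seen by the PHP handler and whether the upload temp directory falls inside open_basedir. The function names and the sample paths are constructed for illustration, and the path check is a string approximation of PHP's own test.

```php
<?php
// Added diagnostic sketch; not LimeSurvey code. Request it through the web
// server (same PHP handler and pool as the survey), not only from the CLI:
// the effective ini values and the process user can differ between the two.

/**
 * True if $path lies inside one of the open_basedir entries.
 * Approximation: plain string comparison on directory boundaries;
 * symlinks and relative entries are not resolved.
 */
function within_open_basedir(string $path, string $openBasedir): bool
{
    if ($openBasedir === '') {
        return true; // no restriction configured
    }
    $path = rtrim($path, '/\\') . '/';
    foreach (explode(PATH_SEPARATOR, $openBasedir) as $entry) {
        if ($entry === '') {
            continue;
        }
        $entry = rtrim($entry, '/\\') . '/';
        if (strncmp($path, $entry, strlen($entry)) === 0) {
            return true;
        }
    }
    return false;
}

function upload_report(): array
{
    $basedir = (string) ini_get('open_basedir');
    $tmp = (string) ini_get('upload_tmp_dir');
    // PHP falls back to the system temp dir when upload_tmp_dir is not set.
    $effectiveTmp = $tmp !== '' ? $tmp : sys_get_temp_dir();
    return [
        'sapi'                    => PHP_SAPI,
        'process_uid'             => function_exists('posix_geteuid') ? posix_geteuid() : 'n/a',
        'file_uploads'            => ini_get('file_uploads'),
        'include_path'            => get_include_path(),
        'open_basedir'            => $basedir === '' ? '(not set)' : $basedir,
        'upload_tmp_dir'          => $tmp === '' ? '(not set)' : $tmp,
        'effective_tmp_dir'       => $effectiveTmp,
        'tmp_inside_open_basedir' => within_open_basedir($effectiveTmp, $basedir),
    ];
}

header('Content-Type: text/plain');
// Constructed sample: temp dir outside the allowed tree, so this prints bool(false).
$sample = implode(PATH_SEPARATOR, ['/var/www/limesurvey', '/usr/share/php']);
var_dump(within_open_basedir('/tmp', $sample));
print_r(upload_report());
```

If `tmp_inside_open_basedir` is false, the uploaded temp file sits where PHP code is not allowed to read it, whatever the 777 permissions on the application directory say.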
|
Date Modified | Username | Field | Change |
---|---|---|---|
2019-10-31 21:18 | GuernseyResearch | New Issue | |
2019-11-01 09:13 | Mazi | Note Added: 54303 | |
2019-11-01 09:13 | Mazi | Relationship added | related to 15331 |
2019-11-01 14:11 | GuernseyResearch | Note Added: 54323 | |
2019-11-03 16:05 | cdorin | Note Added: 54351 | |
2019-11-04 18:57 | GuernseyResearch | Note Added: 54393 | |
2019-11-05 07:03 | DenisChenu | Note Added: 54394 | |
2019-11-05 07:03 | DenisChenu | Note Edited: 54394 | |
2019-11-05 19:56 | GuernseyResearch | Note Added: 54414 | |
2019-11-05 19:56 | GuernseyResearch | Note Added: 54415 | |
2019-11-05 21:56 | Mazi | Note Added: 54416 | |
2019-11-06 12:04 | DenisChenu | Note Added: 54424 | |
2019-11-06 17:20 | GuernseyResearch | Note Added: 54444 | |
2019-11-06 17:30 | DenisChenu | Note Added: 54445 | |
2019-11-06 17:36 | GuernseyResearch | Note Added: 54447 | |
2019-11-13 13:29 | vkuzmin | Issue Monitored: vkuzmin | |
2019-11-25 16:32 | obspm75 | Note Added: 54776 | |
2019-11-25 16:54 | obspm75 | Issue Monitored: obspm75 | |
2019-11-26 17:17 | obspm75 | Note Added: 54788 | |
2019-11-26 17:31 | GuernseyResearch | Note Added: 54790 | |
2019-11-26 18:25 | Mazi | Note Added: 54809 | |
2019-11-26 19:14 | GuernseyResearch | Note Added: 54811 | |
2019-11-26 19:18 | DenisChenu | Note Added: 54812 | |
2019-11-26 20:00 | GuernseyResearch | Note Added: 54813 | |
2019-11-27 01:52 | jelo | Note Added: 54815 | |
2020-07-09 00:39 | GuernseyResearch | Note Added: 58816 | |
2020-07-09 12:44 | ollehar | Assigned To | => ollehar |
2020-07-09 12:44 | ollehar | Status | new => closed |
2020-07-09 12:44 | ollehar | Resolution | open => no change required |