View Issue Details

This bug affects 1 person(s).
 16
IDProjectCategoryView StatusLast Update
15507Bug reportsSurvey takingpublic2020-07-09 12:44
ReporterGuernseyResearch Assigned Toollehar  
PrioritynoneSeveritypartial_block 
Status closedResolutionno change required 
Product Version3.19.2 
Summary15507: Cannot upload file (Note: LS 3.19.3 )
Description

Error when attempting to upload a file into an active survey. New install on a new server.

Steps To Reproduce

New install of LS 3.19.3 on a new file server running PHP Version 7.3.9 with file support enabled.
Used a previous survey and have added a NEW question to be sure the question itself was not corrupt.

active survey to test:
https://grquestions.com/ask/index.php/831819?lang=en

enter "YES", and "VERY well" to bypass the first two questions to get to the upload question. I have added a Test question. At first I allow all standard extensions, but have now set it so that only allows png file entry. It will properly report incorrect extension, but will not upload files with the proper extension. Error reported is:

"Sorry, unable to check extension of this file type %s."

This then blocks the survey from moving further.

TagsNo tags attached.
Bug heat16
Complete LimeSurvey version number (& build) LimeSurvey Version 3.19.3+191023
I will donate to the project if issue is resolvedNo
BrowserFirefox, but tried others
Database type & version mysql 5.0.12
Server OS (if known) Apache/2.4.41
Webserver software & version (if known)
PHP Version7.3.9

Relationships

related to 15331 closedollehar Uploading PDF at survey taking leads to "File extension can't be checked" error 

Users monitoring this issue

obspm75, vkuzmin

Activities

Mazi

Mazi

2019-11-01 09:13

updater   ~54303

Is that system running a Linux or Microsoft OS?

It sounds similar to https://bugs.limesurvey.org/view.php?id=15331

GuernseyResearch

GuernseyResearch

2019-11-01 14:11

reporter   ~54323

Linux system. I cannot access above link.
Reviewed similar bug reports and checked files and loaded extensions.

cdorin

cdorin

2019-11-03 16:05

reporter   ~54351

Can't reproduce it on my system. The only difference is the php version (i use 7.3.8)

GuernseyResearch

GuernseyResearch

2019-11-04 18:57

reporter   ~54393

I did a complete fresh install from a fresh download and used a new database. I set ALL files and directories to 777 to ensure there was no permissions problem. It fails with PHP 7.3.9

This was working fine with 7.3.4. We are going to see if we can back off the PHP to the previous version and test again.

DenisChenu

DenisChenu

2019-11-05 07:03

developer   ~54394

Last edited: 2019-11-05 07:03

@cdorin : a workaround bug for all of ths bug can be adding a php, config security_check_filetype to true by default. But if user need it … he can disable it.

PS : assign this one to me if you want this workaround fix …

GuernseyResearch

GuernseyResearch

2019-11-05 19:56

reporter   ~54414

OK - we have determined this is a security issue with the new server. This is documented in issue 14621 which you are working on.

We are operational, but feel this security issue needs to be resolved. Can you please notify us when an update that fixes this is available?

GuernseyResearch

GuernseyResearch

2019-11-05 19:56

reporter   ~54415

You may close this ticket

Mazi

Mazi

2019-11-05 21:56

updater   ~54416

@GuernseyResearch, what exact security issue or setting are you referring to?

DenisChenu

DenisChenu

2019-11-06 12:04

developer   ~54424

@GuernseyResearch : i'm interested too why https://bugs.limesurvey.org/view.php?id=14621 can fix some information ?

GuernseyResearch

GuernseyResearch

2019-11-06 17:20

reporter   ~54444

In moving to our new server we enabled more security for our mail and website. It appears that Limesurvey needs access to files outside its space and that causes the file upload to fail.
• The fix was to remove the PHP open-basedir setting, and also remove the upload_tmp_dir setting
• Even if upload_tmp_dir was set below open_basedir the upload still failed

Our Limesurvey (version 3 and beta 4) are now working, but the server does not have the currently recommended enhanced security.

DenisChenu

DenisChenu

2019-11-06 17:30

developer   ~54445

Limesurvey needs access to files outside its space

Not really , upload_tmp_dir maybe …

GuernseyResearch

GuernseyResearch

2019-11-06 17:36

reporter   ~54447

even if I set the permissions to EVERY file and directory within the /limesurvey directory to 777 the upload would fail.

obspm75

obspm75

2019-11-25 16:32

reporter   ~54776

I concur of this bug.
On some other plateform (FreeBSD + PHP + Mysql + PhP 7.2.22) I got the exact same problem.
The open_basedir and the upload_tmp_dir are not set (we running default config and in the default config those variables are not set)

So currently the @GuernesyResearch workaround don't work.
Regards

obspm75

obspm75

2019-11-26 17:17

reporter   ~54788

Just add some information:
I upgrade the server and all packages to the last version (apache24-2.4.41, php72-7.2.25, limesurvey3.20.2+191119) the problem is still here.
I try also some chmod 777 and as note by GuernseyResearch the upload still failed

GuernseyResearch

GuernseyResearch

2019-11-26 17:31

reporter   ~54790

From what we were able to determine this is a security issue where the Limesurvey "owner" conflicts with the "webserver rights". Setting all files to 777 did not solve the problem. I still believe that Limesurvey is attempting to access something outside its own space and it does not have the rights to do that. We had to remove the "enhanced security" of the new server to make this work. As of this time we have not further investigated what "enhanced security" is actually doing and why it causes this problem. It was more important to have the system working.
I suggest you see if your installation has a setting for "enhanced security". If so, turn it off and see if that makes a difference.

Mazi

Mazi

2019-11-26 18:25

updater   ~54809

You you explain what exactly "enhanced security" is in this case? Sounds like a hosting setting?! But nothing Limesurvey related?
Maybe you can post a screenshot?

GuernseyResearch

GuernseyResearch

2019-11-26 19:14

reporter   ~54811

"enhanced security" is our term.
We had to edit php.ini to remove the PHP open-basedir setting, and also remove the upload_tmp_dir setting
Even if upload_tmp_dir was set below open_basedir the upload still failed.

These settings are recommended for security as they ensure that there is no file access from outside the domain.
We were unable to get a better understanding of why Limesurvey worked fine with our previous web server and then failed with our new server. However, we also had changed the version of PHP in the process.

DenisChenu

DenisChenu

2019-11-26 19:18

developer   ~54812

Really strange since i use open_basedir for testing ....
With this settings : https://bugs.limesurvey.org/view.php?id=14621#c51046

What is your include path ?

GuernseyResearch

GuernseyResearch

2019-11-26 20:00

reporter   ~54813

And then there is THIS

https://paragonie.com/blog/2017/01/configuration-driven-php-security-advice-considered-harmful

I think some of these "enhanced security" issues are just masking the problem.

jelo

jelo

2019-11-27 01:52

partner   ~54815

@GuernseyResearch: What PHP-Handler is used to interact with the webserver? That is very import to understand what user permissions get applied and what kind of setting files are in play.

Using 777 as filepermission is sometimes forbidden by the PHP handler. 777 is not always granting an unrestricted access to a folder/file.

How does removing the upload_tmp_dir setting from php.ini improve security?

upload_tmp_dir
The temporary directory used for storing files when doing file upload. Must be writable by whatever user PHP is running as. If not specified PHP will use the system's default. If the directory specified here is not writable, PHP falls back to the system default temporary directory. If open_basedir is on, then the system default directory must be allowed for an upload to succeed.

GuernseyResearch

GuernseyResearch

2020-07-09 00:39

reporter   ~58816

This was resolved and can be closed

Issue History

Date Modified Username Field Change
2019-10-31 21:18 GuernseyResearch New Issue
2019-11-01 09:13 Mazi Note Added: 54303
2019-11-01 09:13 Mazi Relationship added related to 15331
2019-11-01 14:11 GuernseyResearch Note Added: 54323
2019-11-03 16:05 cdorin Note Added: 54351
2019-11-04 18:57 GuernseyResearch Note Added: 54393
2019-11-05 07:03 DenisChenu Note Added: 54394
2019-11-05 07:03 DenisChenu Note Edited: 54394
2019-11-05 19:56 GuernseyResearch Note Added: 54414
2019-11-05 19:56 GuernseyResearch Note Added: 54415
2019-11-05 21:56 Mazi Note Added: 54416
2019-11-06 12:04 DenisChenu Note Added: 54424
2019-11-06 17:20 GuernseyResearch Note Added: 54444
2019-11-06 17:30 DenisChenu Note Added: 54445
2019-11-06 17:36 GuernseyResearch Note Added: 54447
2019-11-13 13:29 vkuzmin Issue Monitored: vkuzmin
2019-11-25 16:32 obspm75 Note Added: 54776
2019-11-25 16:54 obspm75 Issue Monitored: obspm75
2019-11-26 17:17 obspm75 Note Added: 54788
2019-11-26 17:31 GuernseyResearch Note Added: 54790
2019-11-26 18:25 Mazi Note Added: 54809
2019-11-26 19:14 GuernseyResearch Note Added: 54811
2019-11-26 19:18 DenisChenu Note Added: 54812
2019-11-26 20:00 GuernseyResearch Note Added: 54813
2019-11-27 01:52 jelo Note Added: 54815
2020-07-09 00:39 GuernseyResearch Note Added: 58816
2020-07-09 12:44 ollehar Assigned To => ollehar
2020-07-09 12:44 ollehar Status new => closed
2020-07-09 12:44 ollehar Resolution open => no change required