No file upload with v1.0.4 #4

Open
webbird opened this issue Nov 13, 2013 · 12 comments

@webbird

webbird commented Nov 13, 2013

After upgrading from 1.0.1 to 1.0.4, file uploads are no longer possible. It seems the JS scrambles the form data somehow. On the server side, $_REQUEST and $_POST are just empty.

After replacing the JS with the old version, uploads are working again.

@ezyang
Owner

ezyang commented Jul 24, 2014

I need more information to fix this bug. How are you constructing the file upload widget?

@webbird
Author

webbird commented Jul 24, 2014

It's just a simple upload form. I will try to create a very simple test case for you.

@webbird
Author

webbird commented Jul 24, 2014

Still working on a test script for you, because it's a complex application where we use csrf-magic. For now, assume this: Given is a file upload form which calls an upload script via AJAX. I also have a custom csrf_callback() method. Here I've added these lines to see the difference:

echo "POST: ";
print_r($_POST);
echo "FILES: ";
print_r($_FILES);
echo "TOKENS: ";
print_r($tokens);

Result for 1.0.4:

POST: Array
(
)
FILES: Array
(
)
TOKENS:

Result for 1.0.3: Nothing, as the callback is not called. Adding the same code to the upload handler gives:

POST: Array
(
    [__csrf_magic] => sid:6215f76a2879162666a85455380a2bda6e47505d,1406200385
    [form_title] => Datei(en) hochladen
    [folder_path] => /media/gallery2
    [_cat_ajax] => 1
    [test] => Datei wählen...
    [upload_counter] => Array
        (
            [0] => 0
            [1] => 1
        )

    [upload_1] =>
)
FILES: Array
(
    [upload_0] => Array
        (
            [name] => 1239901119_reload_all_tabs.png
            [type] => image/png
            [tmp_name] => D:\xampp\tmp\php6A12.tmp
            [error] => 0
            [size] => 1757
        )

)

@webbird
Author

webbird commented Jul 24, 2014

My config:

function csrf_startup()
{
    // AJAX requests are allowed via POST only and must identify themselves
    // by adding a '_cat_ajax' param to the request
    if (isset($_POST['_cat_ajax']))
        csrf_conf('rewrite', false);
    // This enables JavaScript rewriting and will ensure your AJAX calls
    // don't stop working.
    csrf_conf('rewrite-js', CAT_URL . '/modules/lib_csrfmagic/csrf-magic.js');
    // This makes csrf-magic call my_csrf_callback() before exiting when
    // there is a bad csrf token. This lets me customize the error page.
    csrf_conf('callback', 'cat_csrf_callback');
    // While this is enabled by default to boost backwards compatibility,
    // for security purposes it should ideally be off. Some users can be
    // NATted or have dialup addresses which rotate frequently. Cookies
    // are much more reliable.
    csrf_conf('allow-ip', false);
    // Token lifetime
    if (defined('TOKEN_LIFETIME') && TOKEN_LIFETIME > 0)
    {
        csrf_conf('expires', TOKEN_LIFETIME);
    }
}

@webbird
Author

webbird commented Jul 24, 2014

Found reason:

if (window.XMLHttpRequest && window.XMLHttpRequest.prototype && '\v' != '\v') {

Old line was

if (window.XMLHttpRequest && window.XMLHttpRequest.prototype && '\v' != 'v') {

Dunno what this is for...?

@webbird
Author

webbird commented Jul 24, 2014

To be more precise... After changing that line in the old js (v1.0.3), I got the same error. After removing the change, the error was gone again. But after changing that line in v1.0.4 to the old version, the error is still there. I am confused now.

@webbird
Author

webbird commented Jul 24, 2014

Sorry, I mixed up old and new line. After changing that line in v1.0.4 to the old version - which is the one with 2x \v - the upload works again.
Also forgot to mention that I am working with Firefox 30 on Win7.

@ezyang
Owner

ezyang commented Jul 24, 2014

I can guess the high-level problem: AJAX and file uploads are not working. (Can it be reproduced with ordinary AJAX?) Can you summarize your investigation in the various few comments? Some of it doesn't seem consistent with what I remember happening in the code. Note that 1.0.2 and 1.0.3 are incorrectly labeled in source as 1.0.1.

@webbird
Author

webbird commented Jul 24, 2014

The solution that worked for me was to change line

if (window.XMLHttpRequest && window.XMLHttpRequest.prototype && '\v' != 'v') {

back to

if (window.XMLHttpRequest && window.XMLHttpRequest.prototype && '\v' != '\v') {

Sorry for confusion.

@ezyang
Owner

ezyang commented Aug 22, 2014

Well, you're just turning off the version detection. But maybe this is a good clue

@webbird
Author

webbird commented Aug 22, 2014

I am working with Firefox 31. Let me know if I can do something.

@netniV

netniV commented Feb 23, 2020

Was this a problem after the json object fixes? I suspect not.
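
Added example, not part of the thread and not csrf-magic's own code: it shows what the `'\v'` guard quoted above evaluates to, and how an AJAX wrapper that adds a CSRF token by string concatenation mangles a multipart (FormData) upload body, next to a type-aware variant. The thread does not establish that this is the cause of the reported bug; the function names and the token value are assumptions made for illustration.

```javascript
// Added example. TOKEN_NAME matches the POST field shown in the thread;
// the token values and all function names are constructed for illustration.
const TOKEN_NAME = '__csrf_magic';

// The guard quoted in the thread: engines that implement the \v escape
// (vertical tab, U+000B) make this true; old IE JScript read '\v' as 'v'.
// Writing '\v' != '\v' instead is always false, so the wrapper is skipped.
function engineHasVerticalTabEscape() {
  return '\v' !== 'v';
}

// Hypothetical wrapper logic that assumes every body is a urlencoded string.
// A FormData body is coerced to the text "[object FormData]" and the file
// parts are lost before the request leaves the browser.
function naiveBody(body, token) {
  return TOKEN_NAME + '=' + encodeURIComponent(token) + '&' + body;
}

// Type-aware variant: multipart bodies get the token as a form field,
// string bodies get it prepended, empty bodies become the token alone.
function safeBody(body, token) {
  const pair = TOKEN_NAME + '=' + encodeURIComponent(token);
  if (body === null || body === undefined || body === '') return pair;
  if (typeof body === 'string') return pair + '&' + body;
  if (typeof body.append === 'function') { // FormData, URLSearchParams
    body.append(TOKEN_NAME, token);
    return body;
  }
  // Blob, ArrayBuffer and similar: leave untouched; the caller has to
  // carry the token some other way for these body types.
  return body;
}
```

With the always-false guard no wrapper is installed at all, so the upload body is sent untouched and the token has to arrive as an ordinary form field, as in the working POST dump above.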
