This forum is no longer open and is for reading/searching only.
Please use our new MachForm Community Forum instead.
MachForm Community Forums » MachForm 4
Logo not uploading
Started 10 years ago by MichaelWheeler | 10 posts |
-
The error I get is:
Unable to write into data folder! (./data/themes/images){"status":"error","message":"Unable to move file!"}The path is not correct in that error message as I have moved that folder for security reasons. The permissions allow write access.
Posted 10 years ago # -
I forgot to mention that I did change the setting for the "File Upload Folder" under the advanced settings in the MachForm admin web interface.
Posted 10 years ago # -
Here's the relevant snippet from the php error log:
[21-May-2014 10:25:16 America/Chicago] PHP Warning: mkdir(): No such file or directory in /top/www/machform/upload_theme_images.php on line 44
[21-May-2014 10:26:29 America/Chicago] PHP Warning: mkdir(): No such file or directory in /top/www/machform/upload_theme_images.php on line 44
[21-May-2014 10:26:29 America/Chicago] PHP Warning: move_uploaded_file(./data/themes/images/img_055ce9c65d45c68a15525a2953fffbb2-Amie and Noah IMG_6563.jpg): failed to open stream: No such file or directory in /top/www/machform/upload_theme_images.php on line 82
[21-May-2014 10:26:29 America/Chicago] PHP Warning: move_uploaded_file(): Unable to move '/tmp/phpLH1TGh' to './data/themes/images/img_055ce9c65d45c68a15525a2953fffbb2-Amie and Noah IMG_6563.jpg' in /top/www/machform/upload_theme_images.php on line 82
[21-May-2014 10:27:04 America/Chicago] PHP Warning: mkdir(): No such file or directory in /top/www/machform/upload_theme_images.php on line 44Posted 10 years ago # -
On a hunch I took a look at the settings in the database and discovered that while the "upload_dir" field showed the correct location the "data_dir" field still had the old "./data" value.
I manually modified the "data_dir" field to match the "upload_dir" field and the upload worked however, the img link in the resulting html had an invalid path to the image.
As I understand it wouldn't it be necessary for the PHP code to read the image and send it directly to the browser for it to work since the image file is now located in a path not directly accessible via an URI?
Here's a link that talks about a similar issue and provides example PHP coded solution.
http://stackoverflow.com/questions/258365/php-link-to-image-file-outside-default-web-directory
For security reasons a web directory that allows upload should not be directly accessible in a web browser via an URI. This seems like both a security issue and also a bug in that the "data_dir" field did not get updated along with the "upload_dir" field in the database.
Am I missing something? Please help.
Posted 10 years ago # -
If you need more immediate assistance, suggest you log a help ticket - Appnitro wont' always be monitoring this forum.
Send them your request here: http://www.appnitro.com/contact
Posted 10 years ago # -
For security reason, it's best to set the "File Upload Folder" to a folder outside your document root indeed.
However, you need to change this setting BEFORE creating your forms, so that MachForm will be able to create the file upload folders within your new folder.If you changed the "File Upload Folder" setting AFTER creating your forms, there are few things need to be done.
First, you need to copy the content of the entire "data" folder to your new file upload folder. Once you copied all the folders, you can then safely delete all folders named "files" under your "data" folder.Also, make sure to provide a full folder path to your "File Upload Folder" setting. Don't use relative path.
If the problem persist, please contact us directly and let us know your MachForm login info.
We'll check it.MachForm Founder
Posted 10 years ago # -
Does the original data folder have to remain in place after doing the steps above?
Posted 10 years ago # -
I moved (linux mv command) the data folder outside of the root so all of the data present would still exist in the new location. So there is no data folder in the old location. Is that a problem?
Posted 10 years ago # -
You need to create the "data" folder again in the old location and create "data/images/themes" folder as well, since the logo will always being stored there.
MachForm Founder
Posted 10 years ago # -
So with the way your PHP code is currently written the server is still vulnerable due to directories with writeable permissions in the public root even though the upload directory would be "safe." The data directory is still open to compromise if someone finds an exploit for apache or PHP that would allow them to write files they would now have access to a fully writeable folder that is in the public html root. That is a serious security concern and one that could be avoided if your code could be written to send the CSS and images back to the client browser directly instead of requiring them to be in the public html directories.
The only protection your current method provides is from one of my own machform users uploading malicious code when editing a theme. It does nothing to address the real problem from outside hackers that if they gain access will have full write access to public html folders.
If there are no publicly writeable folders and a hacker compromises apache then there is not much he can do other than just look around at files to which apache has access.
Posted 10 years ago #
Reply
You must log in to post.