Download File/Image returns zero-length data #129
Comments
I've just tested on 2 systems: The 1st is a wampp server on Windows and the other Ubuntu 11.04. Can you check what happens if "upload" folder has 0777 rights?
Hey Nils, I tried again and changed the permissions on the folder as well as the files to 0777 - unfortunately, I am still downloading empty files. Since uploading and pretty much everything else works just fine, I do not think that this problem boils down to an installation issue ... However the attached txt-file will be downloaded somewhat differently. If I try to download an attached text file, the following link is used in the frontend (returns zero-length content): However, when trying to access the text-file the same way I accessed the jpeg, the text-file will be downloadable: Well, while this is a workaround I still wonder about security - is it by design, that the content of the upload folder is directly accessible and if so, why? (Or have I just screwed the security model by messing with chmod?) Best,
I'll take time to analyze why you are facing this issue. Concerning security, sure it is better to put the "upload" folder beyond the "www" folder so that it is not accessible from "external". There have been some discussions about this specific point. I've not found time to propose a native solution because actually mainly users are using the tool inside their local domain with no external access. But I've planned to do a simple change for next release that consists in adding a setting for "path to upload folder". This will permit an experimented webmaster to define a protected folder. But in that case, he will have to define also the redirection rules on the server. Cheers
That sounds great! If I can help somehow, please let me know ... Best,
BTW: Here is my five cents regarding the attachments: wouldn't it be even better to store the attachments in the database? I wouldn't expect the files to be extraordinarily large so that size isn't an issue. However, when going down that road, make sure to create a 1:n relationship to the new table (teampass_files_data table) that is lazily loaded.
Thank you for the suggestion. I didn't think about it because focusing on files, but sure you are right, this could be a very good solution.
Incidentally I'm having this issue too, I've not managed to find what the issue is yet. My server is pretty much the same as Ben's setup, Debian Squeeze with Apache and PHP 5.3
@niallfleming: Welcome to the Club ;)
I had the same issue when downloading files uploaded in the files tab of a key. Possibly related: two identical other error lines with each file download: Hopefully this helps. Edit: I accidentally a word.
Added a new field for Path and URL for Upload in 2.1.9. I'll add to release 2.2, the storage in database.
Nils, that sounds great. Thx!
The upload to the database will be a great feature. Nils, thanks for the work and for this great tool
You're welcome ;-) 2.2 should be ready for end of this year (December 2012).
Well, it seems that this issue is still not fixed as of the version that is currently available in the Git repo. It could be "fixed" by adding:
into downloadFile.php right before the readfile() call. But looking at the downloadFile.php code makes me fear about having THAT insecure software installed on the server - and by "that insecure" I mean TeamPass. Using unfiltered user input in filesystem-related operations is extremely dangerous. One could easily fetch any file from the server that the apache user has access to by passing the required filename in "sub" and terminating it with a zero byte. readfile would simply ignore the rest of the string and an attacker would be able to read any file he/she wants, including settings.php and other important files that should be kept secure.
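
Added example, not TeamPass code and not written by any commenter in this thread: one way to confine a user-supplied file name to the upload folder before `readfile()` is called, covering the directory and zero-byte concern raised in the comment above. The function name `resolve_download()`, the temporary directory layout and the sample file names are assumptions constructed for the demo.

```php
<?php
// Added example: resolve a requested attachment name inside the upload folder.
// resolve_download() is a hypothetical helper, not part of TeamPass.
function resolve_download(string $uploadDir, string $requested): ?string
{
    // Reject NUL bytes outright: older PHP versions truncated paths at "\0".
    if ($requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    // Accept a bare file name only: no separators, no "." or "..".
    if (strpbrk($requested, "/\\") !== false || $requested === '.' || $requested === '..') {
        return null;
    }
    // realpath() resolves symlinks and fails for paths that do not exist.
    $base = realpath($uploadDir);
    $full = realpath($uploadDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $full === false || !is_file($full)) {
        return null;
    }
    // After resolution the file must still live under the upload folder.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($full, $prefix, strlen($prefix)) === 0 ? $full : null;
}

// Constructed demo: a temporary upload folder with one attachment,
// and a settings.php one level above it that must never be served.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'dl_demo_' . getmypid();
mkdir($root . '/upload', 0700, true);
file_put_contents($root . '/upload/report.txt', 'attachment');
file_put_contents($root . '/settings.php', 'secret');

$requests = ['report.txt', '../settings.php', "report.txt\0.jpg", 'missing.txt'];
foreach ($requests as $req) {
    $path = resolve_download($root . '/upload', $req);
    printf(
        "%-26s => %s\n",
        json_encode($req, JSON_UNESCAPED_SLASHES),
        $path === null ? 'rejected' : 'served'
    );
}

// Remove the demo files again.
unlink($root . '/upload/report.txt');
unlink($root . '/settings.php');
rmdir($root . '/upload');
rmdir($root);
```

Only `report.txt` resolves to a path; the other three constructed requests are rejected before any file is opened.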
Problem:
When trying to download "Files & Images" which have been attached to an item, one receives an empty file (zero-content length).
Affected Version:
2.1.7 (2.1.8)
System-Info:
Checked:
-> chmod www-data:www-data ./upload/*
-> chmod 0644 ./upload/*
Best,
Ben.