[#16086] - PDFs (And other files) dont upload in Joomla 3.7.1
- Closed
- 18 May 2017
- Medium
- Build: staging
- # 16086
Placeholder issue to catch trending issues with Joomla 3.7.1 & incoming reports with regards to uploading issues due to new mime checks
If you are having an issue with PDFs (And other files) not uploading in Joomla 3.7.1 DONT start a new issue, post here,
Please provide a FULL file of your system information from the system information page of Joomla admin (Download as text)
Is there a bug with uploading PDF files through the Media Manager? I've tried it through Media Manager and the Ark Media Manager and neither will allow me to upload PDF files anymore.
3.7.1, php 7
Votes
| Labels |
Added:
?
|
||
Please check the allowed mine types as we now force to check on that.
I have application/pdf listed in the allowed MIME types. I could upload pdfs just fine before I upgraded to 7.1
please try your file against this checker: http://mime.ritey.com/ and told us the result.
File results
The MIME type for your file is: application/pdf
Do you not get that error when you try to upload pdfs zero?
I cannot replicate the problem, I can upload PDF's with Joomla 3.7.1 (out of the box install)
@freshlookweb Please provide a FULL file of your system information from the system information page of Joomla admin (Download as text) - and what is the full content of the Legal MIME Types box on this page on your site
/administrator/index.php?option=com_config&view=component&component=com_media
Having same issue with pdf files - checked all the settings ...only way i was able to get it to upload a pdf through Media Manager was
to either place pdf in the "ignored extensions" or turn off Check MIME Types..I do have "application/pdf" under Legal MIME Types.
Joomla was updated this morning and issue started.
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/16086.
systeminfo-2017-05-17T15-52-33+00-00.txt
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/16086.
Please add application/octet-stream to the allowed mine types.
Please add application/octet-stream to the allowed mine types.
As a test, and then report back here if that works for you :)
Removed the pdf from ignored extensions - added application/octet-stream - tested uploading a pdf through Media Manager - Success!
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/16086.
@tpaljr63 please try your file against this checker: http://mime.ritey.com/ and tell us the result.
File results
The MIME type for your file is: application/pdf
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/16086.
ok found the problem.
it is about the ordering of the options to check. We should first check here: https://github.com/joomla/joomla-cms/blob/staging/libraries/cms/helper/media.php#L81 and than the other. Or implement some kind of checks for application/octet-stream so that in that case the other options are checked too.
I can do a PR when i'm back at home.
Questions: Why would adding the "application/octet-stream" to Legal MIME Types affect pdf upload in Media Manager since "application/pdf" was allowed already and is there a Security Risk adding "application/octet-stream" to the Legal MIME Types?
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/16086.
Questions: Why would adding the "application/octet-stream" to Legal MIME Types affect pdf upload in Media Manager since "application/pdf" was allowed already and is there a Security Risk adding "application/octet-stream" to the Legal MIME Types?
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/16086.
Thanks Zero and Phil
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/16086.
@tpaljr63 actually is not Joomla but the server (apache I guess) that is missing some vital info (mimes): http://stackoverflow.com/questions/13847234/apache2-server-mime-types
actually is not Joomla but the server (apache I guess) that is missing some vital info (mimes):
saddly not http://php.net/manual/en/function.exif-imagetype.php can only detect image mimes. So it fails on PDF files or similiar and return the application/octet-stream.
Sorry for my ignorance...what is the solution? Do I have to add
application/octet-stream to all my websites or will there be a Joomla
update to fix this?
Eric Schuster
Fresh Look Web Design
757.646.7908
eric.schuster@freshlookwebdesign.com
www.freshlookwebdesign.com
On Wed, May 17, 2017 at 1:11 PM, zero-24 notifications@github.com wrote:
actually is not Joomla but the server (apache I guess) that is missing
some vital info (mimes):saddly not http://php.net/manual/en/function.exif-imagetype.php can only
detect image mimes. So it fails on PDF files or similiar and return the
application/octet-stream.—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
#16086 (comment),
or mute the thread
https://github.com/notifications/unsubscribe-auth/AbbZy5RaIMu19b23YnyLNUa24lOQnM-Rks5r6ypCgaJpZM4NeCo2
.
This will be looked at, and then a Pull Request made to fix this behaviour, and that, if tested, will make it into Joomla 3.7.2
| Status | New | ⇒ | Discussion |
| Category | ⇒ | com_media |
Thanks guys. With this bug, is it wise for me to delay upgrading all 60+ of
my websites to 7.1? Could I just wait for 3.7.2?
Eric Schuster
Fresh Look Web Design
757.646.7908
eric.schuster@freshlookwebdesign.com
www.freshlookwebdesign.com
On Wed, May 17, 2017 at 2:20 PM, Phil Taylor notifications@github.com
wrote:
This will be looked at, and then a Pull Request made to fix this
behaviour, and that, if tested, will make it into Joomla 3.7.2—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
#16086 (comment),
or mute the thread
https://github.com/notifications/unsubscribe-auth/AbbZy55ygInU3spl-0E7mXDNqNYA-od0ks5r6zp_gaJpZM4NeCo2
.
Hell no. You should have already upgraded ALL your site to Joomla 3.7.1 - it is a CRITICAL security release!
If you can risk getting hacked, feel free to delay upgrading to 3.7.1
| Status | Discussion | ⇒ | Closed |
| Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2017-05-17 19:15:45 |
| Closed_By | ⇒ | zero-24 |
I would have said leave this open a day - so that we dont get a million and one issues all created - thats the point of starting a placeholder issue to gather everyones attention and prevent duplicates...
Its proven people dont search...
| Status | Closed | ⇒ | New |
| Closed_Date | 2017-05-17 19:15:45 | ⇒ | |
| Closed_By | zero-24 | ⇒ |
What just helped me with other uploads after 3.7.1.: Administrator > Content > Media > Options > Check MIME Types > No
THANKS!
Did you tested the Patch? What was the result?
THANKS!
Did you tested the Patch? What was the result?
No, I did not, too complex for me, I am afraid. Just thank you for explaining that my "fix" is dangerous. :-) Switching Check MIME Types > Yes. Cannot wait for new update.
| Status | New | ⇒ | Closed |
| Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2017-05-18 05:15:33 |
| Closed_By | ⇒ | franz-wohlkoenig |
| Closed_By | franz-wohlkoenig | ⇒ | joomla-cms-bot |
Set to "closed" on behalf of @franz-wohlkoenig by The JTracker Application at issues.joomla.org/joomla-cms/16086
closed as having PR #16091
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/16086.
I am stil having issues with this. Have updated to 3.72 running php 7.0.15.
systeminfo-2017-05-26T08_28_46-05_00.txt
@OrignlCin see #16238
Oke, now we are more then a year further in time, and still this problem is there. I have Joomla! 3.8.6 and can't upload a PDF. I have added application/octet-stream and even set the check mimetype to NO, but still the media manager keeps saying that it's a wrong image. Is there another solution?
I have no idea how the Joomla developers consider this CLOSED. But I can tell you a workaround acceptable to some non-technical content contributors:
If you use JCE, you can use the LINK editor function, which allows you to browse and upload a PDF to the very same area that was determined "illegal". Go figure. Hopefully they won't take this away. :D
This was closed as there is nothing else to fix in Joomla.
Check the mime type of the file you are uploading with the tool at http://mime.ritey.com/ - then decide if you are happy to whitelist that mime type, and if you are then whitelist it. Simple.
Out of the box the Joomla filter is set up to be secure. But its your site, so if you want to change the settings you can. No one is stopping you!
If, as you say, JCE Editor allows uploads were Joomla doesnt, this doesnt mean Joomla is wrong, what it probably means is Joomla is more secure, and JCE is not respecting your configured MIME Types - thus is probably less secure and allowing of uploads of insecure PDF files.
@uglyeoin I can confirm [the] assertion that adding application/octet-stream doesn't solve the issue.
Of course if your file doesnt have the mime type of application/octet-stream then that is correct - adding application/octet-stream will not solve your issue.
PDF's are notorious for being badly created by all kinds of apps. Although the P D F Format is well documented, it has many many different implementations, and PDF's can generate a lot of different mime types, from application/octet-stream to application/pdf to Unknown.
Furthermore if your server doesnt correctly determine the mime type then it can also fail to validate the mime type. This can happen if you have disabled functions in php, or not included all the required PHP extensions required for correct mime identification.
Check your PDF files with http://mime.ritey.com/ and see the different results.
Then check your server meets the requirements of Joomla.
yes as you said there is the topic of
- doing proper configuration
- (and) about having server with proper detection of mime ...
but the problem of @uglyeoin and @goforitweb
and of many others who result in using 3rd party media manager
is
- the false positives during the safety checks !!
Uploaded files are always treated as text even if they are binary
searching inside the file for
<?php
.php
.js
etc
The larger the file is the bigger chance you have a having a false positive
public static function upload($src, $dest, $use_streams = false, $allow_unsafe = false, $safeFileOptions = array())and JCE runs with $allow_unsafe = true
if (JFile::upload($src, $dest, $use_streams = false, $allow_unsafe = false)) {Relevant issues
#15563
#20618
and
#8197
zips are not uncompressed but still they are scanned as text files
pdf are not parsed as PDF but still they are scanned as text files
“This was closed as there is nothing else to fix in Joomla.” -- @PhilETaylor
I respectfully disagree. An application developer's job is to provide a solution – whether it be Media Manager or something else – as a means of uploading PDFs … unless you are saying that you are completely against PDFs being on a website at all. And if that’s the case, SAY IT! And while you're at it - tell people what content contributors should use as a document object/method instead. You're not leaving us with a solution or guidance. The threads here a read by few, and it's way down in the weeds.
Obviously JCE goes around Joomla’s methods because people wanted a way, and Joomla wanted us to be safe. While it may not be ideal, and may be true, JCE is a lot closer to a user-friendly method.
unless you are saying that you are completely against PDFs being on a website at all
Nobody's saying that. What is being said is that Joomla must be explicitly configured to support PDF uploads for various reasons and that we are not enabling this out-of-the-box. Extensions may be bypassing the Joomla upload checks, which is fine if they are doing their own checks. That's all it boils down to.
The absolute safest file upload method is to send the file to an authorized individual to perform a rudimentary virus scan and FTP upload. As a security measure, Joomla does not just arbitrarily allow any user to upload any file, there are checks in place to try and safely limit what kinds of files can be uploaded through the application since it cannot do an in-depth file scan like an offline scanner would to ensure you aren't uploading something malicious.
I said that's the safest, not that it would be the best option for everyone. File uploads are an inherent security risk in any application and if you're supporting them generally there should be explicit configuration about who can do them and what types of files are allowed (with appropriate server side checks before processing the upload). All I can do is say why we have our code set up in the way we do and why extensions which bypass those checks or other CMS' which don't make checks at all might be problematic down the road (not to say that any Joomla extension which bypasses the core upload processing is unsafe, they can be performing their own checks separately, I don't know the code of every extension and can't speak on it without proper audits).
I understand your point of view, i.e. of the developer. I really do. I used to be one many moons ago. :D
But you also know that DropBox still has ~45% of the market share with its shoddy security despite losing masssive amounts to its competitors. I won't even mention WP. Oops!
I think the happy medium here is to provide visible guidance (possibly in the Media Manager?) where content contributors learn and decide which route they want to take.
Leaving it up to the front line support people to do the unenviable task of explaining the almost-unexplainable is Chicken $hit. We're your promoters! Why hang us? Show the right way. Design a real solution and then market the difference!
PHP 7.0.1/Joomla 3.7.1