Support

Akeeba Ticket System

#26701 Upload of zip file fails

Posted in ‘Akeeba Ticket System for Joomla! 4 & 5’
This is a public ticket

Everybody will be able to see its contents. Do not include usernames, passwords or any other sensitive information.

Environment Information

Joomla! version
n/a
PHP version
n/a
Akeeba Ticket System version
n/a

Latest post by on Sunday, 08 January 2017 17:17 CST

Friday, 09 December 2016 03:37 CST

compstud
 I have found a matching ticket for my problem (#24534 – Cannot upload Attachment) so understand you are aware of the issue, well it is an issue for me, of users not being able to upload ticket attachments that are zip files that contain php files. I regularly require users to send me code (php, ini, xml) in zip files as it helps to debug what they have done with the component generator I provide.

I understand the cause of this is the Joomla IsSafeFile checking in the Joomla core file libraries. This is really a request at some point for a change to Akeeba Ticket System to add a configuration parameter to allow optional override of this behavior by adding the necessary parameters to ATS JFile:upload call. Naturally for most users of ATS this may not be an issue so the default would be to prevent such uploads. In my case I understand the security risks and so all my users of ATS have to be registered Joomla users that have paid a subscription.

Even if you do not think the configuration parameter is something you will implement, it would be useful if something actually caught and displayed the exception you throw of 'COM_ATS_ATTACHMENTS_ERR_CANTJFILEUPLOAD' when the JFile::upload fails in your Attachments model. This currently does not seem to happen as no error message is displayed.

Thanks

Friday, 09 December 2016 03:58 CST

nicholas
I understand the problem all too well. It was on the long tail of my to-do list as I didn't think it affected anyone except our site and we know how to get our clients to give us the information we need without going through the ATS attachments system. I'll bump it up to the top of the list and try to address it for the release I'm planning for later today.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Friday, 09 December 2016 05:24 CST

compstud
Thanks for the prompt response. Like you I find other ways to get the zip files. It is more that my users think they have sent something and sometimes they have attached it. Quite often they have just forgotten to attach the file!

Great to see it in ATS but not that desparately urgent so as long it is scheduled for inclusion sometime soon I can work around it.

Friday, 09 December 2016 06:20 CST

nicholas
I did some further digging into this. When the upload fails because Joomla! rejects the file type or there is a file handling error (e.g. unwriteable uploads or destination directory) there is no problem, we do catch that error and report it. However, when the file contents are rejected Joomla! doesn't trigger an exception. This makes perfect sense since Joomla! doesn't want to break existing components. However, for me as a developer, there is no indication that the attachment got blocked. From my vantage point I simply see no attachments having been posted.

The only thing we could possibly do is add a component Options parameter to allow unsafe uploads. Even then, if you are using a security product like Admin Tools or RSFirewall you could still get a failure to upload these ZIP files because the security extension is catching them. Even if that doesn't happen lots of hosts will do file scanning which would delete the uploaded file. That would cause an error trying to download it.

I will add this option just for completeness' sake but I still think that the best way to receive unsafe attachments is asking the client to upload to Dropbox, OneDrive or Google Drive and paste the public link to the ticket. The unsafe attachment will definitely make it to these services and it's not stored on your site.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Sunday, 08 January 2017 17:17 CST

System Task
system
This ticket has been automatically closed. All tickets which have been inactive for a long time are automatically closed. If you believe that this ticket was closed in error, please contact us.
Edited by on 2017-01-08 17:17 CST

Support Information

Working hours: We are open Monday to Friday, 9am to 7pm Cyprus timezone (EET / EEST). Support is provided by the same developers writing the software, all of which live in Europe. You can still file tickets outside of our working hours, but we cannot respond to them until we're back at the office.

Support policy: We would like to kindly inform you that when using our support you have already agreed to the Support Policy which is part of our Terms of Service. Thank you for your understanding and for helping us help you!