Module: Jquery File Upload


kongondo

Recommended Posts

  • 9 months later...

Security Report: FYI

TL;DR: Our module does not use the vulnerable PHP files. We are OK; nothing to see here.

You might have come across reports that Blueimp jQuery File Upload, on which the module JqueryFileUpload is based, had some vulnerabilities that had gone undetected for 8 years! The vulnerabilities, which have since been fixed, had to do with the server-side application examples that ship with Blueimp jQuery File Upload, specifically the two PHP files Upload.php and UploadHandler.php. Our ProcessWire JqueryFileUpload module is not in any way affected by the vulnerability. Here's why:

  1. We don't use Upload.php and UploadHandler.php nor any server-side samples that might ship with Blueimp jQuery File Upload. We use ProcessWire's WireUpload Class instead.
  2. We don't ship our module with these files.
  3. We use Blueimp jQuery File Upload purely for its client-side upload capabilities (only the JavaScript).
  4. Blueimp jQuery File Upload aside, we operate a very tight ship with our module. These include:
    1. Not everyone can upload files. That decision is left to the developer.
    2. All files are validated for both MIME types and file extensions.
    3. Only extensions specified by the admin are allowed to go through to validation.
    4. All uploads are stored in a temporary folder pending validation. The location of the temporary folder is configurable. One can set either a web-accessible folder (e.g. in cases where one wants to show thumbnails of uploaded images) or a hidden one.
    5. All actions sent from client-side are validated against settings stored server-side. For instance, uploading, listing and deleting files. So, changing a JSON setting sent to the module client-side has no effect server-side.
    6. We use CSRF.
    7. Etc...

Here are the relevant links to the above-mentioned (but now fixed) exploits.

In conclusion, this is just for your information, in case you were wondering or came across it. We are not affected and we didn't have to patch anything. Having said that, as per our OP, we urge all developers who use this module to exercise best practices to secure their applications.

Edited by kongondo
typos
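The checks kongondo lists above, written out as an added example for this thread. It is not code from the JqueryFileUpload module or from ProcessWire: it is plain PHP so it runs stand-alone, and the function names, setting names and the sample files are assumptions (in the module itself the equivalents are ProcessWire's WireUpload class and $session->CSRF). It also shows why the PHP fileinfo extension matters to this module: the content-type check depends on it and fails closed when it is missing.

```php
<?php
// Added example, not code from the JqueryFileUpload module or ProcessWire. Shows the
// server-side checks described in the post as plain PHP; in the module these run
// through ProcessWire's WireUpload class and $session->CSRF. All function and
// setting names are assumptions made for this example.

// Settings exist server-side only. The client-side JSON config can be edited by
// anyone with a browser, so nothing in it is allowed to widen these.
$serverSettings = [
    // extension => the content types finfo is allowed to report for that extension
    'allowed' => [
        'jpg'  => ['image/jpeg'],
        'jpeg' => ['image/jpeg'],
        'png'  => ['image/png'],
        'pdf'  => ['application/pdf'],
    ],
    'maxFileBytes'     => 5 * 1024 * 1024,
    'uploadsDeletable' => false,
    // pending uploads wait here, outside the web root, until they have been validated
    'tmpDir'           => sys_get_temp_dir() . '/jfu-pending',
];

/** Check one $_FILES entry. Returns [] when accepted, otherwise the rejection reasons. */
function validateUpload(array $file, array $settings): array
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return ['PHP upload error code ' . ($file['error'] ?? 'none')];
    }
    $errors = [];
    if ($file['size'] > $settings['maxFileBytes']) {
        $errors[] = 'file exceeds size limit';
    }
    // Extension check: last extension only, lower-cased, strict allowlist.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset($settings['allowed'][$ext])) {
        return array_merge($errors, ["extension '$ext' is not allowed"]);
    }
    // MIME check from the bytes on disk, never from the client-supplied $file['type'].
    // This is the step that needs PHP's fileinfo extension; without it we fail closed.
    if (!function_exists('finfo_open')) {
        return array_merge($errors, ['fileinfo extension not loaded; refusing upload']);
    }
    $finfo = finfo_open(FILEINFO_MIME_TYPE);
    $mime  = finfo_file($finfo, $file['tmp_name']);
    finfo_close($finfo);
    if (!in_array($mime, $settings['allowed'][$ext], true)) {
        $errors[] = "content type '$mime' does not match extension '$ext'";
    }
    return $errors;
}

/** A client-requested action is honoured only if the server-side setting permits it. */
function isActionAllowed(string $action, array $settings): bool
{
    switch ($action) {
        case 'upload': return true;
        case 'delete': return $settings['uploadsDeletable'] === true;
        default:       return false;   // unknown actions are rejected outright
    }
}

/** Constant-time CSRF token comparison (ProcessWire provides $session->CSRF->validate()). */
function csrfTokenValid(string $expected, string $presented): bool
{
    return $expected !== '' && hash_equals($expected, $presented);
}

// --- constructed demo input (not a real upload; move_uploaded_file() would refuse it) ---
$pngBytes = "\x89PNG\r\n\x1a\n" . "\x00\x00\x00\x0dIHDR" . str_repeat("\x00", 13);
$tmp = tempnam(sys_get_temp_dir(), 'jfu');
file_put_contents($tmp, $pngBytes);

$okFile  = ['name' => 'photo.PNG',  'tmp_name' => $tmp, 'size' => strlen($pngBytes), 'error' => UPLOAD_ERR_OK];
$badExt  = ['name' => 'notes.php',  'tmp_name' => $tmp, 'size' => strlen($pngBytes), 'error' => UPLOAD_ERR_OK];
$badMime = ['name' => 'report.pdf', 'tmp_name' => $tmp, 'size' => strlen($pngBytes), 'error' => UPLOAD_ERR_OK];

foreach (['okFile' => $okFile, 'badExt' => $badExt, 'badMime' => $badMime] as $label => $f) {
    $errors = validateUpload($f, $serverSettings);
    echo $label, ': ', $errors ? implode('; ', $errors) : 'accepted', PHP_EOL;
}
echo 'delete allowed: ', var_export(isActionAllowed('delete', $serverSettings), true), PHP_EOL;
unlink($tmp);
```

The extension and the content type are checked against each other rather than independently, so a PNG renamed to .pdf is rejected even though both .pdf and image/png are individually allowed; and the client's `type` field is ignored entirely, since the browser fills it in from the file name.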

  • 3 months later...

Update: Jquery File Upload Version 0.0.7.

 

As of today and this version onward, ONLY ProcessWire 3.x is supported.

 

Changelog

  1. Added option to unzip uploaded ZIP archives (works only in PW backend {hence custom modules}).
  2. Refreshed upload widget look and style.
  3. Added support for so-called 'Upload Anywhere' (no documentation currently, sorry. Basically this means you can use a whole page as a files' dropzone).

For those who care, this means Media Manager's release is imminent.

 


Thanks!

Edited by kongondo
note about PW 3 support only

  • 1 month later...

Thanks for this great module!

I had a problem with my live server: it didn't allow PDFs to be uploaded, and the script fired the message "filetype not allowed". If anyone encounters this problem, the solution is to go to the server settings and tick the "fileinfo" extension in the PHP settings.


  • 2 weeks later...

Hello again,

Has anyone tried to add a file description to the file? I want to maintain the original filename with spaces, capitals and special characters; if so, I could add them to the file->description and display the description on the template instead of the filename. Is this something at all possible?


On 4/19/2019 at 10:25 AM, palacios000 said:

Has anyone tried to add a file description to the file? I want to maintain the original filename with spaces, capitals and special characters; if so, I could add them to the file->description and display the description on the template instead of the filename. Is this something at all possible?

I don't quite understand. Do you mean you want to save the non-sanitised file name as a description rather than adding a description to the file later yourself?


Hi! I'd like to keep the original file name. After upload, the new sanitised name is not as human-friendly as the original file saved by the client on his PC; this is why I was thinking of keeping the original name somehow and saving it in the file description. In my very modest opinion, this is something quite complicated to do, but maybe there is an easy solution.

 


2 hours ago, palacios000 said:

Hi! I'd like to keep the original file name. After upload, the new sanitised name is not as human-friendly as the original file saved by the client on his PC; this is why I was thinking of keeping the original name somehow and saving it in the file description. In my very modest opinion, this is something quite complicated to do, but maybe there is an easy solution.

 

Maybe if you could explain your use case a bit more. What do you do with the uploaded file? If you are adding it to a ProcessWire Page, ProcessWire will not allow you to have your 'human-friendly' file name. It will be sanitised. I am guessing that is why you wanted to save the original file name in the description?

Secondly, who is uploading the files? The general public? Registered users? Site editors? 


Yes, you guessed right: a registered user uploads PDFs to a PW page, which is then rendered like a "folder", and all files are displayed as a list where the user can browse them... I'm able to make the list neater with some "str_replace", but still it won't be the same as it should.

I thought of writing the original file names to a txt file in the same temporary folder where the files are saved, or into the session, and then with some logic adding the content of the text file to each file->description field, but at the moment it's too complicated for me! Or maybe this could be a feature for the next released version. Thanks again for this great module anyway!

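The idea palacios000 describes above (store the file under a sanitised name, keep the browser-supplied name as a separate display label), as an added example that is not code from the module or from ProcessWire. It is plain PHP so it runs without ProcessWire; the function names and the sample file names are assumptions. In ProcessWire the stored name would come from $sanitizer->filename() and the label would be written to the Pagefile's description. The original name is user input, so the example strips any path component and control characters from it and escapes the label when rendering it as HTML.

```php
<?php
// Added example, not code from the JqueryFileUpload module or ProcessWire. Keeps the
// original (browser-supplied) file name as a display label while the file itself is
// stored under a filesystem-safe name. Function names are assumptions for the example.

/** Filesystem-safe name: ASCII, lower-case, allowlisted characters, one allowed extension. */
function safeStoredName(string $original, array $allowedExts): ?string
{
    $base = basename(str_replace('\\', '/', $original));   // drop any client-supplied path
    $ext  = strtolower(pathinfo($base, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowedExts, true)) {
        return null;                                         // extension not allowed
    }
    $stem = pathinfo($base, PATHINFO_FILENAME);
    $stem = iconv('UTF-8', 'ASCII//TRANSLIT//IGNORE', $stem) ?: 'file';
    $stem = strtolower(preg_replace('/[^a-z0-9]+/i', '_', $stem));
    $stem = trim($stem, '_') ?: 'file';
    return substr($stem, 0, 100) . '.' . $ext;
}

/** Display label: the original name minus control characters, length-capped. */
function displayLabel(string $original): string
{
    $label = trim(preg_replace('/[\x00-\x1f\x7f]+/u', '', $original));
    return mb_substr($label !== '' ? $label : 'file', 0, 255);
}

/** Append -1, -2, ... when the stored name already exists in $existing (no overwrite). */
function uniqueStoredName(string $name, array $existing): string
{
    if (!in_array($name, $existing, true)) {
        return $name;
    }
    $ext  = pathinfo($name, PATHINFO_EXTENSION);
    $stem = pathinfo($name, PATHINFO_FILENAME);
    for ($n = 1; ; $n++) {
        $candidate = "$stem-$n.$ext";
        if (!in_array($candidate, $existing, true)) {
            return $candidate;
        }
    }
}

// Constructed sample names, as a browser might send them in $_FILES['...']['name'].
$samples = [
    'Contrat de Prêt (Final) V2.pdf',
    '../../etc/passwd.pdf',
    "Report\t2019.pdf",
    'contrat de pret final v2.pdf',   // collides with the first one after sanitising
    'notes.txt',                      // not in the allowlist
];
$stored = [];
foreach ($samples as $name) {
    $safe = safeStoredName($name, ['pdf']);
    if ($safe === null) {
        echo "rejected: $name", PHP_EOL;
        continue;
    }
    $safe     = uniqueStoredName($safe, $stored);
    $stored[] = $safe;
    // The label is escaped here because it is about to be rendered into HTML.
    printf("%s  ->  %s  (label: %s)%s", $name, $safe,
        htmlspecialchars(displayLabel($name), ENT_QUOTES, 'UTF-8'), PHP_EOL);
}
```

The two names serve different purposes and are sanitised by different rules: the stored name has to be safe for the filesystem and the URL, the label only has to be safe to display, which is why it can keep spaces, accents and capitals.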

  • 7 months later...

Thank you sooo much for this!! Truly super helpful. I've been trying to implement that precise script for two days, since I didn't know you had already done it, and failed!

Thanks!

I do however have a few questions O:) 

I've been playing around with the config options but can't quite get the script to do what I want. I currently have:

$options = array(
	'showUploaded' => true,
	'uploadsDeletable' => true,
	'setMaxFiles' => 9999,
	'setOverwrite' => false,
);

But after the upload the script doesn't show the files I uploaded, nor do I see links to the files opening in a gallery.
Also I've not managed to upload more than 50 files at once, the rest of the upload seems to just get dropped.

What settings would I have to use to:
- See the images already in the folder
- See the images after uploading with link to open them in a gallery?
- Actually upload 9999 files?

Thanks in advance!


  • 6 months later...
1 hour ago, ildarvasin said:

Is it possible to receive notifications in the administrative version of the processwire when user upload a file?

No, sorry. You'd have to code that yourself. 

What's your use case?

Welcome to the forums.


I want to do 2 things:
- clear the list of selected files when closing the module window;
- add closing the window, after downloading all the files at once.

But your code is quite difficult to understand at my level and I don’t understand where exactly the button press of the forms is processed.

p.s. I apologize if I do not make myself clear, because I am Russian-speaking.


22 hours ago, ildarvasin said:

I want to do 2 things:
- clear the list of selected files when closing the module window;
- add closing the window, after downloading all the files at once.

This module has no window and does not open any modal. It's still not clear to me how you are using it. I am thinking maybe you are trying to use the module in your own module? Or in the ProcessWire admin? If I could get a bit more information about this and/or a diagram/drawing (or even an animated GIF), that would help.


Indeed, you are correct that your module was crammed into a separate block. The previous questions have disappeared.

Can I define my own file formats? I need to download 'doc, docx'; the rest should not even be offered for saving, as with mp3 and txt.



The following options, as I understand it, need to be set:

'acceptFileTypes' => 'doc docx',
'allowedImageMimeTypes' => array(
	'application/msword', // .doc
	'application/vnd.openxmlformats-officedocument.wordprocessingml.document', // .docx
),
'commonImageExts' => array('doc', 'docx'),

But the save button still appears for formats such as .xls, .jpg, .png, .zip, .iso and .pdf. If you save the files, then all the allowed formats appear in the folder, but I would like to get rid of the button for unauthorized formats.


  • 6 months later...
  • 7 months later...

Hey Guys,

I've tried the module and it works well. All the files are uploaded very quickly! So thank you for that! However, I can't seem to manage to get the module to behave the way it does in your examples. I've used the frontend scripts from the examples; they are unedited and original.
At first, the area where selected images would show after being selected is already visible when I open the page. After the images are uploaded I never get to see them. Also, it doesn't show images that are already uploaded to the directory.
I checked the user privileges of the folder being used and they all have 755 access, so that shouldn't be the problem? I also tried with a custom folder in /templates but with the same result.



Also when I set:

		'enableDropZone' => 1,// render a drop zone where files could be uploaded via 'dropping'

to "0", the dropzone just stays visible, in a slightly different way.


I feel like it's not fully working. How can I check / improve its functionality to make sure these features work like they are supposed to?
I would like it to look and work like this example does: Just a select button and showing uploaded files :)

https://blueimp.github.io/jQuery-File-Upload/


Thanks in advance!

Bram


  • 1 year later...
12 hours ago, gebeer said:

Referring to your post in Media Manager thread, do you think that JqueryFileupload will receive further updates?

No, unless security related. With respect to MM, I am moving to use an in-house htmx-alpine-js-tailwind-css solution.

12 hours ago, gebeer said:

Just asking so I can decide whether I should fork it and potentially make PRs. 

Most welcome. I'd certainly look at PRs. Thanks!
