kongondo

Module: Jquery File Upload

50 minutes ago, huhabab said:

Thank you, the error was on my part, changed the options before rendering the module. (...)

Glad you sorted it out.


Security Report: FYI

TL;DR: Our module does not use the vulnerable PHP files. We are OK; nothing to see here 🙂.

You might have come across reports that Blueimp jQuery File Upload on which the module JqueryFileUpload is based had some vulnerabilities that had gone undetected for 8 years! The vulnerabilities, that have since been fixed, had to do with the server-side application examples that ship with Blueimp jQuery File Upload, specifically the two PHP files Upload.php and UploadHandler.php. Our ProcessWire JqueryFileUpload module is not in any way affected by the vulnerability. Here's why:

  1. We don't use Upload.php and UploadHandler.php nor any server-side samples that might ship with Blueimp jQuery File Upload. We use ProcessWire's WireUpload Class instead.
  2. We don't ship our module with these files.
  3. We use Blueimp jQuery File Upload purely for its client-side upload capabilities (only the JavaScript).
  4. Blueimp jQuery File Upload aside, we operate a very tight ship with our module. These include:
    1. Not everyone can upload files. That decision is left to the developer.
    2. All files are validated for both MIME types and file extensions.
    3. Only extensions specified by admin are allowed to go through to validation.
    4. All uploads are stored in a temporary folder pending validation. The location of the temporary folder is configurable. One can set either a web-accessible folder (e.g. in cases where one wants to show thumbnails of uploaded images) or a hidden one.
    5. All actions sent from client-side are validated against settings stored server-side. For instance, uploading, listing and deleting files. So, changing a JSON setting sent to the module client-side has no effect server-side.
    6. We use CSRF.
    7. Etc...

Here are the relevant links to the above mentioned (but now fixed) exploits.

In conclusion, this is just for your information, in case you were wondering or came across it. We are not affected and we didn't have to patch anything. Having said that, as per our OP, we urge all developers who use this module to exercise best practices to secure their applications.

Edited by kongondo
typos
  • Like 5


Thank you @kongondo for this information.

That shows the exemplary security awareness of @ryan in all his work! One of the reasons that makes us glad using PW...

  • Like 1

On 11/28/2018 at 10:57 AM, ottogal said:

That shows the exemplary security awareness of...

... Kongondo too 😉 

  • Like 2


Update: Jquery File Upload Version 0.0.7.

 

As of today and this version onward, ONLY ProcessWire 3.x is supported.

 

Changelog

  1. Added option to unzip uploaded ZIP archives (works only in PW backend {hence custom modules}).
  2. Refreshed upload widget look and style.
  3. Added support for so-called 'Upload Anywhere' (no documentation currently, sorry. Basically this means you can use a whole page as a files' dropzone).

For those who care, this means Media Manager's release is imminent 🙂

 

Screenshots: two images (jfu-ver-007-001, jfu-ver-007-002), not reproduced here.

Thanks!

Edited by kongondo
note about PW 3 support only
  • Like 3


Thanks for this great module!

I had a problem with my live server: it didn't allow PDFs to be uploaded, and the script fired the message "filetype not allowed". If anyone encounters this problem, the solution is to go to the server settings and tick the "fileinfo" extension in the PHP settings.

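Added example (editor's illustration, not part of the thread and not code from the JqueryFileUpload module or ProcessWire): the extension-plus-MIME validation described in the security report above, written in plain PHP so that it also shows why a server without the "fileinfo" extension rejects every upload, as in the post just above. The function name `validateStagedFile`, the `ALLOWED` map and the sample files are hypothetical; the module itself uses ProcessWire's WireUpload class, which is not shown here.

```php
<?php
// Added example: not code from the JqueryFileUpload module or from ProcessWire.
// Server-side allow-list (assumed values). Nothing the client sends, such as
// a JSON setting or the request's Content-Type, is consulted.
const ALLOWED = [
    'pdf' => ['application/pdf'],
    'png' => ['image/png'],
];

/**
 * Validate one file staged in the temporary upload folder.
 * Returns [bool $ok, string $reason].
 */
function validateStagedFile(string $path, array $allowed = ALLOWED): array
{
    // Fail closed: without fileinfo the content type cannot be verified,
    // so the file is rejected instead of being trusted by name alone.
    if (!extension_loaded('fileinfo')) {
        return [false, 'fileinfo extension not loaded'];
    }
    // 1. The extension (last suffix only) must be on the allow-list.
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        return [false, "extension '$ext' not allowed"];
    }
    // 2. The MIME type is sniffed from the file's bytes and must be one
    //    of the types expected for that extension.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    if ($mime === false || !in_array($mime, $allowed[$ext], true)) {
        return [false, "content type '$mime' does not match .$ext"];
    }
    return [true, 'ok'];
}

// Constructed sample uploads, written to a private temporary folder.
$tmp = sys_get_temp_dir() . '/jfu_demo_' . bin2hex(random_bytes(4));
mkdir($tmp, 0700);
$samples = [
    'report.pdf' => "%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n",
    'notes.pdf'  => "plain text renamed to .pdf\n",   // extension ok, bytes are not PDF
    'tool.php'   => "<?php echo 'hello';\n",          // extension not on the list
];

foreach ($samples as $name => $bytes) {
    $path = "$tmp/$name";
    file_put_contents($path, $bytes);
    [$ok, $reason] = validateStagedFile($path);
    printf("%-12s %s (%s)\n", $name, $ok ? 'ACCEPT' : 'REJECT', $reason);
    unlink($path); // demo files never leave the staging folder
}
rmdir($tmp);
```

Run it with `php` on the command line; with the fileinfo extension disabled, all three samples are rejected, including the genuine PDF.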

Hello again,

Has anyone tried to add a file description to the file? I want to maintain the original filename with spaces, capital and special characters, if so I could add them to the file->description and display on the template the description instead of the filename. Is this something at all possible?

On 4/19/2019 at 10:25 AM, palacios000 said:

Has anyone tried to add a file description to the file? I want to maintain the original filename with spaces, capital and special characters, if so I could add them to the file->description and display on the template the description instead of the filename. Is this something at all possible?

I don't quite understand. Do you mean you want to save the non-sanitised file name as a description rather than adding a description to the file later yourself?


Hi! I'd like to keep the original file name. After upload the new sanitised name is not as human-friendly as the original file saved by client on his PC, this is why I was thinking to keep the original name somehow and save it on the file description. In my very modest opinion, this is something quite complicated to do, but maybe there is an easy solution.

 

2 hours ago, palacios000 said:

Hi! I'd like to keep the original file name. After upload the new sanitised name is not as human-friendly as the original file saved by client on his PC, this is why I was thinking to keep the original name somehow and save it on the file description. In my very modest opinion, this is something quite complicated to do, but maybe there is an easy solution.

 

Maybe if you could explain your use case a bit more. What do you do with the uploaded file? If you are adding it to a ProcessWire Page, ProcessWire will not allow you to have your 'human-friendly' file name 😀. It will be sanitised. I am guessing that is why you wanted to save the original file name in the description?

Secondly, who is uploading the files? The general public? Registered users? Site editors? 


Yes you guessed right: registered user uploads pdfs on a PW page, which is then rendered like a "folder" and all files are displayed as a list, where the user can browse them... I'm able to make the list neater with some "str_replace" but still it won't be the same as it should.

I thought of writing the original file names on a txt file in the same temporary folder where files are saved, or into the session, and with some logic then add the content of the text file on each file->description field, but at the moment it's too complicated for me! Or maybe this could be a feature for the next released version 😎. Thanks again for this great module anyway!


Thank you sooo much for this!! Truly super helpful, I've been trying to implement that precise script for two days, since I didn't know you had already done it, and failed! 😢

thanks! 🙂

I do however have a few questions O:) 

I've been playing around with the config options but can't quite get the script to do what I want,
 I currently have:

$options = array(
	'showUploaded' => true,
	'uploadsDeletable' => true,
	'setMaxFiles' => 9999,
	'setOverwrite' => false,
);

But after the upload the script doesn't show the files I uploaded, nor do I see links to the files opening in a Gallery.
Also I've not managed to upload more than 50 files at once, the rest of the upload seems to just get dropped.

What settings would I have to use to:
- See the images already in the folder
- See the images after uploading with link to open them in a gallery?
- Actually upload 9999 files?

Thanks in advance! 🙂

  • Like 1

Is it possible to receive notifications in the administrative version of ProcessWire when a user uploads a file?

1 hour ago, ildarvasin said:

Is it possible to receive notifications in the administrative version of ProcessWire when a user uploads a file?

No, sorry. You'd have to code that yourself. 

What's your use case?

Welcome to the forums 😄 

  • Like 1

4 hours ago, ildarvasin said:

where the file upload button is processed?

I don't understand the question, I am afraid. Please explain.


I want to do 2 things:
- clear the list of selected files when closing the module window;
- add closing the window, after downloading all the files at once.

But your code is quite difficult to understand at my level and I don’t understand where exactly the button press of the forms is processed.

p.s. I apologize if I do not make myself clear, because I am Russian-speaking.

22 hours ago, ildarvasin said:

I want to do 2 things:
- clear the list of selected files when closing the module window;
- add closing the window, after downloading all the files at once.

This module has no window and does not open any modal. It's still not clear to me how you are using it. I am thinking maybe you are trying to use the module in your own module? Or in the ProcessWire admin? If I could get a bit more information about this and/or a diagram/drawing (or even an animated GIF), that would help.

  • Thanks 1


indeed, you are correct that your module was crammed into a separate block. The previous questions have disappeared.

Can I define my own file formats? You need to download 'doc, docx'. The rest so as not to even offer to saving.
as with mp3, txt



the following options, as I understand it, need to be set.
 


'acceptFileTypes' => 'doc docx',
'allowedImageMimeTypes' => array('application/doc'),
'commonImageExts' => array('doc', 'docx'),

the following options, as I understand it, need to be set. But the save button still appears in such formats as: .xls, .jpg, .png, .zip, .iso, pdf.
if you save the files, then all the allowed formats appear in the folder, but I would like to get rid of the button for unauthorized formats

