FriendsOfFlarum upload, the intelligent file attachment extension

IanM

clarkwinkelmann thanks for bringing this update!

Looks like a small error in the console in /admin after the extension is enabled

Uncaught TypeError: Cannot read property 'settings' of undefined

clarkwinkelmann

Littlegolden It didn't said flagrow/upload has been removed

It looks like fof/upload was already installed when you ran that command (says updating).

You can check whether flagrow/upload is still installed with composer show flagrow/upload. If it says "not found", all is good. If it shows the package version, you can remove it with composer remove flagrow/upload.

IanM Looks like a small error in the console in /admin after the extension is enabled

Can you share the output of php flarum info ? I can't think of what is wrong, the only line that could cause this would be app.data.settings in UploadPage. Maybe it's a conflict with another extension. Did you previously used Flagrow Upload ? (because the logic hasn't changed I think).

Littlegolden

clarkwinkelmann Composer should let you know that flagrow/upload has been automatically removed.

It didn't said flagrow/upload has been removed.

mistle

When I want to download an uploaded php file I get a error 500. Probably because of security measures. Is there a way to allow php files download? My board is for php code and non public.

clarkwinkelmann

mistle can you find the full error message ? Check your Flarum logs or PHP logs. Maybe it's just an incorrect mime type.

You also need to make extra sure PHP code can't run where those files are uploaded. The extension won't take care of that. Amazon S3 and other clouds should be safe out of the box.

mistle

{"errors":[{"status":"500","code":"unknown"}]}

[2020-02-10 17:03:25] production.ERROR: FoF\Upload\Exceptions\InvalidDownloadException: Server error: `GET http://flarum.local/assets/files/2020-02-10/1581354201-522173-oxerpgetorderarticle.php` resulted in a `500 Internal Server Error` response in /var/www/html/flarum/vendor/fof/upload/src/Downloader/DefaultDownloader.php:49
Stack trace:
#0 /var/www/html/flarum/vendor/fof/upload/src/Commands/DownloadHandler.php(82): FoF\Upload\Downloader\DefaultDownloader->download(Object(FoF\Upload\File), Object(FoF\Upload\Commands\Download))
#1 /var/www/html/flarum/vendor/illuminate/bus/Dispatcher.php(90): FoF\Upload\Commands\DownloadHandler->handle(Object(FoF\Upload\Commands\Download))
#2 /var/www/html/flarum/vendor/illuminate/pipeline/Pipeline.php(128): Illuminate\Bus\Dispatcher->Illuminate\Bus\{closure}(Object(FoF\Upload\Commands\Download))
#3 /var/www/html/flarum/vendor/illuminate/pipeline/Pipeline.php(104): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}(Object(FoF\Upload\Commands\Download))
#4 /var/www/html/flarum/vendor/illuminate/bus/Dispatcher.php(98): Illuminate\Pipeline\Pipeline->then(Object(Closure))
#5 /var/www/html/flarum/vendor/illuminate/bus/Dispatcher.php(76): Illuminate\Bus\Dispatcher->dispatchNow(Object(FoF\Upload\Commands\Download))
#6 /var/www/html/flarum/vendor/fof/upload/src/Api/Controllers/DownloadController.php(64): Illuminate\Bus\Dispatcher->dispatch(Object(FoF\Upload\Commands\Download))
#7 /var/www/html/flarum/vendor/flarum/core/src/Http/RouteHandlerFactory.php(38): FoF\Upload\Api\Controllers\DownloadController->handle(Object(Zend\Diactoros\ServerRequest))
#8 /var/www/html/flarum/vendor/flarum/core/src/Http/Middleware/DispatchRoute.php(65): Flarum\Http\RouteHandlerFactory->Flarum\Http\{closure}(Object(Zend\Diactoros\ServerRequest), Array)
#9 /var/www/html/flarum/vendor/zendframework/zend-stratigility/src/Next.php(60): Flarum\Http\Middleware\DispatchRoute->process(Object(Zend\Diactoros\ServerRequest), Object(Closure))
#10 /var/www/html/flarum/vendor/flarum/core/src/Http/Middleware/SetLocale.php(50): Zend\Stratigility\Next->handle(Object(Zend\Diactoros\ServerRequest))
#11 /var/www/html/flarum/vendor/zendframework/zend-stratigility/src/Next.php(60): Flarum\Http\Middleware\SetLocale->process(Object(Zend\Diactoros\ServerRequest), Object(Zend\Stratigility\Next))
#12 /var/www/html/flarum/vendor/flarum/core/src/Http/Middleware/CheckCsrfToken.php(23): Zend\Stratigility\Next->handle(Object(Zend\Diactoros\ServerRequest))
#13 /var/www/html/flarum/vendor/zendframework/zend-stratigility/src/Next.php(60): Flarum\Http\Middleware\CheckCsrfToken->process(Object(Zend\Diactoros\ServerRequest), Object(Zend\Stratigility\Next))
#14 /var/www/html/flarum/vendor/flarum/core/src/Http/Middleware/AuthenticateWithHeader.php(55): Zend\Stratigility\Next->handle(Object(Zend\Diactoros\ServerRequest))
#15 /var/www/html/flarum/vendor/zendframework/zend-stratigility/src/Next.php(60): Flarum\Http\Middleware\AuthenticateWithHeader->process(Object(Zend\Diactoros\ServerRequest), Object(Zend\Stratigility\Next))
#16 /var/www/html/flarum/vendor/flarum/core/src/Http/Middleware/AuthenticateWithSession.php(32): Zend\Stratigility\Next->handle(Object(Zend\Diactoros\ServerRequest))
#17 /var/www/html/flarum/vendor/zendframework/zend-stratigility/src/Next.php(60): Flarum\Http\Middleware\AuthenticateWithSession->process(Object(Zend\Diactoros\ServerRequest), Object(Zend\Stratigility\Next))
#18 /var/www/html/flarum/vendor/flarum/core/src/Http/Middleware/RememberFromCookie.php(51): Zend\Stratigility\Next->handle(Object(Zend\Diactoros\ServerRequest))
#19 /var/www/html/flarum/vendor/zendframework/zend-stratigility/src/Next.php(60): Flarum\Http\Middleware\RememberFromCookie->process(Object(Zend\Diactoros\ServerRequest), Object(Zend\Stratigility\Next))
#20 /var/www/html/flarum/vendor/flarum/core/src/Http/Middleware/StartSession.php(61): Zend\Stratigility\Next->handle(Object(Zend\Diactoros\ServerRequest))
#21 /var/www/html/flarum/vendor/zendframework/zend-stratigility/src/Next.php(60): Flarum\Http\Middleware\StartSession->process(Object(Zend\Diactoros\ServerRequest), Object(Zend\Stratigility\Next))
#22 /var/www/html/flarum/vendor/flarum/core/src/Api/Middleware/FakeHttpMethods.php(29): Zend\Stratigility\Next->handle(Object(Zend\Diactoros\ServerRequest))
#23 /var/www/html/flarum/vendor/zendframework/zend-stratigility/src/Next.php(60): Flarum\Api\Middleware\FakeHttpMethods->process(Object(Zend\Diactoros\ServerRequest), Object(Zend\Stratigility\Next))
#24 /var/www/html/flarum/vendor/flarum/core/src/Http/Middleware/ParseJsonBody.php(28): Zend\Stratigility\Next->handle(Object(Zend\Diactoros\ServerRequest))
#25 /var/www/html/flarum/vendor/zendframework/zend-stratigility/src/Next.php(60): Flarum\Http\Middleware\ParseJsonBody->process(Object(Zend\Diactoros\ServerRequest), Object(Zend\Stratigility\Next))
#26 /var/www/html/flarum/vendor/flarum/core/src/Http/Middleware/HandleErrors.php(57): Zend\Stratigility\Next->handle(Object(Zend\Diactoros\ServerRequest))
#27 /var/www/html/flarum/vendor/zendframework/zend-stratigility/src/Next.php(60): Flarum\Http\Middleware\HandleErrors->process(Object(Zend\Diactoros\ServerRequest), Object(Zend\Stratigility\Next))
#28 /var/www/html/flarum/vendor/zendframework/zend-stratigility/src/MiddlewarePipe.php(83): Zend\Stratigility\Next->handle(Object(Zend\Diactoros\ServerRequest))
#29 /var/www/html/flarum/vendor/middlewares/request-handler/src/RequestHandler.php(84): Zend\Stratigility\MiddlewarePipe->process(Object(Zend\Diactoros\ServerRequest), Object(Zend\Stratigility\Next))
#30 /var/www/html/flarum/vendor/zendframework/zend-stratigility/src/Next.php(60): Middlewares\RequestHandler->process(Object(Zend\Diactoros\ServerRequest), Object(Zend\Stratigility\Next))
#31 /var/www/html/flarum/vendor/middlewares/base-path-router/src/BasePathRouter.php(97): Zend\Stratigility\Next->handle(Object(Zend\Diactoros\ServerRequest))
#32 /var/www/html/flarum/vendor/zendframework/zend-stratigility/src/Next.php(60): Middlewares\BasePathRouter->process(Object(Zend\Diactoros\ServerRequest), Object(Zend\Stratigility\Next))
#33 /var/www/html/flarum/vendor/zendframework/zend-stratigility/src/Middleware/OriginalMessages.php(41): Zend\Stratigility\Next->handle(Object(Zend\Diactoros\ServerRequest))
#34 /var/www/html/flarum/vendor/zendframework/zend-stratigility/src/Next.php(60): Zend\Stratigility\Middleware\OriginalMessages->process(Object(Zend\Diactoros\ServerRequest), Object(Zend\Stratigility\Next))
#35 /var/www/html/flarum/vendor/middlewares/base-path/src/BasePath.php(53): Zend\Stratigility\Next->handle(Object(Zend\Diactoros\ServerRequest))
#36 /var/www/html/flarum/vendor/zendframework/zend-stratigility/src/Next.php(60): Middlewares\BasePath->process(Object(Zend\Diactoros\ServerRequest), Object(Zend\Stratigility\Next))
#37 /var/www/html/flarum/vendor/zendframework/zend-stratigility/src/MiddlewarePipe.php(83): Zend\Stratigility\Next->handle(Object(Zend\Diactoros\ServerRequest))
#38 /var/www/html/flarum/vendor/zendframework/zend-stratigility/src/MiddlewarePipe.php(72): Zend\Stratigility\MiddlewarePipe->process(Object(Zend\Diactoros\ServerRequest), Object(Zend\Stratigility\EmptyPipelineHandler))
#39 /var/www/html/flarum/vendor/zendframework/zend-httphandlerrunner/src/RequestHandlerRunner.php(95): Zend\Stratigility\MiddlewarePipe->handle(Object(Zend\Diactoros\ServerRequest))
#40 /var/www/html/flarum/vendor/flarum/core/src/Http/Server.php(44): Zend\HttpHandlerRunner\RequestHandlerRunner->run()
#41 /var/www/html/flarum/public/index.php(22): Flarum\Http\Server->listen()
#42 {main}

clarkwinkelmann

mistle it seems like your server attempts to run the uploaded PHP files, and it's those files that are throwing an error.

When a file is downloaded in Upload, an internal GET request is made from the download endpoint to the actual resource, which is then proxied to the user for download.

Your log file indicates that while trying to perform that internal GET request, the target file returned a 500 error (which is itself probably logged into the server php or apache logs), indicating that the PHP code in it was most likely executed by your server.

You'll need to disable PHP execution in the assets directory, or use a cloud storage.

mistle

clarkwinkelmann Thank you for your help. I will try to change the permissions for uploaded files.

EDIT: Removing the execution permission does not solve the problem.
EDIT2: .htaccess in public/assets/files with "php_flag engine off" solves the issue.

Littlegolden

Where can we see the Download records.

clarkwinkelmann

Littlegolden Where can we see the Download records.

They are only recorded but not shown at this time. You can see the raw data in the fof_upload_downloads table in the database.

Nimren

How to see how many times a file has been downloaded?

tankerkiller125

Nimren As was noted in the post above yours the only way to see this data is by running an SQL query on the fof_uploads_downloads table in your database. There is currently no UI for this.

hamedkouhfallah

but after upload a zip file and then try to down load I got this error:

{"errors":[{"status":"404","code":"not_found"}]}

this is the url:

https://forum.voipiran.io/api/flagrow/download/649b92dd-5065-4321-87ee-9405910fa9c7/1982/GAFoxvAOX9APrNLFe56xrXFU5mcqYJLDkUPKaesy

matteocontrini

hamedkouhfallah try to disable hotlinking protection (or something like that) in the extension settings

clarkwinkelmann

hamedkouhfallah it looks like you are still using the Flagrow version. Are you able to update to the new FriendsOfFlarum version ? See instructions in the first post under "update from flagrow".

If you already are under the FriendsOfFlarum, try clearing your cache so that the new download endpoint gets used.

hamedkouhfallah

matteocontrini
thank you, I disabled hot link protection but stiil got:

{"errors":[{"status":"404","code":"not_found"}]}

hamedkouhfallah

clarkwinkelmann
I updated the extension, Now it is working. Thanks

[deleted]

Recently I started using this useful extension, but even hotlinking is disabled I can access uploaded images using direct link/full file path. What can I do to prevent this?

clarkwinkelmann

[deleted] I can access uploaded images using direct link/full file path

If you use a template other than "with preview", the full path will not be revealed to the user.

If you want to protect the files in assets from hotlinking, you'll need some additional config in your webserver. This extension doesn't take care of it. Only the "download" API endpoint is protected from hotlinking.

NorioDS

@clarkwinkelmann

New version is working well so far. The uploading indicactor is definitely a welcomed feature 🙂 Thanks!

I'm posting here as a heads-up: There's an issue with the CDN prefixing. I commented on this PR here:
FriendsOfFlarum/upload184

I'm pretty sure that the PR will fix the CDN issue but it's being held up by a code-style issue. (One that doesn't seem to make sense considering the way the array helper (Arr::get) works. More info on the PR comments.)

An extra reason why this is important is because Amazon's SSL certificate for *.s3.amazonaws.com is not working. Which means that the way that the Upload extension constructs the URL, results in images not loading. (Browser blocks them because they're not secure. This is if you're hosting your forum on HTTPS)

One workaround to this issue is to use the CDN prefix setting, because then the URLs can be written to use this syntax:
https://s3.amazonaws.com/bucket-name/path-to-file

Instead of:
https://bucket-name.s3.amazonaws.com/path-to-file

I'm hoping that PR can be merged because it fixes both issues at once. Thanks for reading!

DursunCan

How do I set upload of files like ".cfg .txt .ini .games .inc .sp .smx .so .dll"?

« Previous Page Next Page »