This repository has been archived by the owner on Mar 8, 2021. It is now read-only.

Unable to upload images via mcpuk browser #371

Closed
neoneddy opened this issue Nov 12, 2014 · 32 comments

Comments

@neoneddy

I can upload via the file manager so I know it's not a permissions issue. This is present in 1.0.14 and 1.0.15.

I'm on Rackspace Cloud Sites, PHP Version 5.4.10.


Refused to set unsafe header "Content-Length" joiner.php:82
reader.onload joiner.php:82
POST http://hardystephens.com/manager/media/browser/mcpuk/browse.php?type=images&lng=en&act=upload net::ERR_EMPTY_RESPONSE joiner.php:433
XMLHttpRequest.sendAsBinary joiner.php:433
reader.onload joiner.php:95

People familiar with the situation say the JS should not be specifying a content length, the browser should do that. I'm just the messenger here.

@damapic

damapic commented Nov 27, 2014

I got exactly the same problem after updating to 1.0.15.
PHP version 5.5.
Note that I am testing on two computers, both with the latest version of Chrome: on one the uploader works as it should, on the other the uploader simply opens but shows only the folders that exist on the server; it does not see previews, and photos are not uploaded.

@Jako
Contributor

Jako commented Nov 27, 2014

English here please:

(Translated by Google): I have exactly the same problem appeared after updating to 1.0.15.
Php 5.5 version. It should be noted that the check on two computers, both chrome latest version: one loader works as it should, on the second boot just opened but it only displays the available folders on the server does not see the preview, upload photos is not performed.

@Jako
Contributor

Jako commented Nov 27, 2014

@sparkyhd

I also have the same problem after upgrading to 1.0.15


Stuck on 'uploading' but never uploads

What would be very useful is an option to switch on some form of debug tracking to find the cause.

@Pathologic
Contributor

You should clear browser cache to prevent problems after upgrading. @neoneddy, is it possible to reproduce this bug somehow?

@neoneddy
Author

@Pathologic This problem has been persistent across browsers, and even across OS Installs (I did a fresh OS X install during the time my client has been having these issues)

I'm not sure the exact steps to reproduce beyond the environment I described in the issue. I can provide access to the site if that helps. Email me shawn@himmdesign.com if you want.

Thanks for following up on this.

@Pathologic
Contributor

@neoneddy, I've sent e-mail to you.

@mrhaw
Contributor

mrhaw commented Dec 1, 2014

Just a thought. Do you have any htaccess rules restricting the use of domain using www or not?

@neoneddy
Author

neoneddy commented Dec 1, 2014

@mrhaw I actually loaded in a fresh htaccess from the latest install. So it's pretty much stock.
@Pathologic I'm not using any mod_security modules

Being that the other person having issues here http://forums.modx.com/thread/?thread=95047&page=1 is also on Rackspace Cloud Sites, it's probably something there, but it used to work fine before. I'm not sure exactly what's changed in recent versions. I can confirm that MODx Revo uploads work fine on Cloud Sites.

@Pathologic
Contributor

@neoneddy I've solved your problem (excuse me, please, for accessing the manager without your permission).
Rackspace breaks connection when url contains act=upload (as @Jako mentioned in MODX forums). So, I've modified misc.js:

browser.baseGetData = function(act) {
    var data = 'browse.php?type=' + encodeURIComponent(this.type) + '&lng=' + this.lang;
    if (act) {
        // Send the alias 'upld' because the host drops URLs containing act=upload
        if (act == 'upload') act = 'upld';
        data += "&act=" + act;
    }
    if (this.cms)
        data += "&cms=" + this.cms;
    return data;
};

and added one method to manager/media/browser/mcpuk/core/browser.php:

protected function act_upld() {
    return $this->act_upload();
}

@sparkyhd

sparkyhd commented Dec 4, 2014

Thanks Pathologic

There are 2 files browser.php

manager/media/browser/mcpuk/browser.php
manager/media/browser/mcpuk/core/browser.php

Which am I supposed to be adding to? And whereabouts in the file?

@Pathologic
Contributor

@sparkyhd core/browser.php - you can add method after original act_upload for example, it doesn't matter.

@sparkyhd

sparkyhd commented Dec 4, 2014

Thanks

Is it ok to have 2 "act_upload"

@Pathologic
Contributor

You can rename act_upload to act_upld if it seems better for you ;)

@sparkyhd

sparkyhd commented Dec 4, 2014

Thanks Pathologic

I can confirm this is now working on Rackspace Cloudsites.

Will this be going into the core product?

Was Rackspace being too fussy or was Evo being too casual?

@Jako
Contributor

Jako commented Dec 4, 2014

@Pathologic Could you prepare a PR with that, please?

@Jako
Contributor

Jako commented Dec 4, 2014

@sparkyhd Rackspace is a bit too restricted there in my opinion. Disallow parameter value 'upload' and allow parameter 'upld' seems to be a bit strange.

@Pathologic
Contributor

@Jako, I'm against this hack to be in core while there are no standards of variables values 😆 Rackspace, not MODX, should change their paranoid settings.

@neoneddy
Author

neoneddy commented Dec 4, 2014

Rackspace has worked with MODx with issues in Revolution and the cloud sites product. I don't see any major changes being done on their end. Security has been a big deal for them and removing many useful tools we used to have.

Lastly, if a Cloud Sites customer tries to use MODx Evolution and it doesn't work right, they aren't going to blame Rackspace, they'll assume MODx is subpar.

@Jako
Contributor

Jako commented Dec 4, 2014

+1 for neoneddy

@sparkyhd

sparkyhd commented Dec 4, 2014

+2
Let's be pragmatic

@fourroses666
Contributor

I have the same problem.
I don't mind to hack core files for now if that fixes the problem but don't know how.
I can't find misc.js and don't know where to add the protected line.

Would be nice to change this for 1.0.16?

@sparkyhd

/manager/media/browser/mcpuk/js/browser/

@fourroses666
Contributor

there is no misc.js there and adding the protected lines between <?php doesn't work. getting error.

@jorjik

jorjik commented Apr 7, 2015

I tried patching, it didn't help...
And in Dima's "beta version", has this been removed?

@vmoreira

Hello any solution. I try to implement this "bit strange" hack and don't do.
Anyone can provide the file to upload to this hack please.


@Pathologic
Contributor

Sorry, but my hack is not enough. I can implement another uploader to KCFinder, but will it be the solution? If someone came across this issue, please provide information from your hoster, what modsecurity (or naxsi) rules KCFinder violates.

@vmoreira

@Pathologic Thanks your information....
Someone use 1.0.15 ok? I can't implement this version... I have tried sometimes and can't do it :( I still use 1.0.14 but begin to be older...

@vmoreira

I have asked my online service server... and the error is:
[Thu Jun 18 16:32:26 2015] [error] [client 188.37.74.127] ModSecurity: Multipart: Skipping invalid part 7df0d98 (part name missing): (offset 0, length 0) [hostname "www.testing.pt"] [uri "/15/manager/media/browser/mcpuk/browse.php"] [unique_id "VYMq2UIH0J0AADRHMA0AAAAB"]
[Thu Jun 18 16:32:26 2015] [error] [client 188.37.74.127] ModSecurity: Access denied with code 400 (phase 2). Match of "eq 0" against "MULTIPART_STRICT_ERROR" required. [file "/usr/local/apache/conf/modsec2.conf"] [line "39"] [id "200002"] [msg "Multipart request body failed strict validation: PE 0, BQ 0, BW 0, DB 0, DA 0, HF 0, LF 0, SM 0, IQ 0, IP 1, IH 0, FL 0"] [hostname "www.testing.pt"] [uri "/15/manager/media/browser/mcpuk/browse.php"] [unique_id "VYMq2UIH0J0AADRHMA0AAAAB"]

The actual solution:
It looks like this upload script was supplying some incorrect request body data causing a ModSecurity error. We've disabled ModSecurity for the /manager/media/browser/mcpuk/browse.php...

After that all is OK but is necessary to ask to change ModSecurity every site I have to install or upgrade... Not functional but it's the solution.
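
Added example (not part of the thread, and not KCFinder or ModSecurity code): decoding the strict-validation flags in the log above and spotting a multipart part without a name, the condition the first log line reports. The flag names follow ModSecurity's recommended configuration for this rule; the sample body, the boundary `XyZ` and the function names are constructed for illustration.

```javascript
// Added example. Abbreviation -> variable, in the order the recommended
// ModSecurity rule for MULTIPART_STRICT_ERROR prints them in its msg.
const STRICT_FLAGS = {
  PE: 'REQBODY_PROCESSOR_ERROR', BQ: 'MULTIPART_BOUNDARY_QUOTED',
  BW: 'MULTIPART_BOUNDARY_WHITESPACE', DB: 'MULTIPART_DATA_BEFORE',
  DA: 'MULTIPART_DATA_AFTER', HF: 'MULTIPART_HEADER_FOLDING',
  LF: 'MULTIPART_LF_LINE', SM: 'MULTIPART_MISSING_SEMICOLON',
  IQ: 'MULTIPART_INVALID_QUOTING', IP: 'MULTIPART_INVALID_PART',
  IH: 'MULTIPART_INVALID_HEADER_FOLDING', FL: 'MULTIPART_FILE_LIMIT_EXCEEDED',
};

// Names of every flag that is non-zero in a rule 200002 log line.
function decodeStrictFlags(logLine) {
  const m = /failed strict validation: ([^"\]]+)/.exec(logLine);
  if (!m) return [];
  return m[1].split(',')
    .map((pair) => pair.trim().split(/\s+/))
    .filter(([abbr, value]) => STRICT_FLAGS[abbr] && Number(value) !== 0)
    .map(([abbr]) => STRICT_FLAGS[abbr]);
}

// Simplified stand-in for the "part name missing" check (not ModSecurity's
// parser): zero-based indexes of parts lacking Content-Disposition name="...".
function findNamelessParts(body, boundary) {
  const bad = [];
  body.split('--' + boundary).slice(1).forEach((part, i) => {
    if (part.startsWith('--')) return; // closing delimiter
    const headers = part.split('\r\n\r\n')[0];
    const cd = /^content-disposition:(.*)$/im.exec(headers);
    if (!cd || !/;\s*name="[^"]*"/i.test(cd[1])) bad.push(i);
  });
  return bad;
}

// Constructed samples: the msg field from the log above, and a two-part
// body whose second part carries filename= but no name=.
const SAMPLE_LOG = '[msg "Multipart request body failed strict validation: ' +
  'PE 0, BQ 0, BW 0, DB 0, DA 0, HF 0, LF 0, SM 0, IQ 0, IP 1, IH 0, FL 0"]';
const SAMPLE_BODY = [
  '--XyZ', 'Content-Disposition: form-data; name="dir"', '', 'images',
  '--XyZ', 'Content-Disposition: form-data; filename="a.png"',
  'Content-Type: image/png', '', 'PNGDATA', '--XyZ--', '',
].join('\r\n');

console.log(decodeStrictFlags(SAMPLE_LOG), findNamelessParts(SAMPLE_BODY, 'XyZ'));
```

Running the same check on a request body captured from the browser's network panel shows which part the uploader builds without a name.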

@Pathologic
Contributor

@vmoreira so, probably it would be easier to change uploader, as I understand nothing from your error log 😸

@FrancisBoudreau

@Pathologic
I have the same problem but with A2 Hosting, evo 1.0.15.
I get this error and your hack does not work for me, it gives me the same error but replace upload by upld:

Error message I'm getting.
&act=upload 401 (Unauthorized)

thanks for the help.

@rocaoliveira

Hi, have version Evo 1.5 in Rackspace Cloud but CKfinder same problem any solution? I try rack but no work

@Dmi3yy Dmi3yy closed this as completed Dec 8, 2016