#33284 – Failed upload of attachments in ATS

Posted in ‘Akeeba Ticket System’
Sunday, 21 June 2020 01:35 CDT
yvesfb

Hi,

 

I have a problem uploading documents in ATS. I can upload the image ones, but not the other types (like pdf, docx, zip...).

The list of allowed extensions which is displayed on the front-end page of a ticket correctly lists all the extensions indicated in Media manager (for instance including docx, zip, pdf).

I can only upload some pdf and zip files if I modify the Mime configuration by switching off the button "check mime extension" in the options of the Media manager and also by adding "zip" and "pdf" in the "legal image extensions" of mime. I don't think it is the correct place I should add these extensions, especially as the list of the allowed extensions displayed on the front-end is the "Legal extensions (file types)".

How can I get the ATS upload system to use the "Legal extensions (file types)"?

In the "Legal extensions (file types)" I have: bmp,csv,doc,gif,ico,jpg,jpeg,odg,odp,ods,odt,pdf,png,ppt,swf,txt,xcf,xls,BMP,CSV,DOC,GIF,ICO,JPG,JPEG,ODG,ODP,ODS,ODT,PDF,PNG,PPT,SWF,TXT,XCF,XLS,xlsx,XLSX,pptx,PPTX,zip,docx,DOCX
(This list is working fine for applications other than ATS, to upload docx documents for instance.)

And in the "legal image extensions" I have: bmp,gif,jpg,png,zip,pdf
(as I have been obliged to add zip and pdf)

Regards

yves

Custom Fields

  • Joomla! version (in x.y.z format): 3.9.19
  • PHP version (in x.y.z format): 7.2.31
  • Akeeba Ticket System version (x.y.z format): 3.4.1
 
Monday, 22 June 2020 00:55 CDT
nicholas

What you did is correct and there is no bug in ATS. In fact, that's how Joomla works.

Akeeba Ticket System, like every other reasonably written Joomla extension, does NOT implement its own files upload. Instead, it goes through Joomla. Joomla controls what can be uploaded by looking at the Options of the Media Manager. I know it sounds insane but that's what it is... You need to change both the Legal extensions (file types) AND the allowed MIME type options for the uploads to work.

Do NOT touch the Legal image extensions! This option is currently inert in Joomla 3 but it has a meaning in Joomla 4: it controls which files will be displayed inline in the Media Manager page. You do NOT want to add ZIP and, worse, Office files there – it will cause all sorts of trouble for you when you upgrade to Joomla 4.

Moreover, please bear in mind that Joomla performs upload prefiltering using the code that was formerly part of Admin Tools' UploadShield. This may prevent the upload of certain files despite having a legal extension and MIME type, depending on their contents. If you want to disable this behavior you need to go to ATS' Options, Common and set Allow Unsafe Uploads to Yes. Please note that your uploads are still subject to file extension and MIME type checks; it's only their contents that won't be scanned by Joomla's UploadShield implementation.



Nicholas K. Dionysopoulos

Lead Developer and Director



🇬🇷Greek: native

🇬🇧English: excellent

🇫🇷French: basic



Please keep in mind my timezone and cultural differences when reading my replies. Thank you!



Monday, 22 June 2020 01:22 CDT
yvesfb

Thanks Nicholas for your feedback.

But I still need some clarification about your answer. Based on your remarks, I removed the zip and the pdf extensions from the "Legal extensions (file types)".

Therefore, only image files will be allowed (and users won't be able to attach zip files in their ticket).

So, if I want the users (other than Managers) to be able to upload attachments, should I set the option of Media manager "Restrict Uploads" to No? If it is the case, then what could be the dangers?

Or is it then better to do that in the ATS' options as you indicated?

Regards

yves

 
Monday, 22 June 2020 03:48 CDT
nicholas

I think you misunderstood me :) I understand that you want to allow people filing tickets to upload the following types of files: PDF, ZIP, CSV, DOC, DOCX, XLS, XLSX, PPT, PPTX, ODG, ODP, ODS and ODT.

Go to Content, Media, Options.

In the “Legal extensions (file types)” make sure the following extensions are listed in addition to the image files: pdf,PDF,zip,ZIP,csv,CSV,doc,DOC,docx,DOCX,xls,XLS,xlsx,XLSX,ppt,PPT,pptx,PPTX,odg,ODG,odp,ODP,ods,ODS,odt,ODT

Since you do not want to check the MIME types of these files, set the “” to: pdf,PDF,zip,ZIP,csv,CSV,doc,DOC,docx,DOCX,xls,XLS,xlsx,XLSX,ppt,PPT,pptx,PPTX,odg,ODG,odp,ODP,ods,ODS,odt,ODT

” must always be enabled on this page for security reasons. This is a safety switch. If something breaks in your PHP installation then and only then will Joomla prevent users below manager from uploading any file that's not an image type. This is not something that applies to your site at the moment. It's there to prevent a security issue if something breaks in your PHP installation.






Monday, 22 June 2020 04:39 CDT
yvesfb

Hi,

Yes, I want people to be able to upload some attachments like zip, pdf, xlsx.

I tried the way you indicated in your last ticket, but it doesn't work. It even simply indicates that my message has been recorded/posted, but without any error message, and none of the test attachments I included have been uploaded.

Enclosed is the print screen of the Media-manager options.

Is there the need to switch off an option like "Check Mime Types"?

 
Monday, 22 June 2020 06:35 CDT
nicholas

First of all, let me tell you two things.

1. Attachments do work. We use ATS on our own site and we rely on attachments to provide support. Posting images is actually quite rare. Most of our clients post Akeeba Backup log files in ZIP files.

2. File upload is handled by PHP and Joomla, not Akeeba Ticket System. Once Joomla has the temporary upload in place we simply copy it to the attachments storage. If PHP or Joomla decided that for whatever reason your file cannot be uploaded we have no idea that you even tried an upload, let alone if there was an error or what the error message was. That's why you do not see any kind of feedback about failed uploads.

The attachment area in ATS shows you the maximum allowed size per your server settings and the allowed extensions per your Media Manager configuration. View this ticket on our site and look at the bottom of the reply area. You will see that it reads:

Maximum allowed size for attachments: 10 MB Allowed extensions: bmp, csv, doc, gif, ico, jpg, jpeg, odg, odp, ods, odt, pdf, png, ppt, txt, xcf, xls, zip, 7z, rar, json

Now go back to your site and look at the same area.

Are you uploading a file that's bigger than the size specified here? If you did, you need to increase your PHP maximum upload size and possibly your PHP maximum POST size. If you are not sure how to do that please ask your host. There is no universal answer to that since PHP configuration modification is an intrinsically server-specific operation.

When you entered the file extensions did you use both the lowercase and uppercase variants of each one? If not, please do so now. Also double check that your filename matches the extension case. The extensions pdf, PDF, Pdf and pDf are all four different extensions as far as Joomla is concerned.

You told me that you had turned “Check MIME Types“ off. If this is not the case you will need to also modify the “Legal MIME Types” with the MIME types of all extensions you want to support. You can find a reference for common MIME types at https://developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP/MIME_types/Common_types

Assuming that you want to allow PDF, ZIP, CSV, DOC, DOCX, XLS, XLSX, PPT, PPTX, ODG, ODP, ODS and ODT files the following MIME types need to be present in that comma-separated list:

  • application/pdf
  • application/zip
  • text/csv
  • application/msword
  • application/vnd.openxmlformats-officedocument.wordprocessingml.document
  • application/vnd.ms-excel
  • application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
  • application/vnd.ms-powerpoint
  • application/vnd.openxmlformats-officedocument.presentationml.presentation
  • application/vnd.oasis.opendocument.graphics
  • application/vnd.oasis.opendocument.presentation
  • application/vnd.oasis.opendocument.spreadsheet
  • application/vnd.oasis.opendocument.text

You will see that Joomla has some of these but not all, especially not those MIME types used by Microsoft Office 2006 or later (for the file types with an X in their extension), OpenOffice / LibreOffice files and PDFs.

Furthermore, bear in mind that Microsoft Office 2007 and later uses a different file extension depending on whether your file includes macros or not. An Excel spreadsheet with macros has the file extension XLSM. If it doesn't have macros it has the extension XLSX. I strongly recommend AGAINST allowing DOCM, XLSM and PPTM files to be uploaded to your server. Macro-enabled Office documents are the most common source of malware intrusion.



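The checks described in the reply above (case-sensitive extension entries, one MIME type per extension when "Check MIME Types" is on, and no macro-enabled Office extensions) can be audited offline before touching the site. This is an added example, not code from Joomla or Akeeba Ticket System: the function names and sample option strings are constructed, and it models the behaviour as described in this thread, not Joomla's actual implementation.

```python
# Added example: audit Media Manager option strings against the checks described in the thread.
# Extension -> MIME type, taken from the list in the reply above.
MIME_FOR_EXT = {
    "pdf": "application/pdf",
    "zip": "application/zip",
    "csv": "text/csv",
    "doc": "application/msword",
    "docx": "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
    "xls": "application/vnd.ms-excel",
    "xlsx": "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",
    "ppt": "application/vnd.ms-powerpoint",
    "pptx": "application/vnd.openxmlformats-officedocument.presentationml.presentation",
    "odg": "application/vnd.oasis.opendocument.graphics",
    "odp": "application/vnd.oasis.opendocument.presentation",
    "ods": "application/vnd.oasis.opendocument.spreadsheet",
    "odt": "application/vnd.oasis.opendocument.text",
}
MACRO_EXTS = {"docm", "xlsm", "pptm"}  # the reply recommends against allowing these

# Constructed sample option values (not from a real site).
SAMPLE_EXTS = "bmp,gif,jpg,png,pdf,zip,ZIP,xlsm"
SAMPLE_MIMES = "image/jpeg,image/png,application/zip"

def split_option(value):
    """Split a comma-separated option string, keeping the case as entered."""
    return [item.strip() for item in value.split(",") if item.strip()]

def extension_allowed(filename, legal_exts):
    """Case-sensitive match, as the reply describes: pdf and PDF are different entries."""
    ext = filename.rsplit(".", 1)[-1] if "." in filename else ""
    return ext in split_option(legal_exts)

def audit(legal_exts, legal_mimes, check_mime, wanted):
    """Return findings for the wanted extensions and for risky entries already allowed."""
    exts = set(split_option(legal_exts))
    mimes = set(split_option(legal_mimes))
    findings = []
    for ext in wanted:
        for variant in (ext.lower(), ext.upper()):
            if variant not in exts:
                findings.append(f"missing extension variant: {variant}")
        mime = MIME_FOR_EXT.get(ext.lower())
        if check_mime and mime and mime not in mimes:
            findings.append(f"missing MIME type for {ext.lower()}: {mime}")
    for ext in sorted(exts):
        if ext.lower() in MACRO_EXTS:
            findings.append(f"macro-enabled extension allowed: {ext}")
    return findings
```

Calling `audit(SAMPLE_EXTS, SAMPLE_MIMES, True, ["pdf", "zip"])` reports the missing `PDF` variant, the missing `application/pdf` MIME type and the allowed `xlsm` entry.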



Monday, 22 June 2020 06:56 CDT
yvesfb

Thank you Nicholas,

 

Now on top of my previous changes (to set up the ignored extensions in addition to the "Legal Extensions (File Types)" which were already defined), I switched off the “Check MIME Types“ and it is working. :-)

I effectively enabled only the pdf and the zip files to be uploaded (and removed the other Office type apps).

Thanks for your explanation and patience.

:-)

yves

 
Monday, 22 June 2020 08:16 CDT
nicholas

No problem :) I understand this is a confusing topic since Joomla needs to apply all sorts of filtering and cross filtering and additional checks on top of a bunch of checks when a file is being uploaded. Even for those of us who wrote parts of the code it's a real headache to remember every little detail.

Have a great day!





