 FCKEditor File uploads -- seems to reset itself
By: mlapl1 (offline)  Apr 02 2011 17:53 pm (Read 1226 times)  

Hello

a strange thing.

This morning I enabled the upload of image files by editing config.php in the connector area of FCKeditor. All seemed to be going well until this afternoon, admittedly from a different computer, I was told that the connector was disabled. I checked but the upload was still turned on in the config.php file.

Any hints?

Thanks
Andrew

By: mlapl1 (offline)  Apr 02 2011 18:20 pm  

As a followup - I have identified things more clearly. It appears that I am not allowed to Browse the server rather than upload - upload seems ok but not the browse - I will now go and look again.

Andrew

By: Mark (offline)  Apr 02 2011 20:25 pm  

You really shouldn't enable uploads in the FCKeditor configuration. What that does is open a security hole where anyone can use it to upload files to your site (without going through glFusion).

Out of the box, glFusion allows you to upload files / images / etc. through the FCKeditor, but it does it with some protections to ensure you are actually logged into the site and editing something. If you look at the code:

PHP Formatted Code

$Config['Enabled'] = false;

$cookiename = $_CONF['cookie_name'].'fckeditor';
if ( isset($_COOKIE[$cookiename]) ) {
    $token = $_COOKIE[$cookiename];
} else {
    $token = '';
}

if (SEC_checkTokenGeneral($token,'advancededitor')  && !COM_isAnonUser()) {
    $Config['Enabled'] = true;
} else {
    $Config['Enabled'] = false;
}
 


What this does is disable the connector, but then it checks to see if a special token cookie is set; if it is, then it will enable the connector. This prevents anyone from exploiting the file upload feature.

I'm wondering if you had a problem uploading items (didn't work?) so you tried to enable the connector?

Thanks!

Mark

By: mlapl1 (offline)  Apr 03 2011 10:45 am  

Well.... that's interesting.

This is a site I have been using for some time and upgraded several times...

Anyway, I was logged in as admin - and the only thing I was trying to upload were images. A number of times, it told me that I needed to modify the connector at ../fckeditor/editor/filemanager/connectors/php/config.php in order to upload (and I swear I had already enabled the connector previously - but knowing how distracted I get, it could have been on another site although I do not think so).

Apart from difficulties with uploading from my PC, it also did not allow me to browse the server until I hacked the path of where the files were meant to be saved, as in the following (the uncommented line indicates the change I made - found somewhere with Google). Clearly I had the wrong path in config.php in addition to the connector problem, but the diagnostic message was not very clear about this.

Anyway, changing the path as indicated below allowed me to browse the required directory.

PHP Formatted Code
// $Config['QuickUploadPath']['Image']          = $Config['UserFilesPath'] . 'Image/';
$Config['QuickUploadPath']['Image'] = $Config['FileTypesPath']['Image'] ;


// $Config['QuickUploadAbsolutePath']['Image']= ($Config['UserFilesAbsolutePath'] == '') ? '' : $Config['UserFilesAbsolutePath'].'Image/' ;
$Config['QuickUploadAbsolutePath']['Image'] = $Config['FileTypesAbsolutePath']['Image'] ;



I am intrigued that, from what you say, glFusion knows how to deal with the issue. I wonder why it does not work even though I was logged in as the main admin. Would it have anything to do with my browser settings?

So... should I now disable the connector and look for a different solution? Obviously, I do not need such a big security hole.

Thanks a lot
Andrew


By: mlapl1 (offline)  Apr 03 2011 10:57 am  

Well...

I disabled $Config['Enabled'] as follows:

PHP Formatted Code
$Config['Enabled'] = false;



and everything still seems to be working. This contradicts my previous experience and I wonder if glFusion is looking at cached information. I guess I will keep trying and see what happens. Maybe fixing the path fixed all the problems - but that is not the message I was getting for the failed uploads. FCKeditor specifically claimed that the connector was not enabled.

I will report back if anything new turns up - I will now go and clean the cache/system etc.

Thanks a lot
Andrew

By: mlapl1 (offline)  Apr 03 2011 11:32 am  

I wonder if there might not be some other explanation for this problem.

I am not very fast with my editing and the site I use seems to time me out quite quickly - a matter of minutes, not hours - and irregularly at that. This timeout often happens when I am in the middle of editing. However, when it does happen, the system does not flag the change of status. I can still do the editing, oblivious to the timeout, and the problem appears only when I try to save. The system then forces me to log in again. When that happens, it also often does not save the work that I have been doing, which, of course, is frustrating (as there is no "Save & Continue" facility I tend to fix a whole page or story until I do the final save).

Could the timeout explain the lack of connectivity? I guess that if the token disappears because of the timeout then so does the permission to connect.

Does that make any sense?

Cheers
Andrew

By: Mark (offline)  Apr 04 2011 07:21 am  

The token that allows the connector to work when editing an item does have a 20-minute life, so if it takes longer than 20 minutes to edit, the token will time out. The quick fix is to preview the story every 15 minutes or so; this will reset the token. The long-term solution is something we'll work on for the next major release - something that will keep the token alive the whole time.

Thanks!
Mark
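
Added example, not part of the thread and not glFusion's code: a minimal model of the gate described in this thread (connector off by default, switched on only by a valid short-lived token for a logged-in user) and of what happens when that token passes its 20-minute life. The functions issueEditorToken() and connectorEnabled(), the token format, the key and the idea that a preview reissues the token are assumptions made for illustration.

```php
<?php
// Added illustration, not glFusion code. issueEditorToken() and
// connectorEnabled() are hypothetical stand-ins for the token the CMS sets
// when an edit form is opened and for the check in the connector's config.php.
const TOKEN_TTL  = 1200;                    // 20 minutes, the lifetime stated in the thread
const SERVER_KEY = 'constructed-demo-key';  // constructed value for this demo only

// Assumed token format: "<uid>.<expiry>.<hmac-sha256 of uid.expiry>".
function issueEditorToken(int $uid, int $now): string
{
    $body = $uid . '.' . ($now + TOKEN_TTL);
    return $body . '.' . hash_hmac('sha256', $body, SERVER_KEY);
}

// Fail closed: the connector is enabled only for a well-formed, correctly
// signed, unexpired token that belongs to the logged-in (non-anonymous) user.
function connectorEnabled(string $token, int $sessionUid, int $now): bool
{
    $parts = explode('.', $token);
    if ($sessionUid <= 0 || count($parts) !== 3) {
        return false;                       // anonymous visitor, or missing/malformed cookie
    }
    [$uid, $expiry, $mac] = $parts;
    if (!ctype_digit($uid) || !ctype_digit($expiry)) {
        return false;
    }
    $expected = hash_hmac('sha256', $uid . '.' . $expiry, SERVER_KEY);
    if (!hash_equals($expected, $mac)) {
        return false;                       // forged or altered token
    }
    return (int) $uid === $sessionUid && (int) $expiry > $now;
}

$t0    = 1301760000;                        // constructed timestamp: edit form opened
$token = issueEditorToken(2, $t0);          // uid 2 is a constructed logged-in user
$fresh = issueEditorToken(2, $t0 + 900);    // preview at 15 minutes (assumed to reissue)

$cases = [
    '10 min into the edit'            => [$token, 2, $t0 + 600],
    '25 min, original token'          => [$token, 2, $t0 + 1500],
    '25 min, after preview at 15 min' => [$fresh, 2, $t0 + 1500],
    'no cookie sent'                  => ['', 2, $t0 + 600],
    'valid token, anonymous visitor'  => [$token, 0, $t0 + 600],
];
foreach ($cases as $label => [$tok, $uid, $now]) {
    printf("%-33s %s\n", $label, connectorEnabled($tok, $uid, $now) ? 'enabled' : 'disabled');
}
```

The "25 min, original token" case corresponds to the symptom in this thread: the connector reports itself disabled even though `config.php` has not changed.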

By: mlapl1 (offline)  Apr 04 2011 07:41 am  

Thanks Mark

Sounds like that could be the problem. It is quite possible that the token expires. A possible additional problem, though, is that the login session also expires at apparently irregular intervals. I know there is a way of changing the timeout by hacking a file (I have the hack somewhere) but the settings in the config area of glFusion are not enough.

Thanks as ever
Andrew
