Multiple file upload method gives "Security Error" Multiple file upload method gives "Security Error"
 

News:

CPG Release 1.6.26
Correct PHP8.2 issues with user and language managers.
Additional fixes for PHP 8.2
Correct PHP8 error with SMF 2.0 bridge.
Correct IPTC supplimental category parsing.
Download and info HERE

Main Menu

Multiple file upload method gives "Security Error"

Started by sangyo, March 25, 2010, 07:44:45 AM

Previous topic - Next topic

0 Members and 1 Guest are viewing this topic.

sangyo

I'm having issues when uploading on my Coppermine driven gallery http://www.iamthesalamander.com/photos/
When using the advanced upload form (i.e., "Multiple files - Flash-driven (recommended)") and the suggested settings for upload troubleshooting, I get the following error message in the "Upload Queue" box (please see the attached snippet, also):

"Security Error"

Other info:
-"Debug Output" does not appear to give any error message.
-Uploading with the simple upload form (i.e., "simple - one file at a time") works just fine.

Here's the test user account data:
    Username: tester
    Password: tester

I have been using the image taken from http://coppermine-gallery.net/demo/cpg14x/albums/competition/ecto/normal_fire_on_the_beach.jpg as an example to test with.

Having done as suggested in the "Upload troubleshooting" section of the v1.5.3 documentation, and not finding any solutions by searching the board, I have no idea what else to do.

Joachim Müller

Good job on providing all needed details. Confirming your observation - simple file upload (HTML-driven form) works as expected (see http://iamthesalamander.com/photos/displayimage.php?pid=4532), Flash-driven interface returns the error message (see attached screenshot) after having selected a file for upload. Debug output isUSER:
------------------
Array
(
   [ID] => 20ef62239f0a4f64793e4c75f0e197ef
   [lang] => english
   [am] => 1
   [liv] => Array
       (
           [0] => 3671
           [1] => 3672
           [2] => 3673
           [3] => 3674
           [4] => 4532
       )

   [liv_a] => Array
       (
           [0] => 43
       )

   [upload_method] => swfupload
)

==========================
USER DATA:
------------------
Array
(
   [user_id] => 4
   [user_name] => tester
   [groups] => Array
       (
           [0] => 5
       )

   [disk_max] => 0
   [disk_min] => 0
   [can_rate_pictures] => 0
   [can_send_ecards] => 0
   [can_post_comments] => 0
   [can_upload_pictures] => 1
   [can_create_albums] => 0
   [has_admin_access] => 0
   [access_level] => 3
   [pub_upl_need_approval] => 0
   [priv_upl_need_approval] => 1
   [group_name] => uploaders
   [group_quota] => 0
   [can_see_all_albums] => 0
   [group_id] => 5
   [allowed_albums] => Array
       (
       )

)

==========================
Queries:
------------------
Array
(
   [0] => SELECT name, value FROM cpg_config [include/init.inc.php:177] (0 ms)
   [1] => SELECT user_id, time FROM `iamthesa_copp1`.cpg_sessions WHERE session_id = 'bb7b8ebf01ff50bc1e02693ba64c3ae2' [bridge/coppermine.inc.php:258] (0 ms)
   [2] => SELECT user_id, user_password FROM `iamthesa_copp1`.cpg_users WHERE user_id = 4 [bridge/coppermine.inc.php:270] (0 ms)
   [3] => SELECT u.user_id AS id, u.user_name AS username, user_password AS password, u.user_group AS group_id FROM `iamthesa_copp1`.cpg_users AS u LEFT JOIN `iamthesa_copp1`.cpg_usergroups AS g ON u.user_group=g.group_id WHERE u.user_id='4' [bridge/udb_base.inc.php:72] (0 ms)
   [4] => SELECT user_group_list FROM `iamthesa_copp1`.cpg_users AS u WHERE user_id='4' AND user_group_list <> '' [bridge/coppermine.inc.php:200] (0 ms)
   [5] => SELECT MAX(group_quota) AS disk_max, MIN(group_quota) AS disk_min, MAX(can_rate_pictures) AS can_rate_pictures, MAX(can_send_ecards) AS can_send_ecards, MAX(can_post_comments) AS can_post_comments, MAX(can_upload_pictures) AS can_upload_pictures, MAX(can_create_albums) AS can_create_albums, MAX(has_admin_access) AS has_admin_access, MAX(access_level) AS access_level, MIN(pub_upl_need_approval) AS pub_upl_need_approval, MIN( priv_upl_need_approval) AS  priv_upl_need_approval FROM cpg_usergroups WHERE group_id in (5) [bridge/udb_base.inc.php:323] (0 ms)
   [6] => SELECT group_name FROM  cpg_usergroups WHERE group_id= 5 [bridge/udb_base.inc.php:327] (0 ms)
   [7] => SELECT aid FROM cpg_albums WHERE moderator_group IN (5) [include/init.inc.php:267] (0 ms)
   [8] => SELECT lang_id FROM cpg_languages WHERE enabled='YES' [include/init.inc.php:318] (0 ms)
   [9] => SELECT user_favpics FROM cpg_favpics WHERE user_id = 4 [include/init.inc.php:376] (0 ms)
   [10] => DELETE FROM cpg_banned WHERE expiry < '2010-03-25 01:01:06' [include/init.inc.php:432] (0 ms)
   [11] => SELECT null FROM cpg_banned WHERE (user_id=4 OR '217.255.69.10' LIKE ip_addr ) AND brute_force=0 LIMIT 1 [include/init.inc.php:448] (0 ms)
   [12] => SELECT aid FROM cpg_albums WHERE (1  AND visibility != 0 AND visibility != 10004 AND visibility NOT IN (5)) [include/functions.inc.php:924] (0 ms)
   [13] => SELECT aid, title, cid, name FROM cpg_albums INNER JOIN cpg_categories ON cid = category WHERE category < 10000 AND ((uploads='YES' AND (visibility = '0' OR visibility IN (5))) OR (owner=4)) [upload.php:577] (1 ms)
   [14] => SELECT aid, title FROM cpg_albums WHERE category = 0 AND ((uploads='YES' AND (visibility = '0' OR visibility IN (5))) OR (owner=4)) [upload.php:579] (0 ms)
   [15] => SELECT aid, title FROM cpg_albums WHERE category='10004' ORDER BY title [upload.php:601] (0 ms)
   [16] => SELECT user_id AS user_id, user_password AS pass_hash FROM `iamthesa_copp1`.cpg_users WHERE user_id = '4' [bridge/udb_base.inc.php:732] (1 ms)
   [17] => SELECT cid, parent, name FROM cpg_categories WHERE 1 [upload.php:249] (0 ms)
)

==========================
GET :
------------------
Array
(
   [method] => swfupload
   [album] => 20
)

==========================
POST :
------------------
Array
(
)

==========================
COOKIE :
------------------
Array
(
   [cpg140_data] => YTo1OntzOjI6IklEIjtzOjMyOiIyMGVmNjIyMzlmMGE0ZjY0NzkzZTRjNzVmMGUxOTdlZiI7czo0OiJsYW5nIjtzOjc6ImVuZ2xpc2giO3M6MjoiYW0iO2k6MTtzOjM6ImxpdiI7YTo1OntpOjA7czo0OiIzNjcxIjtpOjE7czo0OiIzNjcyIjtpOjI7czo0OiIzNjczIjtpOjM7czo0OiIzNjc0IjtpOjQ7czo0OiI0NTMyIjt9czo1OiJsaXZfYSI7YToxOntpOjA7aTo0Mzt9fQ==
   [7530acb24da35ab34cc4f21f7ec625c0] => bc300b9f5488c3ec78f445d6e28c1c9d
)

==========================
               


You have specified in Coppermine's config that the URL of your gallery is http://iamthesalamander.com/photos/, but you have sent us to http://www.iamthesalamander.com/photos/ (notice the leading www subdomain). After having logged in (with the leading www subdomain) I manually removed the leading www from the URL and hit enter, and your gallery did not recognize me. Logging in once more and then trying the flash-driven upload I didn't get the error message during initial upload, but on the next screen after hitting continue (http://iamthesalamander.com/photos/editpics.php?album=20) I get
QuoteError
You don't have permission to access this page.

File: /home6/iamthesa/public_html/photos/editpics.php - Line: 79
, so there is something fishy with your cookies as far as I can see.

To cover the first problem I suggest to come up with a custom .htaccess file - put this into it:RewriteEngine on
RewriteCond %{HTTP_HOST} ^www\.iamthesalamander\.com$ [NC]
RewriteRule ^(.*) http://iamthesalamander.com/$1 [R,L]
This will send all your visitors who use the leading www subdomain to your domain without the leading www. Your visitors probably won't notice a thing.
Not so sure about the second issue though...

Abbas Ali

The "Secruity Error" is, I believe, due to the Flash Player's "same origin" policy. This means that Flash can only upload to the same server that served the swf file. Swfupload might be treating the domain names with and without www as two different domains.
Chief Geek at Ranium Systems

Αndré

Quote from: Abbas Ali on March 25, 2010, 10:11:18 AM
Swfupload might be treating the domain names with and without www as two different domains.
That's the correct behavior imo.

Joachim Müller

I agree. That's why I recommended to steer clear of the leading www subdomain by adding the .htaccess policy. I'm not sure though about the second issue that comes up if you're actually accessing the site without the leading www subdomain - you can then upload a file, but once you click on "continue" on the upload screen (the link that sends you to the editpics screen) you get the error message I posted, which comes from Coppermine and not from the flash script. Imo there's something fishy with permissions there, but I can't actually spot the problem.

Αndré

The second problem should be solved with the htaccess file, too.

sangyo

Thanks for the speedy reply and investigation.

First issue - fixed:
I added the suggested lines to my .htaccess file, and that does fix the first issue; the flash-driven upload works without any error message.

Second issue - still present:
If I am logged in with the "tester" account, I still encounter the second issue - upon clicking "continue" I get the same error message:
QuoteError
You don't have permission to access this page.

File: /home6/iamthesa/public_html/photos/editpics.php - Line: 79

I also tried removing cookies, then tried the upload process again, but got the same behavior.

However, when I am logged in as administrator, I don't encounter the second issue.  I believe I have permissions set up correctly for the tester account (public albums upload = allowed and "Approval" set to "No" for "uploaders" group; "visitors can upload files" in test album properties).

Αndré

Your second problem should already been fixed with the latest svn checkout. It's the same problem like here (users can upload only to public albums).

sangyo

Yes, that was it.  I made the change you suggested to editpics.php and that solves the second issue.

Thanks for all the help, guys.  I really appreciate the customer service.

Prisoner_24601

I had this exact same issue and I solved most of it the exact same way as described above.  However, I also do want to mention another bit of weirdness with this:

I was getting a pop-up error message AFTER (not before) I changed my website address setting of something like, "Exceeded Max. CPG Size [OK]" when I tried to upload a file that was all of 248K.  I went to the Config menu and reset the "Max size for uploaded files" from the insanely high amount that I had in there (210000) to 512.  Saved the setting and tried to upload again.  Works, no more error.  Then I went back and changed the "Max size for uploaded files" back to my insanely high amount.  Saved the setting and tried to upload again.  Worked, no error.  Odd.

===========

BTB, as a niggling comment, the "Browse ..." button in IE 8/Win 7 64-bit is a different font (looks like Times) until you click it.  Looks OK in Chrome (4.1.249.1036).

inarush

I'm getting the exact same error.
I've followed the "Step-by-step guide when asking for support" in the trouble shooting docs.
Upload works fine with the "simple - one file at a time method".

The difference:
The site is on a IIs server.
The hosting company has a dedicated server for databases - meaning that the CPG application is on one server and the CPG database is on a second server.

If you wish, I can explicitly follow the directions for posting this support question.
However, rather than repeating all of the above. . .is it too terrible to ask the support question in this thread?



papukaija

@inarush: Please post a link to your gallery for support as requested in board rules.


Joachim Müller

...in a thread of your own:
Quote from: Joachim Müller on September 28, 2008, 12:47:37 PMNo thread-hijacking
If someone has started a thread, describing his/her issues in detail and asking for support, it's not a bright idea to hijack this thread and reply there, asking for support on your issues. When in doubt, start a thread of your own for your individual issues.
This thread is marked as solved. Locking.