Upload error with files including quotation marks

  • Hello,

    When I attempt to upload a file including a single quotation mark or double quotation mark, I am served an error in a popup:


    Error uploading file

    Uncaught Error.n<!DOCTYPE html>
    <html style=”height:100%”>
    <head><title> 403 Forbidden
    </title></head>
    …. (then a bunch of code from the page until the popup is full)

    Is it possible to prevent this error by renaming files on the fly, or stripping slashes at the time of upload?

    Any assistance you might be able to provide would be greatly appreciated.

Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Author ovann86

    (@ovann86)

    Hey,

    I’m 99% sure this is happening because the quote in the file name is triggering a rule in PHP’s mod_security module – and that it will be happening in standard Gravity Forms upload fields.

    I actually noticed I have the same issue on my demo site.

    You might need to disable mod_security — you would need to for it to work with the standard GF upload field. I’m just not sure what level of risk doing this is.

    I’ll have a bit of a play and see if I can get the plugin to strip the quotes out before uploading to the server. Might help.

    Plugin Author ovann86

    (@ovann86)

    Hey,

    So there doesn’t appear to be the ability to rename files before they’re sent to the server – which means we can’t remove the quotes that are triggering mod_security.

    If you still have a Gravity Forms license I suggest you check if the same issue is happening for the standard file upload fields and contact them. I would assume they have a standard advice on how to disable mod_security and whether or not it’s a good idea.

    If you’re feeling confident, this is what I’ve used to disable mod_security to allow files with a quote in the file name.

    You place this at the start of your .htaccess file on the web server (so you’ll need access to the files on the server, e.g. FTP or cpanel access)

    <IfModule mod_security.c>
SecFilterEngine Off
SecFilterScanPOST Off
</IfModule>

    What I can do is have a quick play to see if I can detect when mod_security is enabled and stop uploads with quotes on them. That way we can show a useful error message to the form user. E.g. “Error: file name contains a quote. Please rename file to remove ‘ and try again”

    Plugin Author ovann86

    (@ovann86)

    OK – even detecting if mod_security is enabled is unreliable. The only reliable way is onerous on the server and would not be a good idea.

    What I will do is add a setting in the Forms -> Settings -> Ajax Upload menu to allow an error message and stop the upload if the file name contains a quote.

    Not a bad compromise considering with the standard Gravity Forms field it just fails to work … which likely leads to the loss of any other information put in the form.

    Thread Starter usflrt

    (@usflrt)

    Thank you! Yes, Gravity Forms wiped their hands of it and offered no help with regards to stopping uploads, writing warnings, or renaming files before upload. My host offered to whitelist the mod_security rule, but I decided to leave it as is and include in the form a warning not to include those characters in a file for upload.

    All that is to say that, yes, if you can build this error message and stop the upload of a file with a quote that will be not a bad compromise at all. I appreciate you taking the time to look into it and find a solution.

    Plugin Author ovann86

    (@ovann86)

    Hey,

    I just want to confirm you got the update and instead of getting a worthless server error message, you now get a meaningful error message.

Viewing 5 replies - 1 through 5 (of 5 total)
  • The topic ‘Upload error with files including quotation marks’ is closed to new replies.

Tags