XUpload - File upload with authentication

byrapaneni
Posts: 3
Joined: Jun 16, 2007 11:40 pm

File upload with authentication

#1 Postby byrapaneni » Jun 17, 2007 12:07 am

Hi there,
I have installed your product on our AIX box and it is working fine. Now I am testing it with authentication.

$ more .htaccess
AuthAIX On
AuthAIXAuthoritative On
AuthName "Login with your AIX ID and Password"
AuthType Basic
<Limit GET POST>
require group system staff slcgroup info
</Limit>
.htaccess: END

.htaccess in the ./cgibin/xupload/ directory.

When I attempt the upload for the first time, AIX prompts me to supply my login credentials. After the successful login, the progress bar says "Transfer Complete!" even though the upload still happens.

During my second attempt I can see the "Status bar" and the progress bar.

Could you please help me fix the "Status Bar" issue during my first attempt?

Thanks in advance.

Regards.

PilgrimX182
Posts: 2186
Joined: Mar 22, 2006 1:39 pm

#2 Postby PilgrimX182 » Jun 18, 2007 5:26 am

Hmmm... I think the problem is that when you first try to upload, it requires authorization for the upload request, but the progress bar is already working; it sees no temp files created and decides that the upload was very fast and complete.

Try this: in upload_form.html find <iframe src="......" and change src to "URL-TO-YOUR-CGI-BIN/upload.cgi?mode=settings"

byrapaneni
Posts: 3
Joined: Jun 16, 2007 11:40 pm

#3 Postby byrapaneni » Jun 18, 2007 4:45 pm

Wow!!! You are the best.
This fix solved my problem.

I have tested your PRO version and want to use this instead.
Could you please let me know what changes I need for the following:

I want to add one more text area for the userID.
I also want to validate the userID and password combo before the upload.

Thanks in advance.

Regards

PilgrimX182
Posts: 2186
Joined: Mar 22, 2006 1:39 pm

#4 Postby PilgrimX182 » Jul 04, 2007 6:30 am

Just add extra text input to the form:

Code:

<input type="text" name="username">

then in xupload.js find

Code:

if(NF==0){alert('Select at least one file to upload');return false;};

and add below it:

Code:

if(f1.username && f1.username.value==''){alert("Username required");return false;}

This will require the username to be entered. A password is required if the "upload_password" option in your config is not empty.

Not sure if you need the same password for every user or distinct passwords for each. How to validate them?

byrapaneni
Posts: 3
Joined: Jun 16, 2007 11:40 pm

#5 Postby byrapaneni » Jul 04, 2007 11:31 pm

Thanks for the post.
PilgrimX182 wrote: Not sure if you need same password for every user or distinct passwords for each. How to validate them?

I would like to implement the script with distinct passwords, i.e. a unique user ID and password combination.

Thanks in advance for your help.


Regards,
Sri

PilgrimX182
Posts: 2186
Joined: Mar 22, 2006 1:39 pm

#6 Postby PilgrimX182 » Jul 05, 2007 10:11 am

No way to securely validate them with PHP before upload.
You can validate login/password in upload.cgi and, if they are not correct, stop the upload immediately. This requires extra development and extra paid hours; contact us (http://sibsoft.net/contact.html) if you need this, and we will implement the code in 1-2 days for a reasonable price.

jonthegimp
Posts: 5
Joined: Sep 20, 2007 5:52 pm

#7 Postby jonthegimp » Sep 20, 2007 6:01 pm

I currently have username/password checking in upload.cgi; it connects to a mysql database & validates. It works fine; those logins that are valid are able to download, and the incorrect logins are notified, after a period of time, that their login was incorrect.

As you may know, if the uname/passwd combo is incorrect, the 'Transfer complete!' is still displayed, after what I am guessing is buffering of the file. After all this, the javascript alert box pops up declaring the wrong authorization credentials.

Would you be willing to share how to stop the upload immediately? I currently have the username/pass check in the following location, right above the environment checks:

Code:

# The remaining connect arguments are cut off in the post
my $dbc = DBI->connect("dbi:mysql:proftpd_admin:");
# Bind the userid as a placeholder instead of interpolating it into the SQL text
my $verify = $dbc->prepare("SELECT passwd FROM usertable WHERE userid=?");
$verify->execute($in{"dir"});
my @user = $verify->fetchrow_array;

# Refuse when the user is unknown or the supplied value does not match
if(!@user || $in{"xpass"} ne md5_base64($user[0]))
{
  &lmsg("ERROR: $c->{msg}->{wrong_password}");
  sleep 1;
  &DelData($temp_dir);
  &xmessage("ERROR: $c->{msg}->{wrong_password}");
}
elsif($ENV{'CONTENT_LENGTH'} > 1024*$c->{max_upload_size})
{
   &lmsg("ERROR: $c->{msg}->{upload_size_big}$c->{max_upload_size} Kb");
   sleep 1;
   &DelData($temp_dir);
   &xmessage("ERROR: $c->{msg}->{upload_size_big}$c->{max_upload_size} Kb");
}

Please let me know if I can provide any other information. Thanks for any help.
Jon

PilgrimX182
Posts: 2186
Joined: Mar 22, 2006 1:39 pm

#8 Postby PilgrimX182 » Sep 21, 2007 7:45 am

Wait a moment....where did u get %in hash? :D

Using our regexp?

Code:

my ($upload_password) = ($ENV{QUERY_STRING}=~/\&xpass=(.+?)(&|$)/i);

Do you get dir the same way or how?

jonthegimp
Posts: 5
Joined: Sep 20, 2007 5:52 pm

#9 Postby jonthegimp » Sep 21, 2007 8:36 am

Ah, the following code came from right above where I added the database connection:

Code:

my ($buffer,@pairs,$pair,$name,$value,%in,$dbc,$verify,@user,$endmessage);
if (length ($ENV{'QUERY_STRING'}) > 0){
    $buffer = $ENV{'QUERY_STRING'};
    @pairs = split(/&/, $buffer);
    foreach $pair (@pairs){
        ($name, $value) = split(/=/, $pair);
        $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
        $in{$name} = $value;
    }
}

That's where I picked up %in; it's been a while since I have had to do anything with this code, so I can't tell you where I came about the idea of using it. I just know that I would have been unable to write code close to this then!

In any case, would declaring it as ($upload_password), as well as creating an error message as I demonstrated previously, be all that is needed?
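
Added example, not part of the thread and not SibSoft's code: the check from posts #7 and #9 written so that the decision is made from QUERY_STRING and CONTENT_LENGTH alone, before any of the request body is read. The `dir` and `xpass` parameter names come from the thread; the function names, the in-memory `%USERS` table, the userid pattern and the salted SHA-256 storage format are assumptions made for the illustration.

```perl
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);
# Constructed stand-in for the user table: userid => [salt, sha256_hex(salt . password)]
my %USERS = (alice => ['k3Jq', sha256_hex('k3Jq' . 'correct horse')]);

# Decode QUERY_STRING into a hash; pairs without a name or a value are skipped
sub parse_query {
    my ($qs) = @_;
    my %in;
    for my $pair (split /&/, $qs // '') {
        my ($name, $value) = split /=/, $pair, 2;
        next unless defined $name && length $name && defined $value;
        for ($name, $value) { tr/+/ /; s/%([0-9a-fA-F]{2})/chr(hex($1))/eg }
        $in{$name} = $value;
    }
    return %in;
}

# Compare two digests without stopping at the first differing character
sub same_digest {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Returns undef when the upload may proceed, otherwise the reason for refusing it
sub refuse_reason {
    my ($env, $max_kb) = @_;
    my %in = parse_query($env->{QUERY_STRING});
    my $id = $in{dir} // '';
    return 'bad userid' unless $id =~ /\A[A-Za-z0-9_.-]{1,32}\z/;
    my $rec = $USERS{$id};
    # Unknown users are hashed against a dummy record so both paths do the same work
    my ($salt, $want) = $rec ? @$rec : ('none', sha256_hex('none'));
    my $ok = same_digest(sha256_hex($salt . ($in{xpass} // '')), $want);
    return 'wrong password' unless $rec && $ok;
    return 'bad length' unless ($env->{CONTENT_LENGTH} // '') =~ /\A\d+\z/;
    return 'too large' if $env->{CONTENT_LENGTH} > 1024 * $max_kb;
    return;
}

my %env = (QUERY_STRING => 'dir=alice&xpass=wrong', CONTENT_LENGTH => 5_000_000);  # constructed request
if (defined(my $why = refuse_reason(\%env, 10240))) {
    print "Content-type: text/plain\n\nERROR: $why\n";
    exit 0;    # STDIN, which carries the file data, is never read
}
```

Query strings are written to the web server's access log by default, so credentials passed this way, as in the thread, also end up there.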

PilgrimX182
Posts: 2186
Joined: Mar 22, 2006 1:39 pm

#10 Postby PilgrimX182 » Sep 21, 2007 12:14 pm

It looks like your code should do the thing.

jonthegimp
Posts: 5
Joined: Sep 20, 2007 5:52 pm

#11 Postby jonthegimp » Sep 21, 2007 12:16 pm

haha, yeah, that's what I keep trying to tell it, but it still displays 'Transfer Complete' after an incorrect password is typed.

Once the error messages are set, are there any other steps that could be taken to stop the transaction from continuing further?

PilgrimX182
Posts: 2186
Joined: Mar 22, 2006 1:39 pm

#12 Postby PilgrimX182 » Sep 24, 2007 8:11 am

I think you get some error in upload.cgi, and that's why the error is not transmitted to the progress bar. Make the xupload iframe visible on the page and check what you get there.

jonthegimp
Posts: 5
Joined: Sep 20, 2007 5:52 pm

#13 Postby jonthegimp » Sep 24, 2007 2:38 pm

I didn't see much there; when the page is loaded, the frame displays 'false' & stays that way until the Error message regarding the password is displayed. I was using the error console of firefox to display any errors in the cgi, but it doesn't state any for this issue, aside from a few 'xdisplay' errors in the style sheet.

PilgrimX182
Posts: 2186
Joined: Mar 22, 2006 1:39 pm

#14 Postby PilgrimX182 » Sep 25, 2007 6:46 am

OK. Then maybe the progress bar script starts too late. In this code:

Code:

  &lmsg("ERROR: $c->{msg}->{wrong_password}");
  sleep 1;

set the sleep time to 5: "sleep 5;" - this will be enough to sync with the progress bar and it will stop the upload.

If this doesn't work, provide me with your URL and FTP details in PM, and I will check this out quickly.

jonthegimp
Posts: 5
Joined: Sep 20, 2007 5:52 pm

#15 Postby jonthegimp » Sep 25, 2007 1:31 pm

You are a mad genius! The correct error message displays instead of the generic 'Transfer complete' message. Thank you very much!