Let’s talk about image uploads failing in 2.5
We have a sticky here: https://www.ads-software.com/support/topic/164999?replies=1
Numbers 1-6 seem good advice to me.
Number 7, I am concerned about, it’s this blanket statement to disable something, I see no mention anywhere, as of yet, in the many threads about image uploads, as to what the repercussions of this disabling are.
In some research, I can say, mod_security is a good thing, it has options to filter URLs for null bytes, check URL encoding, inspect POST payloads, and basically protect you from any number of potential exploits.
As far as I remember, a few WP security issues have been surrounding URL attacks.
What is curious, is in my default 1.3 Apache install, I see no mention of mod_security in the httpd.conf file. It looks to me like you have to install and add it on your own. This would make me think disabling this is not going to help you anyway.
Looking at an Apache 2 config, all these on OS X, again, no mod_security in the httpd.conf file, so it is an add-on anyway.
My summary of this is, if your host has it, they put it there, and for good reason. More than likely your efforts to disable it will not work, or if you do, you may open yourself to something bad.
I am no Apache master, hopefully someone who knows more can shed some light on this.
Suggestion 8, not a bad idea, but the feature is lacking compared to previous versions, I just successfully uploaded, get no notification it was good or bad, and I assume I need to look in the media library or gallery to even find what was uploaded?
* As much debugging as I know how to do *
If I try an upload, I get this in my apache access log:
example.com ip.add.re.ss - - [02/Apr/2008:04:26:15 -0700] "POST /wp-admin/async-upload.php HTTP/1.1" 401 477 "-" "Adobe Flash Player 9"
401 tells me I am not passing security, and I know that is because I have an HTTP authentication realm set up in wp-admin via a .htaccess file. Disabling that, and we are in good shape.
I would love to see others post their snip from the apache log as to what it says when they try uploads.
At any rate, the error I get is:
An error occurred in the upload. Please try again later.
I know my permissions are correct, as I can upload if I remove http auth in wp-admin, or if I use the no flash method.
Setting define('WP_DEBUG', true); in config does nothing to tell me more about “HTTP error.” or “An error occurred in the upload. Please try again later.”
Digging into the code, I see wp-includes/script-loader.php is where the “HTTP error.” comes from. That blows horns, does not tell me anything, vague.
Here is the comment above the error line in the above file:
// these error messages came from the sample swfupload js, they might need changing.
This looks promising:
this.addSetting("debug_enabled", init_settings.debug, false);
it is in upload.js
Excuse the length of my post, and my randomness, I am writing this as I step it through…
I think this boils down to the devs have used the over-ride feature to send out their own error messages from swfupload.js, and it was not thorough.
That’s about all I can do for now, I want to know how you get the real error messages from upload.js to show up in WordPress. They are being written over by php right now, and it certainly would be very helpful to know what they are for every user having issues. My issue would tell me I was http 401, someone else’s may say ‘can not chmod’ or whatever is applicable.
It is a guessing game now, the flash uploader source has the means for a full debug console in screen, how do you turn it on?
* Am I way out of line in thought here…
We have a .swf made to accept input and do media uploads. It is not possible to secure that file via wordpress, I can go to any wp 2.5 install and hit that url:
https://example.com/wp-includes/js/swfupload/swfupload_f9.swf
I also know the entire source of the JS that runs it.
I think the next logical step would be to exploit this, and pump GB of images into users’ web storage areas. I hope I am wrong, but so far, that is what I am getting out of this.
Still would love to be able to get users those real error codes, not the pretty wordpress modified ones. I think many of us could work to figure it out from there.
- The topic ‘Let’s talk about image uploads failing in 2.5’ is closed to new replies.
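The access-log check the post asks other users to run, as an added example that is not part of the original post: a Python parser for the vhost-prefixed log format quoted above that counts failed POSTs to async-upload.php by status and user agent. The function names, the constructed sample lines, and the hints for statuses other than 401 are assumptions.

```python
import re
from collections import Counter

# Vhost-prefixed combined log format, matching the line quoted in the post.
LINE_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# 401 is the case described in the post; the other hints are assumptions.
HINTS = {
    401: "HTTP auth on wp-admin; the Flash client sent no credentials",
    403: "blocked by a server rule (possibly mod_security; host-dependent)",
    413: "request body larger than the server accepts",
}

def parse_line(line):
    """Return a dict of log fields, or None if the line does not match."""
    # Undo typographic quotes/dashes that forum software adds to pasted logs.
    for bad, good in (("\u201c", '"'), ("\u201d", '"'), ("\u2013", "-")):
        line = line.replace(bad, good)
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec

def upload_failures(lines, path="/wp-admin/async-upload.php"):
    """Count non-2xx responses to uploader POSTs, keyed by (status, agent)."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if (rec and rec["method"] == "POST"
                and rec["path"].split("?")[0] == path
                and not 200 <= rec["status"] < 300):
            counts[(rec["status"], rec["agent"])] += 1
    return counts

def report(counts):
    return [f"{n}x {s} from {a!r}: {HINTS.get(s, 'no hint; read the error log')}"
            for (s, a), n in sorted(counts.items())]

# Constructed sample lines; the second keeps the curly quotes of a forum paste.
SAMPLE = [
    'example.com 192.0.2.10 - - [02/Apr/2008:04:26:15 -0700] "POST /wp-admin/async-upload.php HTTP/1.1" 401 477 "-" "Adobe Flash Player 9"',
    'example.com 192.0.2.10 – – [02/Apr/2008:04:27:02 -0700] “POST /wp-admin/async-upload.php HTTP/1.1” 401 477 “-” “Adobe Flash Player 9”',
    'example.com 192.0.2.10 - admin [02/Apr/2008:04:30:41 -0700] "POST /wp-admin/async-upload.php HTTP/1.1" 200 312 "https://example.com/wp-admin/post-new.php" "Mozilla/5.0"',
    'example.com 192.0.2.11 - - [02/Apr/2008:04:31:09 -0700] "POST /wp-admin/async-upload.php HTTP/1.1" 403 215 "-" "Shockwave Flash"',
]
```

Calling `report(upload_failures(open(path)))` on a real access log gives one summary line per status and user agent, which is the per-user error detail the uploader's own message hides.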