My-Random-Thoughts / psBookStack

PowerShell Module For Managing BookStack
MIT License

New-BsImageGallery throwing Bad Request #5

Closed deadpoint closed 2 months ago

deadpoint commented 2 months ago

When using New-BsImageGallery to upload an image it is failing with the following error. I have the current version of psBookStack loaded, and the site is BookStack v24.05.1.

```
New-BsImageGallery -Type gallery -PageId 367 -Image 'C:\apps\f8a9c74508974fa2a7aa8f5e34eac39e.png'
Invoke-BookStackMultiPart : StatusCode: 400, ReasonPhrase: 'Bad Request', Version: 1.1, Content: System.Net.Http.StreamContent, Headers:
{
  Vary: accept-language
  Vary: accept-charset
  Connection: close
  Accept-Ranges: bytes
  Date: Thu, 08 Aug 2024 17:18:37 GMT
  Server: Apache
  Content-Language: en
  Content-Type: text/html; charset=utf-8
}
At line:77 char:17
```

My-Random-Thoughts commented 2 months ago

Hi. I presume page 367 exists (Get-BsPage -Id 367) and the image exists in that folder?

Do you have permissions to add images to the gallery and to edit that page?

deadpoint commented 2 months ago

Hi,

Yes, the page exists. It was created with `New-BsPage -ChapterId 87 -Name "Circuit ID" -Html`, and I have permissions to add images and edit that page.

```
Get-BsPage -Id 367

id             : 367
book_id        : 157
chapter_id     : 87
name           : Circuit ID
slug           : circuit-id
html           : ---
```

My-Random-Thoughts commented 2 months ago

OK, can you run the command with -Verbose at the end, not that it gives much extra, and let me have the output please.

What environment are you running BookStack under and what OS are you running the commands? My testing with a Docker BookStack and Linux are all working fine.

deadpoint commented 2 months ago

This is being caused by ModSecurity on the webserver, specifically, I think, where `filename=utf-8''f8a9c74508974fa2a7aa8f5e34eac39e.png` is being set. Where or how is the `filename=utf-8''` being set? `filename` is not present in any of the module files.

```
Message: Multipart parsing error: Multipart: Invalid Content-Disposition header (-11): form-data; name=image; filename=f8a9c74508974fa2a7aa8f5e34eac39e.png; filename*=utf-8''f8a9c74508974fa2a7aa8f5e34eac39e.png.

Message: Access denied with code 400 (phase 2). Match of "eq 0" against "REQBODY_ERROR" required. [file "/etc/apache2/conf.d/mod_security2.conf"] [line "124"] [id "200001"] [msg "Failed to parse request body."] [data "Multipart parsing error: Multipart: Invalid Content-Disposition header (-11): form-data; name=image; filename=f8a9c74508974fa2a7aa8f5e34eac39e.png; filename*=utf-8''f8a9c74508974fa2a7aa8f5e34eac39e.png."] [severity "CRITICAL"]
```

BookStack Server:

My-Random-Thoughts commented 2 months ago

I am seeing `data "Multipart parsing error: Multipart: Invalid Content-Disposition header` in the error message, and I am not specifically setting any header information in the code, except for "Authorization" and "X-HTTP-Method-Override" if required. Do I need to set a specific header?

There is this document that may help you, but it means nothing to me: https://github.com/owasp-modsecurity/ModSecurity/wiki/Reference-Manual-%28v3.x%29#user-content-REQBODY_ERROR

I am not sure this is a "me" problem?? I don't know enough about modsecurity to help.

My-Random-Thoughts commented 2 months ago

Did you manage to get this fixed? If so, can you share the details?

deadpoint commented 2 months ago

Hi,

I wasn't able to figure out how to exclude this in ModSecurity, so I just disabled it when importing the images. I'll close the issue given that it's not the PowerShell module where the issue resides. Thanks!
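
On the question of where `filename*=utf-8''…` is set: in .NET, the three-argument `MultipartFormDataContent.Add(content, name, fileName)` fills in both `FileName` and `FileNameStar` on the part's Content-Disposition header, which produces the header quoted in the ModSecurity log. The sketch below is an added example, not part of the thread and not psBookStack code; it shows a client-side way to send only `filename=` so the WAF can stay enabled. It assumes the module builds its body with that class, and `Remove-FileNameStar`, the sample file and the form field names other than `image` are hypothetical.

```powershell
# Added example, not psBookStack code. Assumption: the upload body is built with
# System.Net.Http.MultipartFormDataContent. The file below is constructed sample data.
Add-Type -AssemblyName System.Net.Http

function Remove-FileNameStar {
    # Hypothetical helper: drop the RFC 5987 filename* parameter from every part,
    # leaving the plain filename= parameter in place.
    param([Parameter(Mandatory)][System.Net.Http.MultipartFormDataContent]$Form)
    foreach ($part in $Form) {
        $cd = $part.Headers.ContentDisposition
        if ($cd -and $cd.FileNameStar) { $cd.FileNameStar = $null }
    }
}

# Constructed sample file (PNG signature bytes only), so the example runs offline.
$path = Join-Path ([IO.Path]::GetTempPath()) 'sample-upload.png'
[IO.File]::WriteAllBytes($path, [byte[]](0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A))

$form = [System.Net.Http.MultipartFormDataContent]::new()
$file = [System.Net.Http.ByteArrayContent]::new([IO.File]::ReadAllBytes($path))
$file.Headers.ContentType = [System.Net.Http.Headers.MediaTypeHeaderValue]::new('image/png')

# The three-argument Add() is the call that writes both filename= and filename*=.
$form.Add($file, 'image', [IO.Path]::GetFileName($path))
# Field names below are assumed for illustration; they carry no filename at all.
$form.Add([System.Net.Http.StringContent]::new('gallery'), 'type')
$form.Add([System.Net.Http.StringContent]::new('367'), 'uploaded_to')

# Show the file part's header as generated, then after the parameter is removed.
'Before: ' + $file.Headers.ContentDisposition.ToString()
Remove-FileNameStar -Form $form
'After:  ' + $file.Headers.ContentDisposition.ToString()

# Fail closed before sending: no part may still carry filename*.
$left = @($form | Where-Object { $_.Headers.ContentDisposition.FileNameStar })
if ($left.Count -gt 0) { throw "filename* still present on $($left.Count) part(s)" }
```

With `filename*` removed, a non-ASCII file name is carried only by the `filename=` parameter, which .NET MIME-encodes, so check how the server decodes such names before relying on this for them.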