search

glpi-project / glpi

GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing.
https://glpi-project.org
GNU General Public License v3.0
4.26k stars 1.29k forks source link

Error when uploading documents using the API #13146

Closed xacobofg closed 1 year ago

xacobofg commented 2 years ago

Code of Conduct

Is there an existing issue for this?

Version

10.0.3

Bug description

When uploading a document through the API requests if the document name is not longer than 23 characters it returns the error 'Unauthorized file type'.

Relevant log output

No response

Page URL

apirest.php/Document

Steps To reproduce

  1. Make a request to apirest.php/Document sending a file with a file name size of less than 23 characters
  2. You receive the error 'Unauthorized file type'
  3. Resend the same file by increasing the file name to more than 23 characters.
  4. The document is correctly added

Your GLPI setup information

Información sobre la instalación y configuración del sistema
GLPI 10.0.3 ( => /var/www/html/glpi)
Installation mode: TARBALL
Current language:es_ES
Server
 
Operating system: Linux xes3 5.15.0-50-generic #56~20.04.1-Ubuntu SMP Tue Sep 27 15:51:29 UTC 2022 x86_64
PHP 8.0.24 apache2handler (Core, FFI, PDO, Phar, Reflection, SPL, SimpleXML, Zend OPcache, apache2handler, apcu, bz2, calendar,
    ctype, curl, date, dom, exif, fileinfo, filter, ftp, gd, gettext, hash, iconv, intl, json, ldap, libxml, mbstring, mysqli,
    mysqlnd, openssl, pcre, pdo_mysql, posix, readline, session, shmop, snmp, soap, sockets, sodium, standard, sysvmsg, sysvsem,
    sysvshm, tokenizer, xml, xmlreader, xmlrpc, xmlwriter, xsl, zip, zlib)
Setup: max_execution_time="600" memory_limit="512M" post_max_size="30M" safe_mode="" session.save_handler="files"
    upload_max_filesize="50M" 
Software: Apache ()
    Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:106.0) Gecko/20100101 Firefox/106.0
Server Software: Ubuntu 20.04
    Server Version: 10.3.34-MariaDB-0ubuntu0.20.04.1
    Server SQL Mode: STRICT_TRANS_TABLES,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION
    Parameters: glpirw@localhost/glpidb
    Host info: Localhost via UNIX socket

PHP version (8.0.24) is supported.
Sessions configuration is OK.
Allocated memory is sufficient.
mysqli extension is installed.
Following extensions are installed: dom, fileinfo, json, simplexml.
curl extension is installed.
gd extension is installed.
intl extension is installed.
libxml extension is installed.
zlib extension is installed.
The constant SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_NPUBBYTES is present.
Database engine version (10.3.34) is supported.
The log file has been created successfully.
Write access to /var/www/html/glpi/files/_cache has been validated.
Write access to /var/www/html/glpi/config has been validated.
Write access to /var/www/html/glpi/files/_cron has been validated.
Write access to /var/www/html/glpi/files has been validated.
Write access to /var/www/html/glpi/files/_dumps has been validated.
Write access to /var/www/html/glpi/files/_graphs has been validated.
Write access to /var/www/html/glpi/files/_lock has been validated.
Write access to /var/www/html/glpi/files/_pictures has been validated.
Write access to /var/www/html/glpi/files/_plugins has been validated.
Write access to /var/www/html/glpi/files/_rss has been validated.
Write access to /var/www/html/glpi/files/_sessions has been validated.
Write access to /var/www/html/glpi/files/_tmp has been validated.
Write access to /var/www/html/glpi/files/_uploads has been validated.
Web access to files directory is protected
Sessions configuration is secured.
exif extension is installed.
ldap extension is installed.
openssl extension is installed.
zip extension is installed.
bz2 extension is installed.
Zend OPcache extension is installed.
Following extensions are installed: ctype, iconv, mbstring, sodium.
Write access to /var/www/html/glpi/marketplace has been validated.
Timezones seems loaded in database.
GLPI constants
 
GLPI_ROOT: /var/www/html/glpi
GLPI_CONFIG_DIR: /var/www/html/glpi/config
GLPI_VAR_DIR: /var/www/html/glpi/files
GLPI_MARKETPLACE_DIR: /var/www/html/glpi/marketplace
GLPI_USE_CSRF_CHECK: 1
GLPI_CSRF_EXPIRES: 7200
GLPI_CSRF_MAX_TOKENS: 100
GLPI_USE_IDOR_CHECK: 1
GLPI_IDOR_EXPIRES: 7200
GLPI_ALLOW_IFRAME_IN_RICH_TEXT: 
GLPI_SERVERSIDE_URL_ALLOWLIST: Array
GLPI_TELEMETRY_URI: https://telemetry.glpi-project.org
GLPI_INSTALL_MODE: TARBALL
GLPI_NETWORK_MAIL: glpi@teclib.com
GLPI_NETWORK_SERVICES: https://services.glpi-network.com
GLPI_MARKETPLACE_ALLOW_OVERRIDE: 1
GLPI_MARKETPLACE_MANUAL_DOWNLOADS: 1
GLPI_USER_AGENT_EXTRA_COMMENTS: 
GLPI_DISABLE_ONLY_FULL_GROUP_BY_SQL_MODE: 1
GLPI_AJAX_DASHBOARD: 1
GLPI_CALDAV_IMPORT_STATE: 0
GLPI_DEMO_MODE: 0
GLPI_CENTRAL_WARNINGS: 1
GLPI_DOC_DIR: /var/www/html/glpi/files
GLPI_CACHE_DIR: /var/www/html/glpi/files/_cache
GLPI_CRON_DIR: /var/www/html/glpi/files/_cron
GLPI_DUMP_DIR: /var/www/html/glpi/files/_dumps
GLPI_GRAPH_DIR: /var/www/html/glpi/files/_graphs
GLPI_LOCAL_I18N_DIR: /var/www/html/glpi/files/_locales
GLPI_LOCK_DIR: /var/www/html/glpi/files/_lock
GLPI_LOG_DIR: /var/www/html/glpi/files/_log
GLPI_PICTURE_DIR: /var/www/html/glpi/files/_pictures
GLPI_PLUGIN_DOC_DIR: /var/www/html/glpi/files/_plugins
GLPI_RSS_DIR: /var/www/html/glpi/files/_rss
GLPI_SESSION_DIR: /var/www/html/glpi/files/_sessions
GLPI_TMP_DIR: /var/www/html/glpi/files/_tmp
GLPI_UPLOAD_DIR: /var/www/html/glpi/files/_uploads
GLPI_INVENTORY_DIR: /var/www/html/glpi/files/_inventories
GLPI_NETWORK_REGISTRATION_API_URL: https://services.glpi-network.com/api/registration/
GLPI_MARKETPLACE_PLUGINS_API_URI: https://services.glpi-network.com/api/glpi-plugins/
GLPI_I18N_DIR: /var/www/html/glpi/locales
GLPI_VERSION: 10.0.3
GLPI_SCHEMA_VERSION: 10.0.3@a130db99c7d9b131c2e2ea59fe0d6260fe93d831
GLPI_MARKETPLACE_PRERELEASES: 
GLPI_MIN_PHP: 7.4.0
GLPI_MAX_PHP: 8.3.0
GLPI_YEAR: 2022
Libraries
 
htmlawed/htmlawed version 1.2.9 in (/var/www/html/glpi/vendor/htmlawed/htmlawed)
phpmailer/phpmailer version 6.6.0 in (/var/www/html/glpi/vendor/phpmailer/phpmailer/src)
simplepie/simplepie version 1.5.8 in (/var/www/html/glpi/vendor/simplepie/simplepie/library)
tecnickcom/tcpdf version 6.5.0 in (/var/www/html/glpi/vendor/tecnickcom/tcpdf)
michelf/php-markdown in (/var/www/html/glpi/vendor/michelf/php-markdown/Michelf)
true/punycode in (/var/www/html/glpi/vendor/true/punycode/src)
iamcal/lib_autolink in (/var/www/html/glpi/vendor/iamcal/lib_autolink)
sabre/dav in (/var/www/html/glpi/vendor/sabre/dav/lib/DAV)
sabre/http in (/var/www/html/glpi/vendor/sabre/http/lib)
sabre/uri in (/var/www/html/glpi/vendor/sabre/uri/lib)
sabre/vobject in (/var/www/html/glpi/vendor/sabre/vobject/lib)
laminas/laminas-i18n in (/var/www/html/glpi/vendor/laminas/laminas-i18n/src)
laminas/laminas-servicemanager in (/var/www/html/glpi/vendor/laminas/laminas-servicemanager/src)
monolog/monolog in (/var/www/html/glpi/vendor/monolog/monolog/src/Monolog)
sebastian/diff in (/var/www/html/glpi/vendor/sebastian/diff/src)
donatj/phpuseragentparser in (/var/www/html/glpi/vendor/donatj/phpuseragentparser/src/UserAgent)
elvanto/litemoji in (/var/www/html/glpi/vendor/elvanto/litemoji/src)
symfony/console in (/var/www/html/glpi/vendor/symfony/console)
scssphp/scssphp in (/var/www/html/glpi/vendor/scssphp/scssphp/src)
laminas/laminas-mail in (/var/www/html/glpi/vendor/laminas/laminas-mail/src/Protocol)
laminas/laminas-mime in (/var/www/html/glpi/vendor/laminas/laminas-mime/src)
rlanvin/php-rrule in (/var/www/html/glpi/vendor/rlanvin/php-rrule/src)
blueimp/jquery-file-upload in (/var/www/html/glpi/vendor/blueimp/jquery-file-upload/server/php)
ramsey/uuid in (/var/www/html/glpi/vendor/ramsey/uuid/src)
psr/log in (/var/www/html/glpi/vendor/psr/log/Psr/Log)
psr/simple-cache in (/var/www/html/glpi/vendor/psr/simple-cache/src)
psr/cache in (/var/www/html/glpi/vendor/psr/cache/src)
league/csv in (/var/www/html/glpi/vendor/league/csv/src)
mexitek/phpcolors in (/var/www/html/glpi/vendor/mexitek/phpcolors/src/Mexitek/PHPColors)
guzzlehttp/guzzle in (/var/www/html/glpi/vendor/guzzlehttp/guzzle/src)
guzzlehttp/psr7 in (/var/www/html/glpi/vendor/guzzlehttp/psr7/src)
glpi-project/inventory_format in (/var/www/html/glpi/vendor/glpi-project/inventory_format/lib/php)
wapmorgan/unified-archive in (/var/www/html/glpi/vendor/wapmorgan/unified-archive/src)
paragonie/sodium_compat in (/var/www/html/glpi/vendor/paragonie/sodium_compat/src)
symfony/cache in (/var/www/html/glpi/vendor/symfony/cache)
html2text/html2text in (/var/www/html/glpi/vendor/html2text/html2text/src)
symfony/css-selector in (/var/www/html/glpi/vendor/symfony/css-selector)
symfony/dom-crawler in (/var/www/html/glpi/vendor/symfony/dom-crawler)
twig/twig in (/var/www/html/glpi/vendor/twig/twig/src)
twig/string-extra in (/var/www/html/glpi/vendor/twig/string-extra)
symfony/polyfill-ctype not found
symfony/polyfill-iconv not found
symfony/polyfill-mbstring not found
symfony/polyfill-php80 not found
symfony/polyfill-php81 in (/var/www/html/glpi/vendor/symfony/polyfill-php81)
symfony/polyfill-php82 in (/var/www/html/glpi/vendor/symfony/polyfill-php82)
phpCas version 1.3.8 in (/usr/share/php/CAS/source)
SQL replicas
 
Not active
Notifications
 
Way of sending emails: SMTP+TLS (soporte@tic.gal@smtp.office365.com)
Plugins list
 
    accounts             Name: Accounts                       Version: 3.0.2      State: Enabled                                 
        Install Method: Manual
    actualtime           Name: ActualTime                     Version: 2.0.0      State: Enabled                                 
        Install Method: Manual
    advancedplanning     Name: advancedplanning               Version: 1.1.0      State: Enabled                                 
        Install Method: Marketplace
    news                 Name: Alerts                         Version: 1.10.5     State: Enabled                                 
        Install Method: Marketplace
    handover             Name: Assets Handover                Version: 2.0.0      State: Enabled                                 
        Install Method: Manual
    barcode              Name: Barcode                        Version: 2.7.1      State: Enabled                                 
        Install Method: Marketplace
    behaviors            Name: Behaviours                     Version: 2.7.1      State: Enabled                                 
        Install Method: Manual
    byemail              Name: ByEmail                        Version: 2.0.0      State: Enabled                                 
        Install Method: Manual
    charge               Name: Charges                        Version: 2.0.0      State: Enabled                                 
        Install Method: Manual
    costs                Name: Costs                          Version: 3.0.1      State: Enabled                                 
        Install Method: Marketplace
    credit               Name: Credit vouchers                Version: 1.11.2     State: Enabled                                 
        Install Method: Marketplace
    datainjection        Name: Data injection                 Version: 2.12.0     State: Enabled                                 
        Install Method: Marketplace
    escalade             Name: Escalation                     Version: 2.8.0      State: Enabled                                 
        Install Method: Marketplace
    formcreator          Name: Form Creator                   Version: 2.13.2     State: Enabled                                 
        Install Method: Marketplace
    gantt                Name: gantt                          Version: 1.0.1      State: Enabled                                 
        Install Method: Marketplace
    gappextended         Name: Gapp eXtended                  Version: 2.0.0      State: Enabled                                 
        Install Method: Manual
    gdrive               Name: GDrive                         Version: 1.3.0      State: Installed / not activated               
        Install Method: Marketplace
    gitsync              Name: GitSync                        Version: 2.0.0      State: Enabled                                 
        Install Method: Manual
    glpiinventory        Name: GLPI Inventory                 Version: 1.0.4      State: Installed / not activated               
        Install Method: Marketplace
    uninstall            Name: Item's Lifecycle (uninstall)   Version: 2.8.0      State: Enabled                                 
        Install Method: Marketplace
    jsaddons             Name: JS Addons                      Version: 2.0.0      State: Enabled                                 
        Install Method: Marketplace
    kpi                  Name: KPI                            Version: 1.0.0      State: Enabled                                 
        Install Method: Manual
    oauthimap            Name: Oauth IMAP                     Version: 1.4.1      State: Enabled                                 
        Install Method: Marketplace
    oauthsso             Name: oauthsso                       Version: 1.5.2      State: Enabled                                 
        Install Method: Marketplace
    onetimesecret        Name: OneTimeSecret                  Version: 2.0.0      State: Enabled                                 
        Install Method: Marketplace
    order                Name: Orders management              Version: 2.9.0      State: Enabled                                 
        Install Method: Marketplace
    permissions          Name: Permissions                    Version: 1.3.1      State: Installed / not activated               
        Install Method: Manual
    signaturit           Name: Signaturit                     Version: 1.0.0      State: Enabled                                 
        Install Method: Manual
    tam                  Name: TAM                            Version: 1.4.4      State: Enabled                                 
        Install Method: Manual
    taskdrop             Name: TaskDrop                       Version: 2.0.0      State: Enabled                                 
        Install Method: Marketplace
    tviewer              Name: TViewer                        Version: 1.1.0      State: Installed / not activated               
        Install Method: Manual
    vehicle              Name: Vehicle                        Version: 1.2.1      State: Enabled                                 
        Install Method: Manual
    voip                 Name: VoIP                           Version: 0.7.2      State: Enabled                                 
        Install Method: Manual
    waypoint             Name: Waypoint                       Version: 1.3.0      State: Enabled                                 
        Install Method: Manual
    yagp                 Name: yagp                           Version: 2.1.0      State: Enabled                                 
        Install Method: Marketplace
Locales overrides


Anything else?


I think the error is caused in the class src/GLPIUploadHandler.php line 156 $val->prefix = substr($val->name, 0, 23);


If the name has less than 23 characters it stores in 'prefix' the extension of the document causing that when the function moveUploadedDocument of the class src/Document.php is executed it removes the extension at line 1152 $filename = str_replace($prefix, '', $filename);
            

        

    
            

            

                cedric-anne
                commented
                 1 year ago            

            

                
Hi,


Can you provide the payload that can be used to reproduce this issue ?


I tested a call with following payload on POST http://glpi/apirest.php/Document/ and it successfully created the file:


{
    "headers": {
        "App-Token": "********",
        "Session-Token": "********"
    },
    "multipart": [
        {
            "name": "uploadManifest",
            "contents": "{\"input\":{\"name\":\"API upload test\",\"_filename\":[\"test.txt\"]}}"
        },
        {
            "name": "filename1229194340[]",
            "contents": "A simple text file\nto test API upload.\n\n",
            "filename": "test.txt"
        }
    ]
}
            

        

            

            

                trasher
                commented
                 1 year ago            

            

                
No feedback, I close