glpi-project / glpi

GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing.
https://glpi-project.org
GNU General Public License v3.0

10.0.7 Issues Uploading XLSX Files via UI. #14802

Closed cjdrilling29 closed 1 year ago

cjdrilling29 commented 1 year ago

Version

10.0.7

Bug description

When uploading through the UI I get an error saying I don't have permissions if I upload a file with the XLSX extension. Changing the file to XLS does resolve it. The issue generates the attached. I also get the same error when adding a knowledge base item. The file does upload to _tmp but does not move to files. If you upload the file via the Mail Connector it does upload.

Happens as Self Service, Tech and Super Admin. I have verified the document type exists and is set to upload.

Relevant log output

CSRF check failed for User ID:  at /front/tracking.injector.php2023-05-30 10:44:55 [@VM-GLPI-PERF]
CSRF check failed for User ID:  at /ajax/getDropdownValue.php2023-05-30 10:45:14 [@VM-GLPI-PERF]
CSRF check failed for User ID:  at /front/knowbaseitem.form.php

Page URL

No response

Steps To reproduce

Open Ticket. Attach XLSX File

Your GLPI setup information

GLPI 10.0.7 ( => C:\GLPI-WEB\GLPI-IT) Installation mode: TARBALL Current language:en_US -- Operating system: Windows NT VM-GLPI-PERF 10.0 build 17763 (Windows Server 2019) AMD64 PHP 8.2.6 cgi-fcgi (Core, FFI, PDO, PDO_ODBC, Phar, Reflection, SPL, SimpleXML, Zend OPcache, bcmath, bz2, calendar, cgi-fcgi, com_dotnet, ctype, curl, date, dba, dl_test, dom, enchant, exif, fileinfo, filter, ftp, gd, gettext, gmp, hash, iconv, imap, intl, json, ldap, libxml, mbstring, mysqli, mysqlnd, odbc, openssl, pcre, pdo_mysql, pdo_pgsql, pdo_sqlite, pdo_sqlsrv, pgsql, random, readline, session, shmop, snmp, soap, sockets, sodium, sqlite3, sqlsrv, standard, sysvshm, tidy, tokenizer, xml, xmlreader, xmlwriter, xsl, zend_test, zip, zlib) Setup: max_execution_time="300" memory_limit="512M" post_max_size="8M" safe_mode="" session.save_handler="files" upload_max_filesize="2M" Software: Microsoft-IIS/10.0 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36 Edg/113.0.1774.50 Server Software: MySQL Community Server - GPL Server Version: 8.0.33 Server SQL Mode: STRICT_TRANS_TABLES,NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,NO_ENGINE_SUBSTITUTION Parameters: glpi@localhost/glpi_it Host info: localhost via TCP/IP PHP version (8.2.6) is supported. Sessions configuration is OK. Allocated memory is sufficient. mysqli extension is installed. Following extensions are installed: dom, fileinfo, json, simplexml. curl extension is installed. gd extension is installed. intl extension is installed. libxml extension is installed. zlib extension is installed. The constant SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_NPUBBYTES is present. Database engine version (8.0.33) is supported. No files from previous GLPI version detected. The log file has been created successfully. Write access to C:\GLPI-WEB\GLPI-IT/files/_cache has been validated. Write access to C:\GLPI-WEB\GLPI-IT/config has been validated. 
Write access to C:\GLPI-WEB\GLPI-IT/files/_cron has been validated. Write access to C:\GLPI-WEB\GLPI-IT/files has been validated. Write access to C:\GLPI-WEB\GLPI-IT/files/_dumps has been validated. Write access to C:\GLPI-WEB\GLPI-IT/files/_graphs has been validated. Write access to C:\GLPI-WEB\GLPI-IT/files/_lock has been validated. Write access to C:\GLPI-WEB\GLPI-IT/files/_pictures has been validated. Write access to C:\GLPI-WEB\GLPI-IT/files/_plugins has been validated. Write access to C:\GLPI-WEB\GLPI-IT/files/_rss has been validated. Write access to C:\GLPI-WEB\GLPI-IT/files/_sessions has been validated. Write access to C:\GLPI-WEB\GLPI-IT/files/_tmp has been validated. Write access to C:\GLPI-WEB\GLPI-IT/files/_uploads has been validated. Web server root directory configuration is not safe as it permits access to non-public files. See installation documentation for more details. The following directories should be placed outside "C:\GLPI-WEB\GLPI-IT": ‣ "C:\GLPI-WEB\GLPI-IT/files" ("GLPI_VAR_DIR") ‣ "C:\GLPI-WEB\GLPI-IT\config" ("GLPI_CONFIG_DIR") You can ignore this suggestion if your web server root directory is "C:\GLPI-WEB\GLPI-IT\public". PHP directive "session.cookie_httponly" should be set to "on" to prevent client-side script to access cookie values. OS and PHP are relying on 64 bits integers. exif extension is installed. ldap extension is installed. openssl extension is installed. Following extensions are installed: bz2, Phar, zip. Zend OPcache extension is installed. Following extensions are installed: ctype, iconv, mbstring, sodium. Write access to C:\GLPI-WEB\GLPI-IT/marketplace has been validated. Timezones seems not loaded, see https://glpi-install.readthedocs.io/en/latest/timezones.html. 
GLPI_ROOT: "C:\\GLPI-WEB\\GLPI-IT" GLPI_CONFIG_DIR: "C:\\GLPI-WEB\\GLPI-IT/config" GLPI_VAR_DIR: "C:\\GLPI-WEB\\GLPI-IT/files" GLPI_MARKETPLACE_DIR: "C:\\GLPI-WEB\\GLPI-IT/marketplace" GLPI_USE_CSRF_CHECK: "1" GLPI_CSRF_EXPIRES: "7200" GLPI_CSRF_MAX_TOKENS: "100" GLPI_USE_IDOR_CHECK: "1" GLPI_IDOR_EXPIRES: "7200" GLPI_ALLOW_IFRAME_IN_RICH_TEXT: false GLPI_SERVERSIDE_URL_ALLOWLIST: ["/^(https?\|feed):\\/\\/[^@:]+(\\/.*)?$/"] GLPI_TELEMETRY_URI: "https://telemetry.glpi-project.org" GLPI_INSTALL_MODE: "TARBALL" GLPI_NETWORK_MAIL: "glpi@teclib.com" GLPI_NETWORK_SERVICES: "https://services.glpi-network.com" GLPI_MARKETPLACE_ALLOW_OVERRIDE: true GLPI_MARKETPLACE_MANUAL_DOWNLOADS: true GLPI_USER_AGENT_EXTRA_COMMENTS: "" GLPI_DISABLE_ONLY_FULL_GROUP_BY_SQL_MODE: "1" GLPI_AJAX_DASHBOARD: "1" GLPI_CALDAV_IMPORT_STATE: 0 GLPI_DEMO_MODE: "0" GLPI_CENTRAL_WARNINGS: "1" GLPI_DOC_DIR: "C:\\GLPI-WEB\\GLPI-IT/files" GLPI_CACHE_DIR: "C:\\GLPI-WEB\\GLPI-IT/files/_cache" GLPI_CRON_DIR: "C:\\GLPI-WEB\\GLPI-IT/files/_cron" GLPI_DUMP_DIR: "C:\\GLPI-WEB\\GLPI-IT/files/_dumps" GLPI_GRAPH_DIR: "C:\\GLPI-WEB\\GLPI-IT/files/_graphs" GLPI_LOCAL_I18N_DIR: "C:\\GLPI-WEB\\GLPI-IT/files/_locales" GLPI_LOCK_DIR: "C:\\GLPI-WEB\\GLPI-IT/files/_lock" GLPI_LOG_DIR: "C:\\GLPI-WEB\\GLPI-IT/files/_log" GLPI_PICTURE_DIR: "C:\\GLPI-WEB\\GLPI-IT/files/_pictures" GLPI_PLUGIN_DOC_DIR: "C:\\GLPI-WEB\\GLPI-IT/files/_plugins" GLPI_RSS_DIR: "C:\\GLPI-WEB\\GLPI-IT/files/_rss" GLPI_SESSION_DIR: "C:\\GLPI-WEB\\GLPI-IT/files/_sessions" GLPI_TMP_DIR: "C:\\GLPI-WEB\\GLPI-IT/files/_tmp" GLPI_UPLOAD_DIR: "C:\\GLPI-WEB\\GLPI-IT/files/_uploads" GLPI_INVENTORY_DIR: "C:\\GLPI-WEB\\GLPI-IT/files/_inventories" GLPI_NETWORK_REGISTRATION_API_URL: "https://services.glpi-network.com/api/registration/" GLPI_MARKETPLACE_PLUGINS_API_URI: "https://services.glpi-network.com/api/glpi-plugins/" GLPI_I18N_DIR: "C:\\GLPI-WEB\\GLPI-IT/locales" GLPI_VERSION: "10.0.7" GLPI_SCHEMA_VERSION: "10.0.7@5d45269702917a32805e25b678f6779a98b145f6" 
GLPI_MARKETPLACE_PRERELEASES: false GLPI_MIN_PHP: "7.4.0" GLPI_MAX_PHP: "8.3.0" GLPI_YEAR: "2023" htmlawed/htmlawed version 1.2.9 in (C:\GLPI-WEB\GLPI-IT\vendor\htmlawed\htmlawed) phpmailer/phpmailer version 6.8.0 in (C:\GLPI-WEB\GLPI-IT\vendor\phpmailer\phpmailer\src) simplepie/simplepie version 1.5.8 in (C:\GLPI-WEB\GLPI-IT\vendor\simplepie\simplepie\library) tecnickcom/tcpdf version 6.6.2 in (C:\GLPI-WEB\GLPI-IT\vendor\tecnickcom\tcpdf) michelf/php-markdown in (C:\GLPI-WEB\GLPI-IT\vendor\michelf\php-markdown\Michelf) true/punycode in (C:\GLPI-WEB\GLPI-IT\vendor\true\punycode\src) iamcal/lib_autolink in (C:\GLPI-WEB\GLPI-IT\vendor\iamcal\lib_autolink) sabre/dav in (C:\GLPI-WEB\GLPI-IT\vendor\sabre\dav\lib\DAV) sabre/http in (C:\GLPI-WEB\GLPI-IT\vendor\sabre\http\lib) sabre/uri in (C:\GLPI-WEB\GLPI-IT\vendor\sabre\uri\lib) sabre/vobject in (C:\GLPI-WEB\GLPI-IT\vendor\sabre\vobject\lib) laminas/laminas-i18n in (C:\GLPI-WEB\GLPI-IT\vendor\laminas\laminas-i18n\src) laminas/laminas-servicemanager in (C:\GLPI-WEB\GLPI-IT\vendor\laminas\laminas-servicemanager\src) monolog/monolog in (C:\GLPI-WEB\GLPI-IT\vendor\monolog\monolog\src\Monolog) sebastian/diff in (C:\GLPI-WEB\GLPI-IT\vendor\sebastian\diff\src) donatj/phpuseragentparser in (C:\GLPI-WEB\GLPI-IT\vendor\donatj\phpuseragentparser\src\UserAgent) elvanto/litemoji in (C:\GLPI-WEB\GLPI-IT\vendor\elvanto\litemoji\src) symfony/console in (C:\GLPI-WEB\GLPI-IT\vendor\symfony\console) scssphp/scssphp in (C:\GLPI-WEB\GLPI-IT\vendor\scssphp\scssphp\src) laminas/laminas-mail in (C:\GLPI-WEB\GLPI-IT\vendor\laminas\laminas-mail\src\Protocol) laminas/laminas-mime in (C:\GLPI-WEB\GLPI-IT\vendor\laminas\laminas-mime\src) rlanvin/php-rrule in (C:\GLPI-WEB\GLPI-IT\vendor\rlanvin\php-rrule\src) blueimp/jquery-file-upload in (C:\GLPI-WEB\GLPI-IT\vendor\blueimp\jquery-file-upload\server\php) ramsey/uuid in (C:\GLPI-WEB\GLPI-IT\vendor\ramsey\uuid\src) psr/log in (C:\GLPI-WEB\GLPI-IT\vendor\psr\log\Psr\Log) psr/simple-cache in 
(C:\GLPI-WEB\GLPI-IT\vendor\psr\simple-cache\src) psr/cache in (C:\GLPI-WEB\GLPI-IT\vendor\psr\cache\src) league/csv in (C:\GLPI-WEB\GLPI-IT\vendor\league\csv\src) mexitek/phpcolors in (C:\GLPI-WEB\GLPI-IT\vendor\mexitek\phpcolors\src\Mexitek\PHPColors) guzzlehttp/guzzle in (C:\GLPI-WEB\GLPI-IT\vendor\guzzlehttp\guzzle\src) guzzlehttp/psr7 in (C:\GLPI-WEB\GLPI-IT\vendor\guzzlehttp\psr7\src) glpi-project/inventory_format in (C:\GLPI-WEB\GLPI-IT\vendor\glpi-project\inventory_format\lib\php) wapmorgan/unified-archive in (C:\GLPI-WEB\GLPI-IT\vendor\wapmorgan\unified-archive\src) paragonie/sodium_compat in (C:\GLPI-WEB\GLPI-IT\vendor\paragonie\sodium_compat\src) symfony/cache in (C:\GLPI-WEB\GLPI-IT\vendor\symfony\cache) html2text/html2text in (C:\GLPI-WEB\GLPI-IT\vendor\html2text\html2text\src) symfony/css-selector in (C:\GLPI-WEB\GLPI-IT\vendor\symfony\css-selector) symfony/dom-crawler in (C:\GLPI-WEB\GLPI-IT\vendor\symfony\dom-crawler) twig/twig in (C:\GLPI-WEB\GLPI-IT\vendor\twig\twig\src) twig/string-extra in (C:\GLPI-WEB\GLPI-IT\vendor\twig\string-extra) symfony/polyfill-ctype not found symfony/polyfill-iconv not found symfony/polyfill-mbstring not found symfony/polyfill-php80 not found symfony/polyfill-php81 not found symfony/polyfill-php82 in (C:\GLPI-WEB\GLPI-IT\vendor\symfony\polyfill-php82) league/oauth2-client in (C:\GLPI-WEB\GLPI-IT\vendor\league\oauth2-client\src\Provider) league/oauth2-google in (C:\GLPI-WEB\GLPI-IT\vendor\league\oauth2-google\src\Provider) thenetworg/oauth2-azure in (C:\GLPI-WEB\GLPI-IT\vendor\thenetworg\oauth2-azure\src\Provider) Way of sending emails: SMTP Name: 'IT Helpdesk' Active: Yes Password: No accounts Name: Accounts Version: 3.0.3 State: Enabled Install Method: Marketplace fields Name: Additional Fields Version: 1.20.5 State: Enabled Install Method: Marketplace barcode Name: Barcode Version: 2.7.1 State: Enabled Install Method: Marketplace behaviors Name: Behaviours Version: 2.7.2 State: Enabled Install Method: Marketplace 
archibp Name: Business Processes Version: 2.0.2 State: Installed / not activated Install Method: Marketplace datainjection Name: Data injection Version: 2.13.0 State: Enabled Install Method: Marketplace archimap Name: Diagrams Version: 3.2.20 State: Not installed Install Method: Marketplace gantt Name: gantt Version: 1.0.4 State: Enabled Install Method: Marketplace gappessentials Name: Gapp Essentials Version: 2.1.2 State: Installed / not activated Install Method: Marketplace glpiinventory Name: GLPI Inventory Version: 1.2.1 State: Enabled Install Method: Marketplace sccm Name: Interface - SCCM Version: 2.4.1 State: Installed / not activated Install Method: Marketplace oauthimap Name: Oauth IMAP Version: 1.4.3 State: Enabled Install Method: Marketplace genericobject Name: Objects management Version: 2.14.2 State: Enabled Install Method: Marketplace order Name: Orders management Version: 2.10.3 State: Enabled Install Method: Marketplace printercounters Name: Printer counters Version: 2.0.0 State: Enabled Install Method: Marketplace purchaserequest Name: Purchase request Version: 3.0.1 State: Enabled Install Method: Marketplace screenshot Name: Screenshot Version: 2.0.2 State: Enabled Install Method: Marketplace statecheck Name: Statecheck Rules Version: 2.3.9 State: Enabled Install Method: Marketplace manufacturersimports Name: Suppliers imports Version: 3.0.5 State: Enabled Install Method: Marketplace timelineticket Name: Timeline of tickets Version: 10.0+1.1 State: Installed / not activated Install Method: Marketplace webresources Name: Web Resources Version: 2.0.3 State: Installed / not activated Install Method: Marketplace

Anything else?

No response

cedric-anne commented 1 year ago

Hi,

What is the exact message you get when trying to upload the file? Can you add a screenshot?

cjdrilling29 commented 1 year ago

This happens with any XLSX file. [image] Uploads okay and shows in _TMP. But when you click to add the note to the ticket: [image]

Edit: [image] The document type as well.

9160602200 commented 1 year ago

Hi, I am updating GLPI from 10.6 to 10.7. After logging in, the dashboard shows a message like: "Web server root directory configuration is not safe as it permits access to non-public files. See installation documentation for more details."

How can I get rid of this? [image: glpi-10 7]

Can you please help regarding the above error?

cconard96 commented 1 year ago

I cannot recreate the issue, but I can confirm that other people had similar issues. https://forum.glpi-project.org/viewtopic.php?id=287080

cjdrilling29 commented 1 year ago

Happy to provide any other information that could help. I have discovered it's any new addition to the document type list so far as well. I created files with the extensions qwertyx, qwertyz and qwerty and it fails. It also works for PowerPoint PPT but not PPTX files, which are default, and I have not modified those built-in document types. Any help is greatly appreciated. Thanks.

cconard96 commented 1 year ago

Are the file permissions correct on the "files" folder? If it works with existing extensions, upload to the tmp folder all the time, and you have no issue with documents from emails, I bet that the permissions on the folder itself are wrong, but correct for the extension folders within it.

If you have your automatic action for collecting emails in CLI/Cron mode, make sure it is running as the web server user (www-data, etc) and not root.

cjdrilling29 commented 1 year ago

Yes. It is running as a service account which has "Modify" permissions on the "Files" folder and all subfolders, and is also the owner of the folder. It does pick up emails via Mailgate but not through the UI. [image] [image]

cjdrilling29 commented 1 year ago

The main thing I notice is that this specific error does not have a user ID with it in the log while the others do. [image]
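The observation above (the CSRF failure lines carry no user ID while other entries do) can be checked mechanically rather than by eye. The script below is an added example, not code from the GLPI project or from anyone in this thread: it parses lines shaped like the log excerpt in the report, where the extraction ran the timestamp and the "[@host]" tag straight onto the request path, splits out user ID, path, timestamp and host, and lists the failures that have no user ID, grouped by path. The sample lines are constructed for the example; the "User ID: 7" entry is invented so that the filter has something to keep and something to drop.

```python
import re
from collections import Counter

# Constructed sample, shaped like the php-errors excerpt quoted in the report.
# In that excerpt the timestamp and "[@host]" tag were run straight onto the
# request path, so the parser has to peel them off the end of the path.
# The "User ID: 7" line is invented here so the filter has a counter-example.
SAMPLE_LOG = """\
CSRF check failed for User ID:  at /front/tracking.injector.php2023-05-30 10:44:55 [@VM-GLPI-PERF]
CSRF check failed for User ID:  at /ajax/getDropdownValue.php2023-05-30 10:45:14 [@VM-GLPI-PERF]
CSRF check failed for User ID: 7 at /front/ticket.form.php2023-05-30 10:46:02 [@VM-GLPI-PERF]
CSRF check failed for User ID:  at /front/knowbaseitem.form.php
Some unrelated log line that must be ignored
"""

# uid may be empty (the case the thread is about); the timestamp and host tag
# are optional because the last excerpt line has neither. The path is matched
# non-greedily so that a timestamp glued onto it is not swallowed.
LINE_RE = re.compile(
    r"^CSRF check failed for User ID:\s*(?P<uid>\d*)\s+at\s+"
    r"(?P<path>\S+?)"
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})?"
    r"(?:\s+\[@(?P<host>[^\]]+)\])?\s*$"
)


def parse_csrf_failures(text):
    """Return one dict per recognised 'CSRF check failed' line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue  # not a CSRF failure line
        events.append({
            "user_id": m.group("uid") or None,  # None: no user ID was recorded
            "path": m.group("path"),
            "timestamp": m.group("ts"),
            "host": m.group("host"),
        })
    return events


def anonymous_failures(events):
    """Failures logged with an empty user ID, the symptom noted in this thread."""
    return [e for e in events if e["user_id"] is None]


def failures_by_path(events):
    """Count the user-less failures per request path to see which endpoints are affected."""
    return Counter(e["path"] for e in anonymous_failures(events))


if __name__ == "__main__":
    evs = parse_csrf_failures(SAMPLE_LOG)
    for path, n in failures_by_path(evs).most_common():
        print(f"{n:3d}  {path}")
```

Run against a real php-errors log, the per-path counts show whether the user-less CSRF failures are confined to the upload endpoints named in this thread or spread across the application; the latter would point at something session-wide rather than at the document type configuration.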

cjdrilling29 commented 1 year ago

I have been digging around in permissions and still have been unable to find something.

cedric-anne commented 1 year ago

Do you have some kind of firewall on your system/network? Could you try to reproduce on a test server located outside your network infrastructure?

trasher commented 1 year ago

No feedback for a while, closing.

joacoetche06 commented 2 months ago

Hi, I have a similar problem. When I try to upload a SQL file I receive this pop-up: [image] Then, when I check, the AJAX response is empty: [image]