reliatec-gmbh / LibreClinica

LibreClinica is the community driven successor of OpenClinica. It is an open source clinical trial software for Electronic Data Capture (EDC) Clinical Data Management (CDM).
https://libreclinica.org
GNU Lesser General Public License v3.0

Download of files impossible (Windows). #383

Open rhe-reliatec opened 9 months ago

rhe-reliatec commented 9 months ago

Description:

Install LibreClinica on Windows (10 Professional, also Win 11). It is not possible to download previously uploaded files. The download URLs are not encoded at all. Therefore they contain invalid characters. The only thing you get back is an error page:

HTTP Status 400 – Bad Request

Type Exception Report

Message Invalid character found in the request target [/LibreClinica/DownloadAttachedFile?eventCRFId=7&fileName=./theuploads/attached_files\S_LCSTUDY\_Screenshot_2023_11_23_181045617A9CAC9B5DBAB7E65B5CEDABB40DFBE1481377_8287568368932741925.png]. The valid characters are defined in RFC 7230 and RFC 3986

Description The server cannot or will not process the request due to something that is perceived to be a client error (e.g., malformed request syntax, invalid request message framing, or deceptive request routing).

Exception

java.lang.IllegalArgumentException: Invalid character found in the request target [/LibreClinica/DownloadAttachedFile?eventCRFId=7&fileName=./theuploads/attached_files\S_LCSTUDY\_Screenshot_2023_11_23_181045617A9CAC9B5DBAB7E65B5CEDABB40DFBE1481377_8287568368932741925.png]. The valid characters are defined in RFC 7230 and RFC 3986
    org.apache.coyote.http11.Http11InputBuffer.parseRequestLine(Http11InputBuffer.java:490)
    org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:261)
    org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
    org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:888)
    org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1597)
    org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
    java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    java.lang.Thread.run(Thread.java:748)

Note The full stack trace of the root cause is available in the server logs.
Apache Tomcat/9.0.41

Furthermore, if you use the default for filePath in datainfo.properties

filePath=${catalina.home}/${WEBAPP.lower}.data/

the invalid URL contains the full path of the uploaded file. 'Hearsay' says this is something that should be avoided for security reasons.

Requirements: A study with a CRF which contains a file-upload field.

Steps to follow:

Expected result: I want my file back.

Actual result: A Tomcat error page (text is in Description).

Server Setup (optional):

toskrip commented 9 months ago

The DownloadAttachedFile servlet is actually not using the path to the file provided in the download URL; only the filename is extracted from this path (the absolute path is constructed on the server side from scratch). IMHO the better solution would be to pass only an ID (that would be item_data_id) in the download URL, which is then resolved on the server side to locate the actual uploaded file.
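As an added illustration (not LibreClinica's own code) of the two points in this thread: the fileName query parameter has to be percent-encoded before it can appear in a request target that Tomcat accepts, the server should only ever use the last path component of what it receives, and the ID-based design avoids putting a server path in the URL at all. The upload root, the sample file name and the id-to-file map are assumed values.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Map;

public class AttachedFileDownloadExample {
    // Assumed upload root, standing in for filePath from datainfo.properties.
    static final Path UPLOAD_ROOT = Paths.get("/opt/tomcat/libreclinica.data/attached_files");

    // Build the link with the file name percent-encoded, so '\' becomes %5C and
    // '/' becomes %2F; the request target then only contains RFC 3986 characters.
    static String buildDownloadUrl(int eventCrfId, String fileName) {
        return "/LibreClinica/DownloadAttachedFile?eventCRFId=" + eventCrfId
            + "&fileName=" + URLEncoder.encode(fileName, StandardCharsets.UTF_8);
    }

    // Reduce whatever the client sent to its last path component, treating both
    // '/' and '\' as separators so a Windows-style path is handled on any OS.
    static String bareFileName(String rawParam) {
        int cut = Math.max(rawParam.lastIndexOf('/'), rawParam.lastIndexOf('\\'));
        return rawParam.substring(cut + 1);
    }

    // Resolve the bare name inside UPLOAD_ROOT and refuse anything outside it.
    static Path resolveUpload(String rawParam) {
        Path target = UPLOAD_ROOT.resolve(bareFileName(rawParam)).normalize();
        if (!target.startsWith(UPLOAD_ROOT)) {
            throw new IllegalArgumentException("file is outside the upload root");
        }
        return target;
    }

    // ID-based variant: the URL carries only item_data_id and the server keeps
    // the mapping to the stored file (constructed sample mapping).
    static final Map<Integer, Path> ITEM_DATA_FILES = Map.of(
        42, UPLOAD_ROOT.resolve("S_LCSTUDY/_Screenshot_example.png"));

    static Path resolveByItemDataId(int itemDataId) {
        Path stored = ITEM_DATA_FILES.get(itemDataId);
        if (stored == null) throw new IllegalArgumentException("unknown item_data_id");
        return stored;
    }

    public static void main(String[] args) {
        // Constructed sample in the same shape as the path from the bug report.
        String raw = "./theuploads/attached_files\\S_LCSTUDY\\_Screenshot_example.png";
        System.out.println(buildDownloadUrl(7, raw));   // encoded, Tomcat accepts it
        System.out.println(resolveUpload(raw));         // .../attached_files/_Screenshot_example.png
        System.out.println(resolveByItemDataId(42));    // path never appears in the URL
    }
}
```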