MIME error only for non-Admins?
Posted: 22 October 2008 05:26 PM
Lab Assistant

I have two member groups, Editors & SuperAdmins

When logged in as an Editor, I get the following error when trying to upload any .mp3 via ‘Publish’:

The file you are attempting to upload has invalid content for its MIME type.

However, I can upload the exact same file into the exact same upload directory as a SuperAdmin, no problems.

I’m positive that the Editors group has upload privileges for the directory in question. I’m also positive that it is a valid MP3 and that “.mp3” is listed in my mimes.php file. (I assume it was there by default.)

Am I missing something?

Posted: 22 October 2008 06:08 PM   [ # 1 ]
Administrator

Probably XSS filtering at work here. Can you go to CP Home › Admin › System Preferences › Security and Session Preferences and see what your setting for “Apply XSS Filtering to uploaded files?” is?

Thanks,

-greg

Posted: 23 October 2008 07:49 AM   [ # 2 ]
Lab Assistant

That did it.

So I’m assuming the XSS filter is looking for any signs of code injection, and/or maybe re-encoding the file? Whatever the case, why would a non-Admin user group make a difference? Does EE make exceptions if the file is coming from an Admin?

Anyways, thanks for your insight.

Ryan

Posted: 23 October 2008 08:04 AM   [ # 3 ]
Lab Technician

XSS-filtering is skipped for Super-Admins by default, yes.

Posted: 23 October 2008 09:45 AM   [ # 4 ]
Moderator

Right, by default, superadmins are exempt from the check. It’s basically looking for signs of an injection attack via the image. Unless you are dead certain that only trusted personnel can upload images, and that includes things like signature images and avatars, it’s best to leave it on. If someone has an image that fails, they can always email it and admins can make the call on whether to upload it.

Posted: 22 February 2009 04:42 PM   [ # 5 ]
Grad Student
Robin Sowell - 23 October 2008 09:45 AM

Right, by default, superadmins are exempt from the check. It’s basically looking for signs of an injection attack via the image. Unless you are dead certain that only trusted personnel can upload images, and that includes things like signature images and avatars, it’s best to leave it on. If someone has an image that fails, they can always email it and admins can make the call on whether to upload it.

OK, if we leave it on, how do we allow another user to upload an mp3 file that normally errors out because of this?

Any way to skip XSS for certain member groups, while leaving it on for others? I’d like to keep the site as secure as possible, but I do need to have a few users be able to upload mp3 files.

Posted: 23 February 2009 12:49 AM   [ # 6 ]
Moderator

jhgravelle,

Super Admins are the only member group who have an exception to XSS filtering.
You could maybe create a new member group based on the SuperAdmin group and lock down as much as you need then assign those few users to it.

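The behaviour discussed in this thread, as an added sketch that is not ExpressionEngine's code: a content check that scans the head of an upload for markup-like bytes and skips the scan entirely for exempt member groups. The marker list, scan window, and sample MP3 files are constructed assumptions; only the Super Admin exemption comes from the thread.

```python
import re
import struct

# Assumptions for this sketch (not ExpressionEngine's rules): the marker list
# and the scan window. The Super Admin exemption is what the thread describes.
MARKUP = re.compile(rb"<\s*(?:script|iframe|object|embed|a\s+href|\?php)", re.I)
SCAN_BYTES = 256
EXEMPT_GROUPS = {"Super Admins"}


def synchsafe(n):
    """Encode an ID3v2 tag size: 7 bits per byte, high bit always clear."""
    return bytes((n >> shift) & 0x7F for shift in (21, 14, 7, 0))


def build_mp3(comment):
    """Constructed sample: ID3v2.3 tag with one COMM frame, then one MPEG frame."""
    body = b"\x00" + b"eng" + b"\x00" + comment  # encoding, language, empty description
    frame = b"COMM" + struct.pack(">I", len(body)) + b"\x00\x00" + body
    tag = b"ID3\x03\x00\x00" + synchsafe(len(frame)) + frame
    # 0xFFFB9000 = MPEG-1 Layer III, 128 kbps, 44.1 kHz: a 417-byte frame
    return tag + b"\xff\xfb\x90\x00" + b"\x00" * 413


def check_upload(data, member_group):
    """Return (accepted, reason) for an upload from the given member group."""
    if member_group in EXEMPT_GROUPS:
        return True, "skipped: group is exempt from the content check"
    hit = MARKUP.search(data[:SCAN_BYTES])
    if hit:
        return False, "rejected: markup-like bytes at offset %d" % hit.start()
    return True, "accepted"


# Constructed samples: a valid MP3 whose comment tag holds a link, and one without.
TAGGED = build_mp3(b'Download at <a href="http://example.com/">our site</a>')
PLAIN = build_mp3(b"Recorded live")

if __name__ == "__main__":
    for name, data in (("tagged.mp3", TAGGED), ("plain.mp3", PLAIN)):
        for group in ("Editors", "Super Admins"):
            print(name, group, check_upload(data, group))
```

The same bytes pass or fail depending only on the uploader's group, so any group that is given the exemption uploads content that is never inspected.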
 
 
   
 
 