File upload security with content management module

This is the place to report bugs and get support. When posting in this forum, please always provide as much detail as possible.

Please do not report problems with a custom build or custom code in this forum. If you are producing your own build from the source code and have problems or questions, ask in the developer forum, do not report it as a bug.

This is the place to report bugs and get support

When posting in this forum, please try to provide as many relevant details as possible. Particularly the following:

  • What operating system were you running when the bug appeared?
  • What database platform is your site using?
  • What version of mojoPortal are you running?
  • What version of .NET do you use?
  • What steps are necessary to reproduce the issue? Compare expected results vs actual results.
Please do not report problems with a custom build or custom code in this forum. If you are producing your own build from the source code and have problems or questions, ask in the developer forum.
This thread is closed to new posts. You must sign in to post in the forums.
4/29/2010 12:33:54 PM
CTIDRS
Gravatar
Total Posts 11
View Posts

File upload security with content management module

OS = Server 2008 SP2 IIS 7.5
DB = Mssql
Mojover = mojoportal-2-3-4-2-mssql
Editor = defualt

When I upload images through the content managment editor the file security settings get reset I lose iuser and other security settings that have been set to propigate on the data folder. I can upload through the file manager then browse the server for images to be inserted into content without issue but whe uploading via text editor control I cannot access what I upload. If anyone has run into this and been able to fix it then please post the resolution.

 

Thank You,

Steve


e
 

4/29/2010 1:10:51 PM
Joe Audette
Gravatar
Total Posts 18439
View Posts

Re: File upload security with content management module

Hi Steve,

In IIS 7.5, double click the Authentication icon, then right click the Anonymous Authentication line and choose edit. What do you see there? Is it set to use IUser or ApplicationPoolIdentity?

If it is set to use application pool identity then the identity user on your application pool is the user who needs file system permissions and who will own newly uploaded files because that is the user that the web process executes as.

A lot of this is changes in IIS 7.5, in IIS 6 and 7 the default was to use NETWORK SERVICE as the identiity on the appication pool and then the file permissions needed to be for NETWORK SERVICE.

If all else fails you can configure your app pool to use NETWORK SERVICE and then set file and folder permissions for NETWORK SERVICE rather than IUser.

Hope it helps,

Joe

4/29/2010 2:07:24 PM
CTIDRS
Gravatar
Total Posts 11
View Posts

Re: File upload security with content management module

Joe,

Thank you for your response. This is what I have found.

1) I verified Anonymous was already set to IUSR
2) IUSR & NetworkService have full control to the data folder & new subfolders do inherit the permissions but files uploaded through the content editor do not. Files uploaded through filemanager work perfectly.
3) App Pool was set to AppPoolIdentity by default and was changed to NetworkService. Did not change the issue.
4) Files uploaded via FTP or file copying do inherit the correct permissions just not files managed the content editor.

If you can think of anything please let me know.

 

as always
Thank you,

Steve

4/30/2010 9:10:19 AM
CTIDRS
Gravatar
Total Posts 11
View Posts

Re: File upload security with content management module

I found my problem to be with neat upload ver 1.3.22
We found the following on the issue.

7.2 Permissions on uploaded files depend on temporary directory
Uploaded files are created in a temporary directory and inherit the permissions of that directory. Calling InputFile.MoveTo() does not change the permissions. In some environments, files in the default temporary directory are not readable by web applications, and as a result uploaded files are not readable by the web application. To avoid this issue, simply change the temporary directory used by NeatUpload to a directory that has the permissions you desire.

We changed the temp dir to the data dir which resolved the issue thus far.

4/30/2010 9:13:22 AM
Joe Audette
Gravatar
Total Posts 18439
View Posts

Re: File upload security with content management module

Hi,

Glad you got it fixed.

fyi, if the App_Data folder is writable it uses that by default instead of the windows temp folder without any need for custom configuration.

Best,

Joe

5/3/2010 12:08:05 PM
cury
Gravatar
Total Posts 1
View Posts
Axis Technolabs, CA, USA Website Design http://www.axistechnolabs.com/

Re: File upload security with content management module

Thanks, I got hint too.

You must sign in to post in the forums. This thread is closed to new posts.