PDFs (And other files) dont upload in Joomla 3.7.1

[PhilETaylor]

Placeholder issue to catch trending issues with Joomla 3.7.1 & incoming reports with regards to uploading issues due to new mime checks

If you are having an issue with PDFs (And other files) not uploading in Joomla 3.7.1 DONT start a new issue, post here,

Please provide a FULL file of your system information from the system information page of Joomla admin (Download as text)

Is there a bug with uploading PDF files through the Media Manager? I've tried it through Media Manager and the Ark Media Manager and neither will allow me to upload PDF files anymore.

3.7.1, php 7

[zero-24]

Please check the allowed mine types as we now force to check on that.

[freshlookweb]

I have application/pdf listed in the allowed MIME types. I could upload pdfs just fine before I upgraded to 7.1

[zero-24]

please try your file against this checker: http://mime.ritey.com/ and told us the result.

[freshlookweb]

File results

The MIME type for your file is: application/pdf

[freshlookweb]

Do you not get that error when you try to upload pdfs zero?

[tpaljr63]

Having same issue with pdf files - checked all the settings ...only way i was able to get it to upload a pdf through Media Manager was
to either place pdf in the "ignored extensions" or turn off Check MIME Types..I do have "application/pdf" under Legal MIME Types.

Joomla was updated this morning and issue started.

---

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/16086.}

[tpaljr63]

systeminfo-2017-05-17T15-52-33+00-00.txt

---

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/16086.}

[zero-24]

Please add application/octet-stream to the allowed mine types.

[tpaljr63]

Removed the pdf from ignored extensions - added application/octet-stream - tested uploading a pdf through Media Manager - Success!

---

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/16086.}

[tpaljr63]

File results
The MIME type for your file is: application/pdf

---

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/16086.}

[zero-24]

ok found the problem.

it is about the ordering of the options to check. We should first check here: https://github.com/joomla/joomla-cms/blob/staging/libraries/cms/helper/media.php#L81 and than the other. Or implement some kind of checks for application/octet-stream so that in that case the other options are checked too.

I can do a PR when i'm back at home.

[tpaljr63]

Questions: Why would adding the "application/octet-stream" to Legal MIME Types affect pdf upload in Media Manager since "application/pdf" was allowed already and is there a Security Risk adding "application/octet-stream" to the Legal MIME Types?

---

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/16086.}

[tpaljr63]

Thanks Zero and Phil

---

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/16086.}

[dgrammatiko]

@tpaljr63 actually is not Joomla but the server (apache I guess) that is missing some vital info (mimes): http://stackoverflow.com/questions/13847234/apache2-server-mime-types

[zero-24]

actually is not Joomla but the server (apache I guess) that is missing some vital info (mimes):

saddly not http://php.net/manual/en/function.exif-imagetype.php can only detect image mimes. So it fails on PDF files or similiar and return the application/octet-stream.

[freshlookweb]

Sorry for my ignorance...what is the solution? Do I have to add application/octet-stream to all my websites or will there be a Joomla update to fix this? Eric Schuster Fresh Look Web Design 757.646.7908 eric.schuster@freshlookwebdesign.com www.freshlookwebdesign.com

…

On Wed, May 17, 2017 at 1:11 PM, zero-24 ***@***.***> wrote: actually is not Joomla but the server (apache I guess) that is missing some vital info (mimes): saddly not http://php.net/manual/en/function.exif-imagetype.php can only detect image mimes. So it fails on PDF files or similiar and return the application/octet-stream. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#16086 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AbbZy5RaIMu19b23YnyLNUa24lOQnM-Rks5r6ypCgaJpZM4NeCo2> .

[freshlookweb]

Thanks guys. With this bug, is it wise for me to delay upgrading all 60+ of my websites to 7.1? Could I just wait for 3.7.2? Eric Schuster Fresh Look Web Design 757.646.7908 eric.schuster@freshlookwebdesign.com www.freshlookwebdesign.com

…

On Wed, May 17, 2017 at 2:20 PM, Phil Taylor ***@***.***> wrote: This will be looked at, and then a Pull Request made to fix this behaviour, and that, if tested, will make it into Joomla 3.7.2 — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#16086 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AbbZy55ygInU3spl-0E7mXDNqNYA-od0ks5r6zp_gaJpZM4NeCo2> .

[Bakual]

If you can risk getting hacked, feel free to delay upgrading to 3.7.1 😈

[zero-24]

Please check: #16091 and sorry for any inconvenience

[PetrCo]

What just helped me with other uploads after 3.7.1.: Administrator > Content > Media > Options > Check MIME Types > No

[zero-24]

What just helped me with other uploads after 3.7.1.: Administrator > Content > Media > Options > Check MIME Types > No

Sure you disable all security checks but it woud help if you could check the patch. At #16091 that should fix the issue. Thanks

[PetrCo]

What just helped me with other uploads after 3.7.1.: Administrator > Content > Media > Options > Check MIME Types > No
Sure you disable all security checks but it woud help if you could check the patch. At #16091 that should fix the issue. Thanks

THANKS!

[zero-24]

THANKS!

Did you tested the Patch? What was the result?

[PetrCo]

THANKS!
Did you tested the Patch? What was the result?

No, I did not, too complex for me, I am afraid. Just thank you for explaining that my "fix" is dangerous. :-) Switching Check MIME Types > Yes. Cannot wait for new update.

[PetrCo]

@PetrCo Well lets hope you have VERY trusted users then. We would never recommend running such a setting, use at your own risk

Got it, switching back to Yes :-)

[PetrCo]

I just tested the patch (3files in #16091), and I can confirm a successful upload (jpg, png, pdf).

[joomla-cms-bot]

Set to "closed" on behalf of @franz-wohlkoenig by The JTracker Application at issues.joomla.org/joomla-cms/16086

[ghost]

closed as having PR #16091

---

_{This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/16086.}

[OrignlCin]

I am stil having issues with this. Have updated to 3.72 running php 7.0.15.
systeminfo-2017-05-26T08_28_46-05_00.txt

[edthenet]

Oke, now we are more then a year further in time, and still this problem is there. I have Joomla! 3.8.6 and can't upload a PDF. I have added application/octet-stream and even set the check mimetype to NO, but still the media manager keeps saying that it's a wrong image. Is there another solution?

[uglyeoin]

I have arrived here with the same problem, I can confirm @edthenet s assertion that adding application/octet-stream doesn't solve the issue.

[goforitweb]

I have no idea how the Joomla developers consider this CLOSED. But I can tell you a workaround acceptable to some non-technical content contributors:

If you use JCE, you can use the LINK editor function, which allows you to browse and upload a PDF to the very same area that was determined "illegal". Go figure. Hopefully they won't take this away. :D

[ggppdk]

@PhilETaylor

yes as you said there is the topic of

• doing proper configuration
• (and) about having server with proper detection of mime ...

but the problem of @uglyeoin and @goforitweb
and of many others who result in using 3rd party media manager
is

• the false positives during the safety checks !!

Uploaded files are always treated as text even if they are binary
searching inside the file for
<?php
.php
.js

etc

The larger the file is the bigger chance you have a having a false positive

public static function upload($src, $dest, $use_streams = false, $allow_unsafe = false, $safeFileOptions = array())

and JCE runs with $allow_unsafe = true

	if (JFile::upload($src, $dest, $use_streams = false, $allow_unsafe = false)) {

Relevant issues
#15563
#20618
and
#8197

zips are not uncompressed but still they are scanned as text files
pdf are not parsed as PDF but still they are scanned as text files

[goforitweb]

“This was closed as there is nothing else to fix in Joomla.” -- @PhilETaylor

I respectfully disagree. An application developer's job is to provide a solution – whether it be Media Manager or something else – as a means of uploading PDFs … unless you are saying that you are completely against PDFs being on a website at all. And if that’s the case, SAY IT! And while you're at it - tell people what content contributors should use as a document object/method instead. You're not leaving us with a solution or guidance. The threads here a read by few, and it's way down in the weeds.

Obviously JCE goes around Joomla’s methods because people wanted a way, and Joomla wanted us to be safe. While it may not be ideal, and may be true, JCE is a lot closer to a user-friendly method.

[mbabker]

unless you are saying that you are completely against PDFs being on a website at all

Nobody's saying that. What is being said is that Joomla must be explicitly configured to support PDF uploads for various reasons and that we are not enabling this out-of-the-box. Extensions may be bypassing the Joomla upload checks, which is fine if they are doing their own checks. That's all it boils down to.

The absolute safest file upload method is to send the file to an authorized individual to perform a rudimentary virus scan and FTP upload. As a security measure, Joomla does not just arbitrarily allow any user to upload any file, there are checks in place to try and safely limit what kinds of files can be uploaded through the application since it cannot do an in-depth file scan like an offline scanner would to ensure you aren't uploading something malicious.

[goforitweb]

@mbabker

So I'm telling my non-technical content contributors (the clients!) to "send the file to an authorized individual (me??) to perform a rudimentary virus scan and FTP upload?" Exactly how do I do that with a straight face? 🗡️

[mbabker]

I said that's the safest, not that it would be the best option for everyone. File uploads are an inherent security risk in any application and if you're supporting them generally there should be explicit configuration about who can do them and what types of files are allowed (with appropriate server side checks before processing the upload). All I can do is say why we have our code set up in the way we do and why extensions which bypass those checks or other CMS' which don't make checks at all might be problematic down the road (not to say that any Joomla extension which bypasses the core upload processing is unsafe, they can be performing their own checks separately, I don't know the code of every extension and can't speak on it without proper audits).

[goforitweb]

@mbabker

I understand your point of view, i.e. of the developer. I really do. I used to be one many moons ago. :D

But you also know that DropBox still has ~45% of the market share with its shoddy security despite losing masssive amounts to its competitors. I won't even mention WP. Oops!

I think the happy medium here is to provide visible guidance (possibly in the Media Manager?) where content contributors learn and decide which route they want to take.

Leaving it up to the front line support people to do the unenviable task of explaining the almost-unexplainable is Chicken $hit. We're your promoters! Why hang us? Show the right way. Design a real solution and then market the difference!

[csthomas]

I added one more solution #20968