Warning: File not uploaded for security reasons


Post by beau18907 » Sun Jul 19, 2015 2:28 pm

I have a component that allows uploads of zip files. Recently I tried to upload one of my updated zip files but I get Warning: File not uploaded for security reasons!
Never got this before. Am running Joomla version 3.4.3.
Tracked down that the media files options need to have the file type of zip added, did so. Still doesn't allow me to upload this type.
My component has been around for over 2 years and never had this problem before.

Would appreciate some help on this one.
Last edited by Per Yngve Berg on Sat Nov 07, 2015 2:58 pm, edited 2 times in total.
Reason: topic moved from security to extension, duplicate/xpost topics merged. please do not xpost as it wastes time, spreads answers across the forum and causes confusion, http://forum.joomla.org/viewtopic.php?f=8&t=65

 

Re: Warning: File not uploaded for security reasons

Post by AMurray » Sun Jul 19, 2015 10:08 pm

Could it be a change your host hasn't informed you of such as they recently started blocking that file type?

beau18907 wrote: Tracked down that the media files options need to have the file type of zip added, did so. Still doesn't allow me to upload this type.

Assuming that means you checked Media Manager / Options. Check the file types allowed there; they might override anything you put in the actual extension's options.
Regards,
--------------------------------------------------------------
A Murray
Millennium Falcon - it's the ship that made the Kessel run in less than 12 parsecs! The fastest hunk of junk in the galaxy.


Re: Warning: File not uploaded for security reasons

Post by beau18907 » Mon Jul 20, 2015 11:23 am

It's not the webhost, the warning message is from Joomla. Yes I checked the media manager options, added zip and ZIP. Still fails.


Re: Warning: File not uploaded for security reasons

Post by ionut » Mon Jul 20, 2015 11:25 am

Maybe the component has its own options where you need to add the file type. If not, you should contact the developer, he should know the solution to your problem.


Re: Warning: File not uploaded for security reasons

Post by beau18907 » Mon Jul 20, 2015 1:50 pm

I am the developer. This has been working for the past 2 years. This seems to have started with the most recent Joomla updates. I created the file locally, then moved it up to my host. Works fine now.


Re: Warning: File xxx.zip not uploaded for security reasons!

Post by Bernard T » Sat Sep 05, 2015 5:42 pm

Which component?
VEL Team || Security Forum || PHP/Web Security Specialist || OWASP member
JAMSS author http://forum.joomla.org/viewtopic.php?f=621&t=777957
Twitter: @toplak


Re: Warning: File xxx.zip not uploaded for security reasons!

Post by toivo » Sat Sep 05, 2015 5:48 pm

Toivo Talikka, Global Moderator


Re: Warning: File xxx.zip not uploaded for security reasons!

Post by beau18907 » Sat Sep 05, 2015 6:33 pm

It's a Classified Ads component that I developed. Has been in production for 3 yrs (since Joomla 1.5)


Re: Warning: File xxx.zip not uploaded for security reasons!

Post by toivo » Sat Sep 05, 2015 7:04 pm

The warning is generated by /libraries/joomla/filesystem/file.php on line 471 when the file is found unsafe by the method JFilterInput::isSafeFile().

The method isSafeFile() is defined in /libraries/joomla/filter/input.php and it was introduced in 3.x to check the uploaded file for "suspicious naming and potential PHP contents which could indicate a hacking attempt".

Files get rejected by default if:
- there is a null byte in the file name
- the extension is forbidden, for example .php, .inc, .py etc.
- there is a php tag in the content
- there is a short tag in the content
- if there is a forbidden extension anywhere in the content

If your component allows PHP files to be uploaded and calls the method JFile::upload() but does not set the call parameter to allow unsafe or does not turn off the relevant safe file options, as listed above, the upload will fail.
Toivo Talikka, Global Moderator


Re: Warning: File xxx.zip not uploaded for security reasons!

Post by beau18907 » Sat Sep 05, 2015 7:26 pm

This is the file name mod_featuredadsj2.5-3.0v5.1.zip
I have altered the media option to allow zip and ZIP
don't see a php or short tag in the content ( only one folder within the zipped file (mod_featuredads)) within that folder are:
folder - FeaturedFiles
folder - language
index.html
mod_featuredads.php
mod_featuredads.xml

I use JFile::upload(); it did not have the boolean parameter Unsafe set to true, but I did set it and the upload was still rejected.


Re: Warning: File xxx.zip not uploaded for security reasons!

Post by toivo » Sat Sep 05, 2015 9:30 pm

There is another possibility for the error to get triggered. When your script accepts the name of the file from the input form, unless the filter parameter is 'raw', the file name gets passed to the function JFilterInput::isSafeFile() without any options and consequently the default options are set, which means that '.php' and even '.zip' become forbidden extensions and the upload operation bombs out.

These lines from /administrator/components/com_installer/models/install.php are self explanatory:

		// Get the uploaded file information.
		$input    = JFactory::getApplication()->input;
		// Do not change the filter type 'raw'. We need this to let files containing PHP code to upload. See JInputFiles::get.
		$userfile = $input->files->get('install_package', null, 'raw');

By the way, this thread could really be in 3.x Coding. Do you mind if we move it there?
Toivo Talikka, Global Moderator


Re: Warning: File not uploaded for security reasons

Post by beau18907 » Sun Sep 06, 2015 10:30 pm

toivo wrote:
- there is a php tag in the content
- there is a short tag in the content

This got me thinking.

I have a text date file (last_date.php) that I use to check for expiration of items. Sure enough that was the culprit. Only time the conflict comes up is when I was uploading the extension. It was never a problem running the extension.
Modified the way the file was written, that solved the problem.

Thanks for your help.
Last edited by beau18907 on Mon Sep 07, 2015 11:19 am, edited 1 time in total.


Re: Warning: File not uploaded for security reasons

Post by toivo » Sun Sep 06, 2015 10:58 pm

That is good news. It was an interesting exercise in the essentials of security.

Please edit the first post of this thread and select the green tick as the post icon, to mark the issue as resolved.
Toivo Talikka, Global Moderator


Re: Warning: File not uploaded for security reasons

Post by beau18907 » Mon Sep 07, 2015 11:22 am

Because this original post had been moved to another category, there is no EDIT icon available. So I up-ticked my last post.


Re: Warning: File not uploaded for security reasons

Post by Ratmil » Wed Sep 16, 2015 1:06 pm

I am having the same issue. It started to happen after upgrading to Joomla 3.4.4


Re: Warning: File not uploaded for security reasons

Post by Ratmil » Wed Sep 16, 2015 1:13 pm

I am having this problem with Phocadownload.


Re: Warning: File not uploaded for security reasons

Post by sclg » Wed Sep 16, 2015 1:15 pm

This is also happening to me with a JCE add-in and you can't get much more ubiquitous than that!
"...jce_filemanager_218.zip not uploaded for security reasons!"
Steve


Re: Warning: File not uploaded for security reasons

Post by Ratmil » Wed Sep 16, 2015 2:10 pm

Not even enabling FTP at the site.


Re: Warning: File not uploaded for security reasons

Post by sclg » Wed Sep 16, 2015 2:24 pm

sclg wrote: This is also happening to me with a JCE add-in and you can't get much more ubiquitous than that!
"...jce_filemanager_218.zip not uploaded for security reasons!"
Steve

... and as of today, JCE have an update to fix it.
Steve


Re: Warning: File not uploaded for security reasons

Post by Ratmil » Wed Sep 16, 2015 5:03 pm

Phocadownload doesn't.


Re: Warning: File not uploaded for security reasons

Post by azri445 » Tue Sep 22, 2015 7:39 am

I'm also having the same problem, normally I don't have any problem installing my cometchat.

I got this error:

Warning
Warning: File /plugins/cometchat.zip not uploaded for security reasons!


Re: Warning: File not uploaded for security reasons

Post by deyana_tg » Tue Oct 13, 2015 7:52 am

Hi, I have the same error. I use PhocaDownload and I want to upload a .zip file with a name like this: ex201510050100000390.zip. I think the problem is with the name because when I renamed the file with another name - gd201510050100000390.zip it was uploaded. :-) But it's important for me to use file names starting with ex...
Jan in Phoca forum answered: "Yes, this seems like Joomla! upload method evaluates it as problematic, I hope I will finish the upgrade soon, so this will be changed."

I hope there is another solution for this problem - in Joomla. Isn't it? :-(
Last edited by toivo on Tue Oct 20, 2015 12:04 pm, edited 2 times in total.
Reason: mod note: duplicate posts not allowed, post removed


Re: Warning: File xxx.zip not uploaded for security reasons!

Post by Hoffi » Tue Oct 27, 2015 2:19 pm

Hi everybody,

I hope that's the right place to talk about the reason for this rejection, especially since the good fixes in J! 3.4.5.

As toivo wrote (I quote the important parts only):
toivo wrote: The warning is generated by /libraries/joomla/filesystem/file.php on line 471 when the file is found unsafe by the method JFilterInput::isSafeFile().
...
Files get rejected by default if:
- ...
- if there is a forbidden extension anywhere in the content

If you look into the code you'll see that searching for "forbidden extension anywhere in the content" is realised by reading the archive files and searching for strings like ".php", ".py" or something like this.

That means: If the compressor creating the file produces a byte sequence accidentally matching one of the buzzwords this archive is rejected - even if it only contains totally harmless text files and none of the forbidden extensions exists when uncompressed. For example for ".py" we have three bytes so there is a chance of 1 : 2^24 - on a large archive with 16 MByte we have statistically... ;)

That also means on the other hand: If you have a very bad php file sending your credit card information to me but have it inside a tgz file, isSafeFile() will return true because it can't see ".php", which is streamed into tar before being compressed. So this tgz will be uploaded without problems.

So in summary the "fobidden_ext_in_content" check (please note the typo - but that's a different story) does not really increase security but may cause a lot of false positives.
For our extension I can deactivate this test but users of other extensions like Kunena, PhocaDownload etc. may have such problems. So a solution on Joomla level would be good. Unfortunately I don't have the solution. The simplest could be to deactivate this single test by default. The better but much more complicated way would be to analyse the archives type-specific, like uncompress and parse.
But currently there is no way for a site admin to configure how restrictive Joomla should be.

Thanks,
Hoffi

Edit: Also filed on GitHub as issue #8197.
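
The two cases Hoffi describes above (harmless bytes that trip the content check, and a .php file that passes inside a tgz), together with the type-aware check he proposes, modelled as an added example that is not part of the thread and not Joomla's code. `raw_byte_scan` is a simplified stand-in for the content check, `member_name_scan` is one possible archive-aware alternative, and the extension list, member names and both sample archives are constructed for illustration.

```python
import gzip
import io
import posixpath
import tarfile
import zipfile

# Assumption: a subset of the forbidden extensions named in the thread.
FORBIDDEN = ("php", "inc", "py")

def raw_byte_scan(data: bytes) -> list[str]:
    """Simplified model of the content check: find '.ext' anywhere in the raw bytes."""
    return [ext for ext in FORBIDDEN if b"." + ext.encode() in data]

def member_name_scan(data: bytes) -> list[str]:
    """Type-aware alternative: read the archive index and test real member names."""
    buf = io.BytesIO(data)
    if zipfile.is_zipfile(buf):
        with zipfile.ZipFile(buf) as zf:
            names = zf.namelist()
    else:
        buf.seek(0)
        try:
            with tarfile.open(fileobj=buf, mode="r:*") as tf:
                names = tf.getnames()  # headers only, nothing is extracted
        except tarfile.TarError as exc:
            raise ValueError("not a zip or tar archive") from exc
    # Any dot-separated part after the first counts, so "x.php.txt" is caught too.
    return [n for n in names
            if any(p in FORBIDDEN for p in posixpath.basename(n).lower().split(".")[1:])]

def harmless_zip() -> bytes:
    """Constructed sample: a binary blob whose bytes happen to include '.py'."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as zf:
        info = zipfile.ZipInfo("data.bin", date_time=(2015, 10, 27, 0, 0, 0))
        zf.writestr(info, b"\x00\x9c.py\x7f\x01")  # ZipInfo default: stored uncompressed
    return out.getvalue()

def php_in_tgz() -> bytes:
    """Constructed sample: a .php member inside a gzip-compressed tar."""
    body = b"<?php /* placeholder */ ?>"
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w") as tf:
        info = tarfile.TarInfo("mod_example/mailer.php")
        info.size = len(body)
        tf.addfile(info, io.BytesIO(body))
    return gzip.compress(raw.getvalue(), mtime=0)

if __name__ == "__main__":
    for label, blob in (("zip", harmless_zip()), ("tgz", php_in_tgz())):
        print(label, "raw:", raw_byte_scan(blob), "members:", member_name_scan(blob))
```

The member-name scan only reads archive headers; it does not inspect file contents or nested archives, so it complements rather than replaces the PHP-tag checks listed earlier in the thread.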


Re: Warning: File not uploaded for security reasons

Post by Ratmil » Thu Oct 29, 2015 3:14 pm

That error is because there is some component making a call to JFile::upload.
The fix is changing the call to something similar to the following:

		JFile::upload($tmp_src, $tmp_dest, false, true);

The important thing here is to set the fourth parameter to true ($allow_unsafe = true).


Re: Warning: File not uploaded for security reasons

Post by Hoffi » Thu Oct 29, 2015 3:52 pm

Hi Ratmil,

the cause is NOT all the components calling JFile::upload and the solution is NOT switching off all the checks by setting parameter allow_unsafe to true.

The cause is the code within JFilterInput::isFileSafe which stupidly searches for string patterns within binary content and so creates false positives.

You described the result, not the cause.


Re: Warning: File not uploaded for security reasons

Post by lsampathl » Thu Oct 29, 2015 4:49 pm

I am having the same problem. Nothing was getting uploaded whatever the component file it might be, but I solved it myself.

In my case the culprit was installer plugin by akeeba backup... I have disabled akeeba optimised installation and switched to standard joomla installer. Now everything is working fine. :)


Re: Warning: File not uploaded for security reasons

Post by Hoffi » Thu Oct 29, 2015 5:57 pm

Hi lsampathl,

the installer plugin you talk about isn't part of the free version, is it?
But because it's the same author it wouldn't surprise me if there's the same check.

Joomla's installer instead switches off all checks by calling

		JFile::upload($tmp_src, $tmp_dest, false, true);

as Ratmil suggested above.

In that case it's acceptable expecting the admin knows what (s)he does. ;)
But in cases where e.g. all registered users can upload things some basic checks would be reassuring as long as they work mostly accurately.


Re: Warning: File not uploaded for security reasons

Post by Ironside » Fri Nov 06, 2015 2:20 pm

I have just upgraded a couple of 2.5 websites to 3.4.5 and I'm getting exactly the same message when trying to install new templates.
Ham and eggs. A day's work for a chicken, a lifetime commitment for a pig.

http://www.tetraplegicliving.com
http://www.oscarfishlover.com


Re: Warning: File not uploaded for security reasons

Post by Ironside » Sat Nov 07, 2015 12:24 pm

Finally solved. The problem I was having was trying to upload templates and getting this fault. In my case, I had to disable the system restore points plug-in. I should have read the message really that was coming up, could have saved myself two days of frustration.
Ham and eggs. A day's work for a chicken, a lifetime commitment for a pig.

http://www.tetraplegicliving.com
http://www.oscarfishlover.com


Re: Warning: File not uploaded for security reasons

Post by Ratmil » Mon Nov 09, 2015 1:45 pm

A solution for Phocadownload, for example, would be to add an action called "Unsafe upload". This way some users could be allowed to upload "unsafe" files.

 
