["upload" Cross Site Request Forgery blocked] while uploading an image

Hi everyone.

I've installed zenphoto 1.3.1 and it's really awesome! But I have some trouble with uploading images. It's OK, but sometimes, when I try to upload an image, the message '"upload" Cross Site Request Forgery blocked' is returned. It shows only on some images, not on all of them. Can anyone explain why it is happening and how to fix it?
P.S. I'm using IIS v6.0 on Windows Server 2003.

Comments

  • This is a part of the log right after that error appears.
    `2010-08-10 21:04:46 10.103.21.178 Log deleted admin admin Success zp_admin security_log.txt`
    `2010-08-10 21:04:55 10.103.21.178 XSRF access blocked admin admin Failed upload`
  • Can you describe in detail how you did the upload? What is the difference between when it works and when it does not?

    "Sessions" must work in PHP for this to work at all. I doubt that is the problem because if it were, no admin saves would work. But maybe there is an issue with IIS where sessions are not reliable.
  • Well, for example, I have two pictures. I go to the "upload tab", select an album where it will be uploaded, click on the "Browse" button, select the first picture and press "Upload". It uploads and everything is OK. Then I do everything again, only at the end I select the second picture, and subj error appears. But if I somehow change it in mspaint or photoshop, and then save it, everything is OK. It's not a very frequent error, so it doesn't cause a lot of trouble; in fact, I had that problem only with 7 pics from nearly 150.
  • UPD: This error always appears, when I try to upload several images.
  • Which version of the upload are you using? The HTTP or the Javascript one?
  • "http-browser single file upload".
    PS It's Firefox 3.6.8, maybe it matters.
  • It might help to try another browser if you can. I am not able to reproduce this failure. Nor does it make any sense that it would work for a single file but fail for multiple files as the check is done only once, then ALL files are processed.

    If the browser causes multiple POSTs without supplying all the parameters then that could cause the problem. I've tried on Firefox 3.6.7 on a PC with no issues.
  • I can reproduce this with the Firefox nightly and IE8. The Flash uploader works fine. Uploading a single image with the HTTP uploader works fine. But more than one always fails for me; none of the images are present on the server.
  • Do you also get the cross site request forgery error?

    What is your server configuration?

    (IE8 works just fine for me.)
  • Yeah, I get the XSRF error with both 1.3.1 and the SVN version. It's a Linux server (Red Hat I think) with PHP 5.2.13. Everything is default for both installations. I'm not too sure what other information might help.

    It's strange though... I tried to use Firebug to check if there are multiple POSTs, but having Firebug open makes it work correctly. :/
  • Oh, also it's an Apache server, not IIS. And I should mention that the error doesn't occur for me with just selecting files; after I hit the Upload button, it seems as though it uploads at least the first file, then redirects me to the Overview page with the XSRF error. Looking in FTP shows that nothing was actually uploaded, however.
  • The XSRF error is a red herring; the actual error is most likely that you're uploading so much at once that the size of the `POST` data exceeds the value of your server's `post_max_size`. When this happens, the default behavior is that uploads will fail. This was the problem for me, so I would assume it is for you as well. Your server should be producing an error to affirm this whenever an upload fails.
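
An added example, not part of the thread and not Zenphoto's code: one way to tell the oversized-POST case described in the last comment apart from a genuinely missing anti-CSRF token. When a request body exceeds `post_max_size`, PHP leaves `$_POST` and `$_FILES` empty, so the token field disappears along with everything else. The function names and the `csrf_token` field name are hypothetical.

```php
<?php
// Added example: function names and the token field name are hypothetical.

/** Convert a php.ini shorthand size ("8M", "512K", "1G", "1048576") to bytes. */
function ini_size_to_bytes(string $value): int
{
    $value = trim($value);
    if ($value === '') {
        return 0;
    }
    $number = (int) $value;                 // leading digits only: "8M" -> 8
    switch (strtoupper(substr($value, -1))) {
        case 'G': $number *= 1024;          // fall through
        case 'M': $number *= 1024;          // fall through
        case 'K': $number *= 1024;
    }
    return $number;
}

/**
 * Classify a POST before the anti-CSRF token check runs.
 * Returns 'ok', 'post_too_large' or 'token_missing'.
 */
function classify_upload_post(array $server, array $post, array $files,
                              string $postMaxSize, string $tokenField): string
{
    $limit  = ini_size_to_bytes($postMaxSize);      // 0 means "no limit"
    $length = (int) ($server['CONTENT_LENGTH'] ?? 0);

    // Body larger than post_max_size: PHP discarded it, so both arrays are empty.
    if ($limit > 0 && $length > $limit && empty($post) && empty($files)) {
        return 'post_too_large';
    }
    if (!isset($post[$tokenField])) {
        return 'token_missing';                     // a real candidate for the XSRF log entry
    }
    return 'ok';
}

// Constructed sample: a 12 MB multi-file POST against an 8M limit.
// In a live handler, pass $_SERVER, $_POST, $_FILES and ini_get('post_max_size').
echo classify_upload_post(
    ['REQUEST_METHOD' => 'POST', 'CONTENT_LENGTH' => '12582912'],
    [], [], '8M', 'csrf_token'
), PHP_EOL;
```

Logging the `post_too_large` verdict separately keeps the security log's XSRF entries meaningful, since an oversized upload would otherwise be recorded as a blocked forgery attempt.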