Image rotation

When I try to rotate an image via zenphoto, I get an error: "albumedit" Cross Site Request Forgery blocked. What is causing this?

Comments

  • acrylian Administrator, Developer

    Generally it means the internal XSRFtoken is not matching which is partly based on the session. Just tried locally and on our own site and it is working as expected to me. Any other errors in the logs?

  • I don't see anything in the logs that points to the zenphoto directory. Is there a way to turn off the check to test this theory?

  • I found this in the zenphoto security logs:
    2018-10-13 16:01:40 #.#.#.# Cross Site Reference admin fName lName Blocked albumedit

  • acrylian Administrator, Developer

    Yeah, that is the error if the tokens don't match. Sorry I cannot tell why they won't. Try to clear cookies and caches in the browser used.

    You cannot turn off this check except by hacking core files.

  • I cleared the browser cache/cookies and restarted the browser (Firefox) and got the same error.

  • acrylian Administrator, Developer

    Then I have no idea except that something is wrong with sessions. You could "hack" the XSRFtoken() function and add a debuglog() call to it.

  • Where are the sessions stored?

  • Looking at the admin screen, I see " PHP Session path: /tmp". Is that inside my public_html folder? ~/public_html/tmp or ~/tmp on my hosting service? I see no session information in either of these locations.

  • Further inspection revealed that /tmp is at the root of the server filesystem. My user has rw- and there are no other perms on this session data. Can this be why? Doesn't the session data need to be writeable by the web server user?

  • acrylian Administrator, Developer
    edited October 2018

    Actually, where the server puts session data is server configuration, as is the rights management needed for that. Don't have the code in front of me, but ZP only sets a path if none is defined by the server or so. Can you maybe check your server config (via phpinfo for example)?

  • From phpinfo():

    sys_temp_dir = ~/public_html/tmp
    session.save_path = /tmp

  • acrylian Administrator, Developer

    That at least matched what you reported above. Why the permissions are not correct I cannot really tell. Maybe ask your host for assistance?
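As an added illustration (not Zenphoto's own code), here is a minimal session-bound CSRF token scheme together with a preflight check for the failure mode this thread ends on: when PHP cannot write its session files, the secret stored at form render time is gone by the time the form is submitted, so the token check fails exactly as reported above. The helper names and the `XSRFToken` POST field name are assumptions.

```php
<?php
// Added example, not Zenphoto code: session-bound CSRF tokens plus a
// preflight that reports an unusable session.save_path.

function sessionStorageUsable(): array {
    $raw = (string) ini_get('session.save_path');
    // The files handler accepts "N;/path" or "N;MODE;/path"; keep the last segment.
    $parts = explode(';', $raw);
    $dir = end($parts);
    if ($dir === '' || $dir === false) {
        $dir = sys_get_temp_dir();   // PHP falls back to the system temp dir
    }
    return [
        'dir'      => $dir,
        'exists'   => is_dir($dir),
        'writable' => is_dir($dir) && is_writable($dir),
        // effective uid of the PHP process, if the posix extension is available
        'php_uid'  => function_exists('posix_geteuid') ? posix_geteuid() : null,
    ];
}

// Return the per-session token for one action. The secret lives only in the
// session, so if the session cannot be persisted a fresh secret is generated on
// every request and no submitted token can ever match.
function csrfToken(string $action): string {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['xsrf_secret'])) {
        $_SESSION['xsrf_secret'] = bin2hex(random_bytes(32));
    }
    return hash_hmac('sha256', $action, $_SESSION['xsrf_secret']);
}

// Constant-time comparison of the submitted token against the expected one.
function csrfCheck(string $action, ?string $submitted): bool {
    if ($submitted === null) {
        return false;
    }
    return hash_equals(csrfToken($action), $submitted);
}

// Usage: report the storage state, then issue a token for the "albumedit" action.
$state = sessionStorageUsable();
if (!$state['writable']) {
    error_log("session.save_path {$state['dir']} is not writable by uid {$state['php_uid']}; tokens will not persist");
}
$token = csrfToken('albumedit');   // embed in the form as a hidden field
// On submission: csrfCheck('albumedit', $_POST['XSRFToken'] ?? null)
```

Run the preflight as the same user the web server runs PHP under; a path that is writable for your shell account but not for that user shows up as exactly the permission mismatch discussed above.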
