Defect #43075 (closed)
Attachments 403 xhr error suddenly occurring
Description
Think this might be after a Chrome or Windows security update, but in the last week, all of a sudden, certain files give a 403 XHR error. It's not consistent: 2 files, both JPG, one works, one does not. This is with an old 3.4.3 version (have lots of plugins). And normally I would not bother the community because this is so old, but thought I would ask in case anyone else is seeing the same in the last week or so. Any ideas?
Environment:
Redmine version 3.4.3.stable
Ruby version 2.3.5-p376 (2017-09-14) [x86_64-linux]
Rails version 4.2.8
Environment production
Database adapter Mysql2
Error:
POST https://<xxxservernameherexxx>.com/uploads.js?attachment_id=3&filename=1-profile-002.jpg&content_type=image%2Fjpeg 403 (Forbidden)
  send @ jquery-1.11.1-ui-1.1…1.4.js?1508097600:4
  ajax @ jquery-1.11.1-ui-1.1…1.4.js?1508097600:4
  window.uploadBlob @ image_paste.js?1510757267:19
  actualUpload @ attachments.js?1508097600:56
  ajaxUpload @ attachments.js?1508097600:85
  addFile @ attachments.js?1508097600:27
  (anonymous) @ attachments.js?1508097600:168
  each @ jquery-1.11.1-ui-1.1…1.4.js?1508097600:2
  uploadAndAttachFiles @ attachments.js?1508097600:168
  addInputFiles @ attachments.js?1508097600:141
  onchange @ 6930:1
Updated by Matthew Paul 1 day ago
If I take a JPEG and run it through a file converter and save it back as a JPEG, it seems to work. So it must be something to do with the internal metadata of the file not being correct; maybe the MIME security has been upgraded recently?
Updated by Holger Just 1 day ago
- Description updated (diff)
- Status changed from New to Needs feedback
This is likely caused by a plugin in your browser, or a firewall (with a "security" proxy), or a proxy server in use in your organisation which blocks certain requests. It's likely that your specific file triggers some security rule there.
Check if you can disable all virus scanners on your computer, disable ad blockers in your browser, and check if you are using a proxy server. If the issue still persists, check the server logs on your Redmine server in log/production.log.
Updated by Matthew Paul 1 day ago
Thanks - I've done some of that already, will try your other suggestions also and report back - appreciated - thanks again!
Updated by Matthew Paul about 17 hours ago
SOLUTION - As Holger Just suggested, it was indeed a firewall issue, although it took a lot of time to find out exactly where that was happening, so I will note it here for the community in case anyone else gets the same.
ISSUE - Certain files were getting a 403 (Forbidden) XHR error. So for one JPEG it would work, for another it would not. This happened immediately when you selected the file, NOT when you hit submit. So I figured it was happening on the client side, either in the attachments.js code or else in the client firewalls (I run Malwarebytes and Windows Firewall). Spent a long time looking at those, but the key was that if you open up the devtools (F12) and look at the error, it actually had additional info that the 403 was being returned by Cloudflare, not by my laptop client.
It then took a while to track it down, and it was in a standard set of rules that Cloudflare runs, specifically the "Cloudflare OWASP Core Ruleset". Now, to test whether it's that causing the problem is easy: just turn off the rule under Security > WAF > Managed Rules > Enabled > Off. Then immediately the problem JPEG file would upload OK. But I still really want those rules to operate, and in fact what happens is that Cloudflare analyzes all files going through it, and in this case it activated 6 rules worth 5 points each for a threat level of 30. Well, the threshold is set to 25 by default, and so it was triggering and rejecting.
All I did to fix it was to go to that rule > Edit > OWASP Anomaly Score Threshold > change from 25 (High) to 40 (Medium). Still secure and would trigger for infected files, but a little less stringent so as to allow files through that might have various stuff like macros in a docx, or special characters in a PDF, etc.
Again, thanks for your suggestion Holger, and hope anyone else getting this issue will be helped if they encounter something similar.
ADMIN - please CLOSE this issue, it is resolved.
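Added example (editor's own code, not from this thread, from Redmine or from Cloudflare) that turns the two findings above into repeatable checks: first, deciding from a response whether a 403 was produced by Cloudflare's WAF or by the origin server behind it, and second, computing whether a set of OWASP CRS rule matches crosses the anomaly threshold. It assumes that responses proxied by Cloudflare carry a "server: cloudflare" and a "cf-ray" header and that a block page rendered by Cloudflare itself mentions a Ray ID in its body; it uses the standard CRS severity points (CRITICAL 5, ERROR 4, WARNING 3, NOTICE 2) and the 25 (High) / 40 (Medium) thresholds quoted in the comment above. The two sample responses are constructed for the example, not captured from a real server.

```ruby
# Added example: triage an upload 403 and reason about CRS anomaly scoring.
# Not code from the Redmine thread, from Redmine or from Cloudflare.

# Standard OWASP Core Rule Set severity -> anomaly points
# (CRITICAL 5, ERROR 4, WARNING 3, NOTICE 2).
CRS_SEVERITY_POINTS = { critical: 5, error: 4, warning: 3, notice: 2 }.freeze

# Cloudflare OWASP anomaly thresholds quoted in the thread:
# "High" = 25 (the default), "Medium" = 40.
CF_OWASP_THRESHOLDS = { high: 25, medium: 40 }.freeze

# Classify a 403 by who produced it.
# Assumption: responses that pass through Cloudflare carry "server: cloudflare"
# and a "cf-ray" header, and a WAF block page rendered by Cloudflare itself
# mentions a "Ray ID" in its HTML body.
# Returns :not_forbidden, :origin, :origin_via_cloudflare or :cloudflare_waf.
def response_origin(status, headers, body)
  return :not_forbidden unless status.to_i == 403

  h = headers.transform_keys { |k| k.to_s.downcase }
  via_cloudflare = h['server'].to_s.casecmp?('cloudflare') || h.key?('cf-ray')
  return :origin unless via_cloudflare

  # Cloudflare's own block page vs. a 403 generated by Redmine/nginx and
  # merely proxied: the proxied one keeps the origin's body.
  body.to_s.match?(/ray id/i) ? :cloudflare_waf : :origin_via_cloudflare
end

# Sum CRS anomaly points over the severities of the rules a request matched.
def anomaly_score(matched_severities)
  matched_severities.sum { |sev| CRS_SEVERITY_POINTS.fetch(sev) }
end

# CRS blocks when the inbound anomaly score reaches the threshold (>=).
def blocked?(matched_severities, sensitivity)
  anomaly_score(matched_severities) >= CF_OWASP_THRESHOLDS.fetch(sensitivity)
end

# --- constructed sample responses (not captured from a real server) --------
CLOUDFLARE_BLOCK = {
  status: 403,
  headers: { 'Server' => 'cloudflare', 'CF-RAY' => '0123456789abcdef-LHR' },
  body: '<html><title>Attention Required! | Cloudflare</title>' \
        '<p>Sorry, you have been blocked</p>' \
        '<p>Cloudflare Ray ID: 0123456789abcdef</p></html>'
}.freeze

ORIGIN_FORBIDDEN = {
  status: 403,
  headers: { 'Server' => 'nginx', 'Content-Type' => 'text/html' },
  body: '<html><body>403 Forbidden</body></html>'
}.freeze

# Convenience wrapper for a response hash as above.
def triage(resp)
  response_origin(resp[:status], resp[:headers], resp[:body])
end

if __FILE__ == $PROGRAM_NAME
  puts "block page -> #{triage(CLOUDFLARE_BLOCK)}"   # cloudflare_waf
  puts "origin 403 -> #{triage(ORIGIN_FORBIDDEN)}"   # origin
  six_critical = Array.new(6, :critical)             # the "6 rules x 5 points" case
  puts "score #{anomaly_score(six_critical)}: " \
       "high=#{blocked?(six_critical, :high)} medium=#{blocked?(six_critical, :medium)}"
end
```

The useful consequence for the log check suggested earlier in the thread: when triage returns :cloudflare_waf the request never reached Redmine, so nothing will appear in log/production.log for it, and the place to look is Cloudflare's security events for that Ray ID. The scoring part shows why raising the threshold helped: six CRITICAL matches score 30, which reaches the 25 threshold but not 40.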
Updated by Holger Just about 16 hours ago
- Status changed from Needs feedback to Closed
- Resolution set to Invalid
Thanks for your feedback. I'm closing this issue as invalid as it did not describe an issue in Redmine.
(You should still work on upgrading your Redmine version. It has quite a number of known security issues itself and in its dependency packages and will become constantly harder to run on modern operating systems.)