[pmwiki-users] problem with uploaded pictures : Triad skin

Petko Yotov 5ko at 5ko.fr
Fri Nov 10 10:46:19 PST 2023


On 10/11/2023 18:18, Piotr Dybczyński wrote:
> Petko,
> thanks a lot for your help.
> 
> I have checked one by one all cookbooks and found several of them with
> MS-DOS/Windows double 'end of line' markers. After cleaning with the
> 'fromdos' command all pictures are accessible from my wiki pages.
> I cannot guess why this became a problem after so many years...

Unless you have a line break with line breaks before "<?php" or after 
"?>" I don't think it should cause the problem.

In fact, the extra character was "\n" (0x0a) and not "\r" (0x0d) or 
"\r\n", so I still suspect there may be a "?>" marker in some included 
script, and it should be removed.


> But the problem with uploading remains. It is not limited to pictures,
> even plain text file cannot be uploaded with the error message:
> 
> Token invalid or missing
> 
> Both pmwiki.php and scripts/upload.php are unmodified files from PmWiki 
> 2.3.27

Apparently the Triad skin defines a custom upload form, and the PmToken 
security functions were enabled in May, after the latest Triad version.

The token <input...> element can be added to triad.php into the 
$PageUploadFmt snippet like I explained.

Alternatively, you can disable PmToken, see the Release Notes page:

   https://www.pmwiki.org/wiki/PmWiki/ReleaseNotes#v2323

The PmToken functions mitigate the risks for Cross-Site Request Forgery 
vulnerabilities.

Petko


> --
> /************************************************************************
>                          dr Piotr A. Dybczyński
>  homepage: https://www.dybczynski.pl/Piotr   e-mail: 
> piotr at dybczynski.pl
> ******************************************************************PAD***/
> 
> On 10.11.2023 at 13:26, Petko Yotov wrote:
>> On 10/11/2023 13:00, Piotr Dybczyński wrote:
>>> after upgrading PmWiki to version 2.3.27 under Debian 11 (PHP 7.4) I
>>> cannot see any previously uploaded pictures nor upload new ones.
>>> 
>>> When trying to display, in Firefox I read (unfortunately in Polish):
>>> 
>>> Obraz
>>> https://apollo.astro.amu.edu.pl/PAD/pmwiki.php?n=Wikicomet.Oumuamua?action=download&upname=startrek_30_1b.png”
>>> nie może zostać wyświetlony, ponieważ zawiera błędy.
>>> 
>>> It means: the picture ... cannot be displayed because it contains 
>>> errors
>> 
>> There is a linebreak (0x0a) character before the PNG stream in this 
>> picture.
>> 
>> The most frequent reason is some of your included files (in local/ or 
>> cookbook/) have closing markers "?>" followed by linebreaks.
>> 
>> It is recommended to remove the closing PHP markers in scripts.
>> 
>>> When trying to upload, I see:
>>> 
>>>  Token invalid or missing.
>> 
>> If you're using the normal PmWiki upload form, make sure you updated 
>> both pmwiki.php and scripts/upload.php.
>> 
>> If you're using a custom upload form, you need to add the "pmtoken" 
>> element. In wiki code, just add within the form:
>> 
>>    (:input pmtoken:)
>> 
>> If you customised $PageUploadFmt add this inside the <form>...</form> 
>> space:
>> 
>>    <input type='hidden' name='\$TokenName' value='\$TokenValue' />
>> 
>> If it is a raw HTML snippet, use this:
>>    <input type='hidden' name='$TokenName' value='$TokenValue' />
>> 
>> The raw HTML snippet should be passed through FmtPageName() to 
>> populate the values of the variables -- it probably already is.
>> 
>> Petko
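
The check described in this thread for scripts in local/ and cookbook/, as an added example that is not part of the original messages or of PmWiki: a Python scan that reports the bytes a PHP include would emit before the opening tag or after a final "?>" marker. It is a byte-level heuristic that does not parse PHP strings or comments; the function names are hypothetical and the sample inputs are constructed.

```python
import re
import sys
from pathlib import Path

# "<?php" is case-insensitive; "<?=" is the short echo tag.
OPEN_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)
# PHP swallows one newline directly after "?>", so only bytes beyond it are echoed.
CLOSE_TAG = re.compile(rb"\?>(?:\r\n|\n|\r)?")

# Constructed sample file contents (not taken from any real cookbook recipe).
SAMPLES = {
    "clean.php": b"<?php\n$x = 1;\n",
    "one_newline.php": b"<?php\n$x = 1;\n?>\n",
    "two_newlines.php": b"<?php\n$x = 1;\n?>\n\n",
    "bom.php": b"\xef\xbb\xbf<?php\n$x = 1;\n",
}

def stray_output(source: bytes):
    """Return (leading, trailing) bytes echoed when PHP includes this source."""
    first = OPEN_TAG.search(source)
    if first is None:
        return source, b""          # no PHP block: the whole file is output
    leading = source[:first.start()]
    trailing = b""
    closes = list(CLOSE_TAG.finditer(source))
    if closes:
        tail = source[closes[-1].end():]
        if not OPEN_TAG.search(tail):   # the last "?>" really ends the file
            trailing = tail
    return leading, trailing

def scan(root):
    """Check every *.php file under root (hypothetical helper name)."""
    findings = []
    for path in sorted(Path(root).rglob("*.php")):
        leading, trailing = stray_output(path.read_bytes())
        if leading or trailing:
            findings.append((str(path), leading, trailing))
    return findings

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, stray_output(data))
    for directory in sys.argv[1:]:      # e.g. local cookbook
        for path, lead, trail in scan(directory):
            print(f"{path}: before <?php {lead!r}, after ?> {trail!r}")
```

Pass the directories to scan as arguments, for example local and cookbook; scripts that intentionally emit HTML outside PHP tags are listed too.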


