[imp] Compose window hangs.

Brian Voils voilsb at gmail.com
Wed Aug 25 10:53:05 PDT 2004


This might work.  It's taken from another thread, where I had a
problem with getting IMP to send attachments.  It would say the
attachment had been uploaded, but wouldn't in fact upload the file to
anywhere it could send it from.

I had to set $conf['tmpdir'] = 'tmp_location'; in horde/conf/conf.php
(near line 81).

Then I had to go to tmp_location and set permissions for it, for
tmp_location/.horde, for tmp_location/.horde/imp, and for
tmp_location/.horde/imp/attachments to 777 to allow the webserver to
write the file.

I cross posted this because I got the idea for fixing it from that thread.


Of course, now I'm curious where it puts the file when you upload it
and those are not set properly, since it manages to read the file size
and type from *somewhere* and from trying to get PHP to do exactly
this to generate a dynamic upload progress meter, I don't believe PHP
can read that information from the file prior to getting deposited on
the server somewhere.

On Sat, 21 Aug 2004 12:15:58 -0700, Brian Voils <voilsb at gmail.com> wrote:
> Safe mode's not turned on, or at least according to phpinfo() it's
> not.  The closest thing I could find in the FAQ was to set
> upload_tmp_dir to a good directory, but I can't seem to set that
> variable.  Setting it in .htaccess doesn't seem to have any effect.
> 
> But finally, if it *were* a permissions problem, why would the
> webserver have permissions to 1) write the file, 2) read the file size
> and mimetype from the file, 3) delete the file, but not 4) send the
> file.
> 
> I can provide screenshots should you desire to visually see what I'm
> talking about.
> 
> 
> 
> On Fri, 20 Aug 2004 22:54:42 -0700, Lord Apollyon <implist at paypc.com> wrote:
> >
> > > If I want to attach a file to an e-mail, I'll hit 'browse' and find a
> > > file.  Then I'll click 'attach' and it'll upload the file, and it'll
> > > claim it's attached to the message and it'll give filesize, mimetype,
> > > etc.
> > >
> > > Then I send the file, and there's no attachment.  Some mail readers
> > > will see an attachment with the appropriate filename but with a size
> > > of 0 bytes.  Other mail readers (like IMP) will simply say there's no
> > > attachment.  I can even go to my sent-items folder and it'll claim
> > > there's no attachment to the file.
> >
> > This sounds suspiciously like an upload directory permissions problem, a
> > misconfigured Safe Mode related problem, or a mixture of the two.
> >
> > You need to figure out what the setting for PHP's upload directory is for
> > the webserver.  If Safe Mode is enabled, then your copy of IMP will need to
> > match the ownership of that directory, otherwise IMP will be blocked from
> > touching and handling those files (which will be owned by the UID/GID of the
> > running webserver process).
> >
> > Setting safe_mode_gid to TRUE and convincing your admin to chgrp wwwgroup
> > (or whatever it's called) would resolve this without throwing away Safe Mode
> > protections.
> >
> > You're in a tough spot, as a loser-user (as opposed to an administrator).
> > The webserver runs as its own UID/GID, which is not root and not you.
> >
> > You have IMP code owned by you with your UID/GID.  Uploads will always be
> > owned by the webserver's UID.  You see the problem.
> >
> > Multi-user installations of PHP usually like to enable Safe Mode to reduce
> > the likelihood of one user being able to browse and read other users' files
> > through the PHP file/directory navigation and read calls.
> >
> > As some may rush forward to protest that Safe Mode is an application-level
> > "hack" or "fictional access control", I will submit that in the commonly
> > configured case of Apache installations, this is probably the most accessible
> > method to reduce the attack profile of PHP's file-accessor calls.  Proper
> > UNIX permissions with its restrictive 3x3 model can only go so far,
> > especially when coupled with the security contexts in which Apache runs.
> >
> > With proper ACLs or even perhaps one of the more exotic MPMs
> > ("per-UID/threaded") of Apache 2, this problem could be properly addressed.
> >
> > =R=
> >
> > --
> > IMP mailing list - Join the hunt: http://horde.org/bounties/#imp
> > Frequently Asked Questions: http://horde.org/faq/
> > To unsubscribe, mail: imp-unsubscribe at lists.horde.org
> >
> 
> 
> --
> Brian Voils
> 541-753-6677
> brian at voils.net
> 


-- 
Brian Voils
541-753-6677
brian at voils.net
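
Added example, not part of the original post or of Horde/IMP: a shell check that finds the world-writable directories left behind by the 777 step on the $conf['tmpdir'] tree, and swaps them for group-only access along the lines of the "chgrp wwwgroup" suggestion quoted above. It assumes the web server runs as a member of the group you pass in and that mode 0770 is enough for it to write; the demo tree is constructed under mktemp and uses your own group so it runs without root.

```bash
#!/bin/sh
# Added example: audit and tighten the tmp tree named in the post.
# The directory layout is the post's; the group and mode 0770 are assumptions.

# Print directories under $1 that any local user can write to
# (world-writable and without the sticky bit).
list_world_writable() {
    find "$1" -type d -perm -0002 ! -perm -1000 -print
}

count_world_writable() {
    list_world_writable "$1" | wc -l | tr -d ' '
}

# $1 = tmp_location, $2 = group the web server belongs to (e.g. wwwgroup).
# Gives owner and group rwx, removes all access for "other".
tighten_tmp_tree() {
    for d in "$1" "$1/.horde" "$1/.horde/imp" "$1/.horde/imp/attachments"; do
        [ -d "$d" ] || continue
        chgrp "$2" "$d" || return 1
        chmod 0770 "$d" || return 1
    done
}

# Demo on a constructed tree that mimics the state after the 777 step.
demo() {
    demo_root=$(mktemp -d) || return 1
    mkdir -p "$demo_root/.horde/imp/attachments"
    chmod -R 777 "$demo_root"
    echo "world-writable before: $(count_world_writable "$demo_root")"
    list_world_writable "$demo_root"
    tighten_tmp_tree "$demo_root" "$(id -g)"
    echo "world-writable after:  $(count_world_writable "$demo_root")"
    rm -rf "$demo_root"
}

demo
```

On a real install, pass the actual tmp_location and the web server's group instead of the demo values, then retry the attachment upload.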

