Defect #26398

closed

Unable to upload attachments

Added by Guillaume Rossolini over 7 years ago. Updated over 7 years ago.

Status: Closed
Priority: Normal
Assignee: -
Category: Attachments
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:
Resolution: Invalid
Affected version:

Description

Hi,

We just upgraded from a 3.3.0 install and we found this in the logs when uploading attachments:

Started POST "/uploads.js?attachment_id=1&filename=Nouveau%20document%20texte.txt&content_type=text%2Fplain" for **ANON** at 2017-07-10 10:55:02 +0200
Processing by AttachmentsController#upload as JS
  Parameters: {"attachment_id"=>"1", "filename"=>"Nouveau document texte.txt", "content_type"=>"text/plain"}
  Current user: **ANON** (id=7)
Saving attachment '/srv/www/redmine-3.4.1/files/2017/07/170710105502_6790b8cc76837a645a85dd36cf99e75f.txt' (0 bytes)
Completed 500 Internal Server Error in 15ms (ActiveRecord: 2.3ms)

ActiveRecord::StatementInvalid (Mysql2::Error: Data too long for column 'digest' at row 1: INSERT INTO `attachments` (`author_id`, `filename`, `content_type`, `created_on`, `disk_directory`, `disk_filename`, `digest`) VALUES (7, 'Nouveau document texte.txt', 'text/plain', '2017-07-10 10:55:02', '2017/07', '170710105502_6790b8cc76837a645a85dd36cf99e75f.txt', 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855')):
  app/controllers/attachments_controller.rb:97:in `upload'
  lib/redmine/sudo_mode.rb:63:in `sudo_mode'

A quickfix is to add this to database.yml:

  strict: false

But a better fix would probably be to change the table structure in the DB.
(maybe I missed an upgrade script, but I didn't find any)

Actions #1

Updated by Guillaume Rossolini over 7 years ago

I should have looked up the migration guide
RedmineUpgrade

However, the core issue stands: I am unable to attach files to tickets.
The new problem is that the AJAX upload works halfway: the AJAX response contains some JS code to update the HTML form with the token, but that doesn't happen. There is no error in the browser console and all dependencies are fetched, but the input.token node doesn't get its value.

Here is an example:

POST /redmine/uploads.js?attachment_id=2&filename=CGV.doc&content_type=application%2Fmsword HTTP/1.1
Host: office.instantluxe.com
Connection: keep-alive
Content-Length: 559104
Origin: https://office.instantluxe.com
X-CSRF-Token: **ANON**
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3152.0 Safari/537.36
Content-Type: application/octet-stream
Accept: application/js
X-Requested-With: XMLHttpRequest
DNT: 1
Referer: **ANON**
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.8,fr;q=0.6
Cookie: **ANON**

HTTP/1.1 200 OK
Date: Mon, 10 Jul 2017 09:52:07 GMT
Server: Apache/2.4.10 (Debian)
Cache-Control: max-age=0, private, must-revalidate
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Runtime: 0.022208
X-Request-Id: 2a06e6e4-f40e-4148-864b-79997a55c37a
X-Powered-By: Phusion Passenger 5.1.5
ETag: **ANON**
Status: 200 OK
Content-Type: text/javascript; charset=utf-8
Set-Cookie: **ANON**
Vary: Accept-Encoding
Content-Encoding: gzip
Strict-Transport-Security: max-age=15768000
Content-Security-Policy: upgrade-insecure-requests; default-src 'self' 'unsafe-inline'; object-src 'none'
Accept-Ranges: none
Content-Length: 225
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive

var fileSpan = $('#attachments_2');
fileSpan.find('input.token').val('7397.7e5f26089669be0ee142410d83a691f94a78eb60');
fileSpan.find('a.remove-upload')
  .attr({
    "data-remote": true,
    "data-method": 'delete',
    href: '/redmine/attachments/7397.js?attachment_id=2'
  })
  .off('click');

And here is the input after the request:

<span id="attachments_2" class=""><input type="text" class="icon icon-attachment filename readonly" name="attachments[2][filename]" readonly="readonly"><div class="ui-progressbar ui-widget ui-widget-content ui-corner-all" role="progressbar" aria-valuemin="0" aria-valuemax="100" aria-valuenow="100">OK</div><input type="text" class="description" name="attachments[2][description]" maxlength="255" placeholder="Optional description" style="display: none;"><input type="hidden" class="token" name="attachments[2][token]"><a href="#" class="icon-only icon-del remove-upload" style="display: none;">&nbsp;</a></span>

What is interesting is that:
  • the form does visually change after the upload, so some of the JS gets executed;
  • manually executing this block of JS has the intended effect on the input.

Actions #2

Updated by Toshi MARUYAMA over 7 years ago

  • Status changed from New to Needs feedback

Did you run "rake db:migrate"?

Actions #3

Updated by Guillaume Rossolini over 7 years ago

Yes, see my comment above: the DB schema issue is resolved, but I still can't upload files. Sorry for the confusion.

Actions #4

Updated by Toshi MARUYAMA over 7 years ago

Why do you use Chrome/61?
What plugins do you use?
See submissions.

Actions #5

Updated by Guillaume Rossolini over 7 years ago

What's confusing me is that the fileSpan.find('a.remove-upload') line works, while the fileSpan.find('input.token') line doesn't appear to have any effect even though it is correct and it gets executed sooner.

Why not use Chrome/61 when you are in webdev yourself ;) It is fairly stable and it has nice features.
I didn't take the time to try any other browser, maybe I should have.

As for the plugins and other info, I'll hand this off to someone else tomorrow.

Actions #6

Updated by Toshi MARUYAMA over 7 years ago

Guillaume Rossolini wrote:

Why not use Chrome/61 when you are in webdev yourself ;) It is fairly stable and it has nice features.

AFAIK, Chrome/61 is beta.

Actions #7

Updated by Guillaume Rossolini over 7 years ago

Toshi MARUYAMA wrote:

AFAIK, Chrome/61 is beta.

Yes it is, but we did try with a Stable version of Chrome and we had the same results. Also the same results with Firefox (Stable).

Here is our install info:

Environment:
 Redmine version                3.4.1.stable
 Ruby version                   2.1.5-p273 (2014-11-13) [x86_64-linux-gnu]
 Rails version                  4.2.8
 Environment                    production
 Database adapter               Mysql2
SCM:
 Subversion                     1.8.10
 Git                            2.1.4
 Filesystem
Redmine plugins:
 progressive_projects_list      1.0.0
 redmine_bootstrap_kit          0.1
 redmine_checklists             3.1.5
 redmine_custom_css             0.1.4
 redmine_http_basic_authentication 0.0.1
 redmine_issue_detailed_tabs_time 0.1.0

Actions #8

Updated by Toshi MARUYAMA over 7 years ago

  • Status changed from Needs feedback to Closed
  • Resolution set to Invalid

I cannot reproduce on vanilla Redmine 3.4.1.

$ cat /etc/centos-release
CentOS Linux release 7.3.1611 (Core)

$ rpm -qf `which google-chrome-unstable` 
google-chrome-unstable-61.0.3141.7-1.x86_64

Actions #9

Updated by Guillaume Rossolini over 7 years ago

The app seems to send the AJAX response as Content-Type: text/javascript instead of the usual application/javascript, and the Content-Security-Policy may not see that as legitimate.
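
Added example (not part of the thread and not Redmine's code): a JavaScript check of the response headers quoted in this issue. It resolves which CSP directive governs script execution and tests the Content-Type against JavaScript MIME types. That the client library passes the XHR body to eval() is an assumption; the function names are hypothetical and the MIME set is a subset of the WHATWG list.

```javascript
// Header value copied from the HTTP response quoted in the issue.
const CSP = "upgrade-insecure-requests; default-src 'self' 'unsafe-inline'; object-src 'none'";

// Parse a policy into Map(directive -> [sources]); the first duplicate wins.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (!name) continue;
    const key = name.toLowerCase();
    if (!policy.has(key)) policy.set(key, sources);
  }
  return policy;
}

// script-src falls back to default-src; with neither, scripts are unrestricted.
function scriptPolicy(header) {
  const policy = parseCsp(header);
  const governedBy = ['script-src', 'default-src'].find((d) => policy.has(d)) || null;
  if (!governedBy) return { governedBy, inlineAllowed: true, evalAllowed: true };
  const sources = policy.get(governedBy).map((s) => s.toLowerCase());
  // A nonce, a hash or 'strict-dynamic' makes browsers ignore 'unsafe-inline'.
  const strict = sources.some((s) => /^'(nonce-|sha(256|384|512)-|strict-dynamic')/.test(s));
  return {
    governedBy,
    inlineAllowed: sources.includes("'unsafe-inline'") && !strict,
    evalAllowed: sources.includes("'unsafe-eval'"),
  };
}

// With "X-Content-Type-Options: nosniff", a <script src> load is refused unless
// the response carries a JavaScript MIME type (subset of the WHATWG list).
const JS_MIME = new Set(['text/javascript', 'application/javascript',
  'application/x-javascript', 'text/ecmascript', 'application/ecmascript']);
function isJavaScriptMime(contentType) {
  return JS_MIME.has(contentType.split(';')[0].trim().toLowerCase());
}

// Summary for one response. evalOfXhrBody matters only if the client runs the
// XHR body through eval(), which is an assumption about the client library.
function assess(cspHeader, contentType) {
  const p = scriptPolicy(cspHeader);
  return {
    governedBy: p.governedBy,
    mimeOkForScriptTag: isJavaScriptMime(contentType),
    inlineScript: p.inlineAllowed,
    evalOfXhrBody: p.evalAllowed,
  };
}
```

Calling `assess(CSP, 'text/javascript; charset=utf-8')` reports on the exact header pair from the response above; browser CSP violation reports and the console are the place to confirm what was actually blocked.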
