Recently we began to upgrade our instance from 2.4.8.1 to 3.1.2.1. Many years ago we had an incident with our site where an attacker uploaded an executable which was then called remotely and changed the index.php and hence the entire site. The content displayed on this site comes from initially unknown authors, who upload their content for review and editing. Once it has been refined, normal channels are used to publish it for all users. But, as a result, we need to leave the site open for anyone to upload files. To get around this, in 2.4.8.1, I wrote a simple extension to the /classes/files/ArticleFileManager.inc.php file that checked the file extension on the file to be uploaded, and did not allow any files that weren’t .PDF or .DOC files. I don’t specifically remember how I discovered where to make this change, but I’m guessing it was through this forum. Can you lead me in the correct direction to make a similar change for 3.1.2.1? I looked in /classes/file, and reading the code there led me to lib/pkp/classes/file. I tried to modify the FileManager.inc.php in that directory, but this didn’t seem to work.
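As an added example (not code from OJS or from the Allowed Uploads plugin), here is a hardened form of the extension check described above, in PHP: it allowlists the final extension and also sniffs the bytes on disk with finfo so that a renamed file is rejected. The MIME values in ALLOWED_TYPES and the sample files are assumptions constructed for the demo; verify the MIME strings against the libmagic on your own server.

```php
<?php
// Added example (not OJS code and not the Allowed Uploads plugin): a server-side
// allowlist for submission uploads that checks both the filename extension and the
// sniffed MIME type, a hardened form of the extension-only check described above.
declare(strict_types=1);

// Allowed extensions mapped to the MIME types libmagic is expected to report.
// Assumption: verify these values against the libmagic on your own server.
const ALLOWED_TYPES = [
    'pdf' => ['application/pdf'],
    'doc' => ['application/msword'],
];

/**
 * Returns null if the upload may be accepted, otherwise a short rejection reason.
 * $originalName is the client-supplied filename; $tmpPath is the file on disk
 * (for a form upload, $_FILES['upload']['tmp_name']).
 */
function uploadRejectReason(string $originalName, string $tmpPath, array $allowed = ALLOWED_TYPES): ?string
{
    // Judge only the final extension, lower-cased, so "Paper.PDF" is treated as "pdf".
    $ext = strtolower(pathinfo($originalName, PATHINFO_EXTENSION));
    if ($ext === '' || !isset($allowed[$ext])) {
        return "extension '" . $ext . "' is not in the allowlist";
    }
    // Never trust the client-sent Content-Type; sniff the bytes actually written to disk.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($tmpPath);
    if ($mime === false || !in_array($mime, $allowed[$ext], true)) {
        return "content is '" . ($mime ?: 'unknown') . "', not a ." . $ext . " file";
    }
    return null;
}

// Constructed demo inputs: a minimal PDF, and PHP source renamed to look like a PDF.
$realPdf = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($realPdf, "%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n");
$fakePdf = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($fakePdf, "<?php echo 'not a pdf'; ?>\n");

foreach ([
    ['paper.pdf', $realPdf],   // a real PDF with a matching extension
    ['paper.exe', $realPdf],   // PDF bytes, but an extension outside the allowlist
    ['paper.pdf', $fakePdf],   // .pdf name, but the bytes are PHP source
] as [$name, $path]) {
    $reason = uploadRejectReason($name, $path);
    echo $name, ': ', $reason === null ? 'accepted' : 'rejected (' . $reason . ')', PHP_EOL;
}
unlink($realPdf);
unlink($fakePdf);
```

Run it from the command line with `php` to see which of the three constructed uploads each check rejects.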
Hi @wklyons,
There’s a plugin in the Plugin Gallery called “Allowed Uploads” that you can use to limit upload types.
But beyond that, you should definitely make sure your files directory (files_dir in config.inc.php) is outside your web root or protected from direct access using something like an .htaccess file; otherwise you’re exposing your submission files for download by anyone who can guess their filenames.
Regards,
Alec Smecher
Public Knowledge Project Team
Thanks Alec. I’ve looked in my Installed Plugins and Plugin Gallery and don’t see one called “Allowed Uploads”. Is this what I’m looking for: https://openjournalsystems.com/ojs-file-upload-validation-plugin/
And, yes, I have moved my files directory outside of the code root (using a symbolic link) - safer and much easier to update.
Hi @wklyons,
Can you describe how you’ve used a symbolic link? That shouldn’t be necessary, and may actually re-introduce the risk that moving the files_dir outside the web root is intended to prevent.
What version of OJS are you using?
Regards,
Alec Smecher
Public Knowledge Project Team
Oops - my mistake (I was thinking of how I do this in other CMSs). I simply edited the files_dir in the config.inc.php to files_dir = …/my_files.
How about my question regarding the “Allowed Uploads” plugin?
Thanks - WKLyons
I am using 3.1.2.1
WKLyons
Hi @wklyons,
It looks like the plugin gallery is missing the listing for that plugin that’s compatible with OJS 3.1.2-x. It’s available here for download as a .tar.gz file: Releases · ajnyga/allowedUploads · GitHub
I’ll update its compatibility listing soon, but in the meantime if you have Site Administrator access you can upload the plugin’s .tar.gz package into the plugins area directly.
Regards,
Alec Smecher
Public Knowledge Project Team
Great - I’ll give that a try (probably tomorrow), and ping you if needed.
Also, please let me know if you have any advice concerning my files directory
Thanks - WKLyons
Hi @wklyons,
The docs/README (or docs/README.md depending on your OJS version) document describes how to safely configure your files_dir.
Regards,
Alec Smecher
Public Knowledge Project Team
Ok. I’ll look through that.
I’ve downloaded, untarred and copied “allowedUploads” into the /plugins directory, but I can’t see it in the Plugins Gallery (or the Installed Plugins) page. What am I missing?
Hi @wklyons,
No, don’t try to install it manually – log into OJS as site administrator, go to your journal’s Plugins area, and hit the “Upload a New Plugin” link in the top right. You should be able to upload the .tar.gz file directly to OJS to install it.
You’ll need to clear out any manual installation of that code first.
Regards,
Alec Smecher
Public Knowledge Project Team
Ok, that worked, and I’ve enabled the plugin and set the file types.
Thanks for your help!
WKLyons
This plugin does not support OJS version 3.4.
Hi @fairuz,
The Allowed Uploads plugin is a 3rd-party plugin; you might contact the author to see if/when they plan to upgrade it for 3.4.0.
Regards,
Alec Smecher
Public Knowledge Project Team