Supporting each other

Community forums

Report any technical problems you discover and discuss solutions.

TOPIC:

Antivirus? 9 years 3 months ago #3019

  • jayaich
Hello,

I'm just trying to see how the antivirus check on Xerte 3.0 works.
I created a project, which gave me a new window, clicked on the '+' (insert) button, and then selected 'Media'->'Graphics and Sound'->'At end'. To the right of the 'Image' text box is an icon to 'Import Media'. Click on this, another window pops up, and right-click on the larger window pane. This shows 'Upload files'. Clicking on that I then get a 'Select files to upload' button (as well as the drag and drop area).

By using the button I can upload files from my local PC. However, I'm not sure that there's any antivirus or filename extension checking going on. I uploaded a binary '.exe' file with no problem, also a text file with the eicar test virus in it (although it may well be that text files are not checked). I modified the 'clamscan' command options to include the '--leave-temps' option to see if the files being checked were left behind. Nothing was.

So I'm a bit lost as to whether the antivirus check is being run or not.


Thanks,

John.


Antivirus? 9 years 3 months ago #3024

  • jayaich
I made some progress with this today. The code needs a bit of jiggling (!) but I did get an uploaded file passed through the filters. Two things I noticed:
1) If the file is to be rejected then the error message gets lost. Instead a small popup appears saying something like 'Invalid JSON response'.
2) Running clamscan is quite slow on our server. It takes around 10-11 seconds to scan a 60K file. (The delay is because it loads in all the virus signatures.) With ClamAV running as a background daemon process, the scan time drops to a second or less. I've left it using clamscan because it is a good indicator that the file is being scanned.

I'll look at all this some more on Monday.


John.


Antivirus? 9 years 3 months ago #3050

  • jayaich
Well, I got this working. The antivirus check is one of 3 checks - antivirus, file extension and file MIME type. These are now called whenever a file is uploaded or imported. For zip files the check is done when the zip files are extracted. Our main intention was to prevent anything nasty getting onto the server in the first place. So if someone uploads a text file as 'abc.txt', and then renames it to 'abc.exe', that is allowed since it is still a text file - hence saves and renaming are not checked. (Actually, saving a file does do an XML validity check.)

Initially we used the ClamAV 'clamscan' command for checking, and this worked fine but was a bit slow. It depends on how often your users are going to upload things to the server. In our case it could be quite often so we decided to use the 'clamdscan' command instead (which talks to a background 'clamd' process). The problem though is that when PHP/Apache uploads a file it sets the mode so that only PHP/Apache can read it. The 'clamd' process runs under its own userid, so the antivirus check always failed with 'lstat' or permissions errors. Inserting a 'chmod 644' in the code unfortunately made no difference.

I eventually got 'clamdscan' to work by setting the PHP upload directory to the Xerte 'import' directory. (Since it was to be used for importing files, I saw no reason why it couldn't be used for uploaded ones too.) The directory group permissions were changed to that of the clamd user (the owner is still apache), and the 'chmod 644' reinstated in the code (just before the file is virus checked). The directory permissions were set to 750 (so no-one other than the apache or clamd user could see in it). This worked fine, and uploads and imports now take less than a second.



John.


Antivirus? 9 years 3 months ago #3051

  • jayaich

John Horne wrote: The problem though is that when PHP/Apache uploads a file it sets the mode so that only PHP/Apache can read it. The 'clamd' process runs under its own userid, so the antivirus check always failed with 'lstat' or permissions errors.

It turns out that under CentOS 7 Apache uses its own private tmp directory (see systemd PrivateTmp option). As such PHP can see the file, but no other process (such as 'clamd') can. So changing the upload directory is the only way that this would work.


John.
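
The three upload checks described in this thread (file extension, MIME type, then 'clamdscan'), as an added example that is not from the posts or from Xerte's own code; the allowlists, the function name and the 'file' form field are assumptions. It treats a scanner error as a rejection and always answers with valid JSON so the rejection reason is not lost.

```php
<?php
// Added example, not Xerte's code. Allowlists and names below are assumptions.
const ALLOWED_EXT  = ['txt', 'xml', 'png', 'jpg', 'mp3', 'zip'];
const ALLOWED_MIME = ['text/plain', 'text/xml', 'application/xml', 'image/png',
                      'image/jpeg', 'audio/mpeg', 'application/zip'];

/** Returns [bool $ok, string $reason]. A check that cannot run counts as a rejection. */
function check_upload(string $path, string $clientName): array
{
    // 1) Extension check on the client-supplied name.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return [false, 'file extension not allowed'];
    }
    // 2) MIME type sniffed from the content, not taken from the browser.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    if ($mime === false || !in_array($mime, ALLOWED_MIME, true)) {
        return [false, 'MIME type not allowed'];
    }
    // 3) Antivirus. clamd runs under its own userid, so the file must be
    //    readable by it. php.ini upload_tmp_dir has to point at a directory
    //    clamd can reach (owner apache, group = clamd's group, mode 750),
    //    not at Apache's systemd PrivateTmp.
    if (!chmod($path, 0644)) {
        return [false, 'antivirus check failed'];
    }
    $out = [];
    exec('clamdscan --no-summary ' . escapeshellarg($path) . ' 2>&1', $out, $rc);
    // clamdscan exit codes: 0 = clean, 1 = virus found, 2 = error.
    if ($rc === 0) {
        return [true, 'ok'];
    }
    if ($rc !== 1) {
        // Keep scanner details (lstat/permission errors) in the server log.
        error_log("clamdscan rc=$rc: " . implode(' ', $out));
    }
    return [false, $rc === 1 ? 'virus detected' : 'antivirus check failed'];
}

// Upload endpoint: the response is JSON whether the file passes or not.
if (isset($_FILES['file'])) {
    $f = $_FILES['file'];
    [$ok, $reason] = $f['error'] === UPLOAD_ERR_OK
        ? check_upload($f['tmp_name'], $f['name'])
        : [false, 'upload error ' . $f['error']];
    if (!$ok && is_file($f['tmp_name'])) {
        unlink($f['tmp_name']); // do not leave rejected files on the server
    }
    header('Content-Type: application/json');
    http_response_code($ok ? 200 : 422);
    echo json_encode(['ok' => $ok, 'message' => $reason]);
}
```

A text file containing the EICAR test string passes checks 1 and 2 and is rejected at check 3, which makes it a convenient end-to-end test that the scan is really being run.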


Copyright © 2024 The Xerte Project.