Supporting each other

Community forums

Welcome, Guest
Username: Password: Remember me
Questions on getting Xerte Toolkits installed on your server and questions about authentication and user logins.

TOPIC:

New installation - unable to edit/preview project 11 months 1 week ago #8809

  • jayaich
  • jayaich's Avatar Topic Author
  • Offline
  • Premium Member
  • Premium Member
  • Posts: 82
  • Thank you received: 5
Yes, I got xenith.js to display the 'url' it was using in the ajax call. It showed: website_code/php/templates/get_template_xml.php?file=USER-FILES/762-jhorne-Nottingham/preview.xml&time=1702384192962

The file is valid XML and contains the 'learningObject' being looked for.

Please Log in or Create an account to join the conversation.

New installation - unable to edit/preview project 11 months 1 week ago #8810

  • tom
  • tom's Avatar
  • Away
  • Administrator
  • Administrator
  • Posts: 1283
  • Thank you received: 323
What has happened to me before is that the XML contains an invalid character (for example soft-hyphen).
You can use a tool like xmllint to check for that.

Please Log in or Create an account to join the conversation.

New installation - unable to edit/preview project 11 months 1 week ago #8811

  • jayaich
  • jayaich's Avatar Topic Author
  • Offline
  • Premium Member
  • Premium Member
  • Posts: 82
  • Thank you received: 5
Thanks for that. Yes I tried xmllint and it reported no problems with the file.

Without looking further at the ajax call I am wondering if the URL is incorrect in that it doesn't lead with a '/' character. That would probably give a not found error.

Please Log in or Create an account to join the conversation.

New installation - unable to edit/preview project 11 months 1 week ago #8812

  • jayaich
  • jayaich's Avatar Topic Author
  • Offline
  • Premium Member
  • Premium Member
  • Posts: 82
  • Thank you received: 5
Okay, I have found the problem.

xenith.js calls 'get_template_xml.php' with the USER-FILES pathname. No problem with that.
What I hadn't noticed was the very last line of 'get_template_xml.php' which also returns a 'Not found!' message. It is this that is actually being returned.
It is returned because, as mentioned our USER-FILES are held on shared storage - that is USER-FILES is a symlink off to another directory. But 'get_template_xml.php' compares that directory name against the path it is given in xenith.js, and they aren't the same.

The browser log shows (after modifying get_template_xml.php to print the pathnames):

Uncaught Error: Invalid XML: Not found! Realpath is: /mnt/share-1/xerte/USER-FILES/762-jhorne-Nottingham/preview.xml Full unsafe path is: /var/www/html/xerte-3.12/USER-FILES/762-jhorne-Nottingham/preview.xml

I suspect that if I copied my own USER-FILES onto the server local disk rather than using the share, then it would work (no share/symlink involved)

Please Log in or Create an account to join the conversation.

New installation - unable to edit/preview project 11 months 1 week ago #8813

  • tom
  • tom's Avatar
  • Away
  • Administrator
  • Administrator
  • Posts: 1283
  • Thank you received: 323
Yes, Xerte does several checks to prevent people from doing path traversal (using ../../ in paths etc) to prevent users from being able to download things like database.php or /etc/passwd

Please Log in or Create an account to join the conversation.

New installation - unable to edit/preview project 11 months 5 days ago #8816

  • jayaich
  • jayaich's Avatar Topic Author
  • Offline
  • Premium Member
  • Premium Member
  • Posts: 82
  • Thank you received: 5
I have patched the 'get_template_xml.php' file to cater for our case. Basically it checks the given pathname to see if '..' is present in it. If it is, then an error is returned, if is not present then the file contents are returned. I can now see my projects, and preview or edit them.

I have attached a diff patch file.
Attachments:

Please Log in or Create an account to join the conversation.

Time to create page: 0.055 seconds
Copyright © 2024 The Xerte Project.
Xerte logo Apereo logo OSI Logo

Search