
eprints_tech messages

Re: [EP-tech] Problem with eprints 3.4 file restricted

From: David R Newman via Eprints-tech <eprints-tech AT ecs.soton.ac.uk>
Date: Fri, 10 Jul 2020 11:26:55 +0100




Hi Agung Prasetyo W.,

Whilst the multiple versions of the same file are useful to allow local 
configuration to override core configuration, it can sometimes cause 
confusion like this.  The GitHub issue refers to fixing the general 
issue so that when you create a new repository it will not suffer from 
this bug.  Unfortunately, it does not help fix existing repositories.  
It was something that could not be accounted for when it was originally 
written many years ago, as it could not have been known that how Perl 
interacted with Apache would change in Apache 2.4 and therefore create 
this security bug.

Regards

David Newman

On 10/07/2020 10:27, Ajunk Pracetio wrote:
> Hi,
>
> After I searched my archives/repo_name/cfg/cfg.d/ directory and
> changed security.pl like you said, the file successfully cannot be
> downloaded. I'm sorry for my misperception; I read on GitHub that it
> says the defaultcfg/cfg/d/ directory.
>
> Thank you very much, David and Yuri, for all your help.
>
> Best regards,
> Agung Prasetyo W.
>
> On Fri, Jul 10, 2020 at 3:38 PM David R Newman
> <drn AT ecs.soton.ac.uk> wrote:
>
>     Hi Agung Prasetyo Wibowo,
>
>     It does not look like the reason the file is accessible is due to
>     caching and it does not sound like you have coversheets enabled
>     which can cause some issues with file access.  As I said in a
>     previous email you can check that
>     EPRINTS_PATH/archives/ARCHIVE_NAME/cfg/cfg.d/security.pl
>     uses the correct method to look up an IP address, which is
>
>     my $ip = $doc->repository->remote_ip();
>
>     (and not my $ip = $r->connection()->remote_ip();)
>
>     Beyond this, I think it is worth tailing your webserver log files
>     whilst trying to download this file to see if you are getting any
>     errors.  On RedHat/CentOS/Fedora this would be something like:
>
>     tail -f /var/log/httpd/error_log /var/log/httpd/ssl_error_log
>
>     I am not sure if you have HTTPS enabled.  If you don't then you
>     need not include ssl_error_log in the command line above.
>
>     Regards
>
>     David Newman
>
>
>     On 10/07/2020 09:30, Ajunk Pracetio wrote:
>
>>     Hi,
>>
>>     Is there any file that I must check so that my file can be
>>     restricted?
>>
>>     Please, I need your help.
>>
>>     Thank you
>>
>>     Best regards.
>>     Agung Prasetyo Wibowo
>>
>>     On Fri, Jul 10, 2020 at 9:13 AM Ajunk Pracetio via Eprints-tech
>>     <eprints-tech AT ecs.soton.ac.uk> wrote:
>>
>>         Hi,
>>
>>         I already tried on another browser, but the file can still
>>         be downloaded.
>>
>>         On Thu, Jul 9, 2020 at 3:39 PM Yuri via Eprints-tech
>>         <eprints-tech AT ecs.soton.ac.uk> wrote:
>>
>>             Hi!
>>
>>             did you try with another browser? If it works, then if
>>             it was the same browser, it is downloading from the cache
>>             even if you log out.
>>
>>             On 09/07/20 09:59, Ajunk Pracetio via Eprints-tech
>>             wrote:
>>             > Why is it that in my eprints 3.4, when my document is
>>             > restricted to user only, it can still be downloaded?
>>             >
>>             > I have also read
>>             > https://github.com/eprints/eprints/issues/322
>>             > and configured the suggested files, but the files can
>>             > still be downloaded.
>>             >
>>             > Please help.
>>             >
>>             > Regards,
>>             > Agung Prasetyo W.
>>             >
>



*** Options: http://mailman.ecs.soton.ac.uk/mailman/listinfo/eprints-tech *** Archive: http://www.eprints.org/tech.php/ *** EPrints community wiki: http://wiki.eprints.org/
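
The check discussed in this thread can be run across every copy of security.pl under a directory tree. The script below is an added example, not part of the original messages or of EPrints; it reports whether each copy still uses the `$r->connection()->remote_ip()` lookup or the `$doc->repository->remote_ip()` call David gives. The function names and the demo repository names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not EPrints code: report which security.pl copies still use
# the Apache connection object for the client IP lookup.

# classify_security_pl FILE -> prints legacy | ok | unknown
classify_security_pl() {
    # Ignore Perl comment lines so a commented-out old call is not flagged.
    code=$(grep -v '^[[:space:]]*#' "$1" || true)
    if printf '%s\n' "$code" | grep -Eq 'connection(\(\))?[[:space:]]*->[[:space:]]*remote_ip'; then
        echo legacy      # $r->connection()->remote_ip(): the call to replace
    elif printf '%s\n' "$code" | grep -Eq 'repository(\(\))?[[:space:]]*->[[:space:]]*remote_ip'; then
        echo ok          # $doc->repository->remote_ip(): the call David gives
    else
        echo unknown     # no IP lookup found; inspect by hand
    fi
}

# audit_tree ROOT -> one "STATUS<TAB>PATH" line per security.pl under ROOT
audit_tree() {
    find "$1" -type f -name security.pl | sort | while IFS= read -r f; do
        printf '%s\t%s\n' "$(classify_security_pl "$f")" "$f"
    done
}

# make_demo_tree DIR: constructed sample files (repository names are made up)
make_demo_tree() {
    mkdir -p "$1/archives/repo_old/cfg/cfg.d" "$1/archives/repo_fixed/cfg/cfg.d"
    cat > "$1/archives/repo_old/cfg/cfg.d/security.pl" <<'EOF'
my $ip = $r->connection()->remote_ip();
EOF
    cat > "$1/archives/repo_fixed/cfg/cfg.d/security.pl" <<'EOF'
# my $ip = $r->connection()->remote_ip();
my $ip = $doc->repository->remote_ip();
EOF
}

# With a path argument audit that tree; with none, run on the constructed demo.
if [ "$#" -gt 0 ]; then
    audit_tree "$1"
else
    demo=$(mktemp -d) && make_demo_tree "$demo" && audit_tree "$demo"
    rm -rf "$demo"
fi
```

Pass the EPrints installation path as the first argument to audit a real tree; any copy reported as `legacy` under an archive's cfg.d directory is the one to change for an existing repository.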
