[EP-tech] Problem with eprints 3.4 file restricted
David R Newman
drn at ecs.soton.ac.uk
Fri Jul 10 11:26:55 BST 2020
Hi Agung Prasetyo W.,
Whilst the multiple versions of the same file are useful to allow local
configuration to override core configuration, it can sometimes cause
confusion like this. The GitHub issue refers to fixing the general
issue so that when you create a new repository it will not suffer from
this bug. Unfortunately, it does not help fix existing repositories.
It was something that could not be accounted for when it was originally
written many years ago, as it could not have been known that how Perl
interacted with Apache would change in Apache 2.4 and therefore create
this security bug.
Regards
David Newman
On 10/07/2020 10:27, Ajunk Pracetio wrote:
> Hi,
>
> After I search on my archives/repo_name/cfg/cfg.d/ directory and
> change the security.pl
> like you said, the file successfully can not be downloaded. I'm sorry for
> my misperception that I read on GitHub it says on defaultcfg/cfg/d/
> directory.
>
> Thank you very much David and Yuri for all your help.
>
> Best regards,
> Agung Prasetyo W.
>
> On Fri, Jul 10, 2020 at 3:38 PM David R Newman <drn at ecs.soton.ac.uk> wrote:
>
> Hi Agung Prasetyo Wibowo,
>
> It does not look like the reason the file is accessible is due to
> caching and it does not sound like you have coversheets enabled
> which can cause some issues with file access. As I said in a
> previous email you can check that
> EPRINTS_PATH/archives/ARCHIVE_NAME/cfg/cfg.d/security.pl
> uses the correct method to look up an IP address, which is
>
> my $ip = $doc->repository->remote_ip();
>
> (and not my $ip = $r->connection()->remote_ip();)
>
> Beyond this, I think it is worth tailing your webserver log files
> whilst trying to download this file to see if you are getting any
> errors. On RedHat/CentOS/Fedora this would be something like:
>
> tail -f /var/log/httpd/error_log /var/log/httpd/ssl_error_log
>
> I am not sure if you have HTTPS enabled. If you don't then you
> need not include ssl_error_log in the command line above.
>
> Regards
>
> David Newman
>
>
> On 10/07/2020 09:30, Ajunk Pracetio wrote:
>
>> Hi,
>>
>> Is there any file that I must check so that my file can be
>> restricted?
>>
>> Please, I need your help.
>>
>> Thank you
>>
>> Best regards.
>> Agung Prasetyo Wibowo
>>
>> On Fri, Jul 10, 2020 at 9:13 AM Ajunk Pracetio via Eprints-tech
>> <eprints-tech at ecs.soton.ac.uk> wrote:
>>
>> Hi,
>>
>> I already tried on another browser, but the file can still be
>> downloaded.
>>
>> On Thu, Jul 9, 2020 at 3:39 PM Yuri via Eprints-tech
>> <eprints-tech at ecs.soton.ac.uk> wrote:
>>
>> Hi!
>>
>> Did you try with another browser? If it works, then if
>> it was the same
>> browser, it is downloading from the cache even if you log out.
>>
>> On 09/07/20 09:59, Ajunk Pracetio via Eprints-tech wrote:
>> > Why, in my EPrints 3.4, when my document is restricted to users only,
>> > can it still be downloaded?
>> >
>> > I have also read https://github.com/eprints/eprints/issues/322
>> > and configured the suggested files, but the files can
>> still be downloaded.
>> >
>> > Please help.
>> >
>> > Regards,
>> > Agung Prasetyo W.
>> >
>> > *** Options: http://mailman.ecs.soton.ac.uk/mailman/listinfo/eprints-tech
>> > *** Archive: http://www.eprints.org/tech.php/
>> > *** EPrints community wiki: http://wiki.eprints.org/
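Added example (not part of the original thread and not EPrints project code): a shell check that walks every archive under an EPrints install and reports whether its local cfg/cfg.d/security.pl still contains the `$r->connection()->remote_ip()` lookup that the thread says to replace with `$doc->repository->remote_ip()`. The function names and the sample tree are constructed for illustration; the path layout is the one quoted in the thread.

```shell
#!/bin/sh
# Usage: audit_security_pl EPRINTS_PATH   (EPRINTS_PATH is site-specific)
# Prints one line per archive: "<archive> OLD", "<archive> OK" or
# "<archive> MISSING". Returns non-zero if any archive is OLD.
audit_security_pl() {
    eprints_path=$1
    rc=0
    for dir in "$eprints_path"/archives/*/; do
        [ -d "$dir" ] || continue
        name=$(basename "$dir")
        f="${dir}cfg/cfg.d/security.pl"
        if [ ! -f "$f" ]; then
            # No local override: the archive relies on some other copy.
            echo "$name MISSING"
        elif grep -v '^[[:space:]]*#' "$f" |
             grep -Eq 'connection(\(\))?[[:space:]]*->[[:space:]]*remote_ip'; then
            # Non-comment line still uses the old connection-based lookup.
            echo "$name OLD"
            rc=1
        else
            echo "$name OK"
        fi
    done
    return $rc
}

# Constructed sample tree for trying the audit offline (not real archives):
# alpha uses the old lookup, beta the corrected one, gamma has no local file.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/archives/alpha/cfg/cfg.d" \
             "$root/archives/beta/cfg/cfg.d" \
             "$root/archives/gamma/cfg"
    printf '%s\n' 'my $ip = $r->connection()->remote_ip();' \
        > "$root/archives/alpha/cfg/cfg.d/security.pl"
    printf '%s\n' '# my $ip = $r->connection()->remote_ip();' \
                  'my $ip = $doc->repository->remote_ip();' \
        > "$root/archives/beta/cfg/cfg.d/security.pl"
    echo "$root"
}
```

Run it as `audit_security_pl "$(make_sample_tree)"` to see all three outcomes; an archive reported as OLD is one whose local file needs the change described in the thread.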