Error sending files in anonymous forms
Code of Conduct
- [x] I agree to follow this project's Code of Conduct
Is there an existing issue for this?
- [x] I have searched the existing issues
Version
GLPI-Beta 11.0.4
Bug description
In my company, the most valuable feature of GLPI is the functionality of opening anonymous calls and the possibility of sending files, such as prints, in these calls. I am testing version 11 of GLPI, with its native forms, but I still cannot send files through the anonymous form.
Relevant log output
glpi.CRITICAL: *** Uncaught PHP Exception Glpi\Exception\SessionExpiredException: "" at Session.php line 1015
Backtrace :
./src/Session.php:1015
./src/Session.php:1130 Session::checkValidSessionId()
./src/Glpi/Http/Firewall.php:149 Session::checkLoginUser()
...trollerListener/FirewallStrategyListener.php:72 Glpi\Http\Firewall->applyStrategy()
...ymfony/event-dispatcher/EventDispatcher.php:260 Glpi\Kernel\Listener\ControllerListener\FirewallStrategyListener->onKernelController()
...ymfony/event-dispatcher/EventDispatcher.php:220 Symfony\Component\EventDispatcher\EventDispatcher::Symfony\Component\EventDispatcher\{closure}()
...symfony/event-dispatcher/EventDispatcher.php:56 Symfony\Component\EventDispatcher\EventDispatcher->callListeners()
./vendor/symfony/http-kernel/HttpKernel.php:169 Symfony\Component\EventDispatcher\EventDispatcher->dispatch()
./vendor/symfony/http-kernel/HttpKernel.php:76 Symfony\Component\HttpKernel\HttpKernel->handleRaw()
./vendor/symfony/http-kernel/Kernel.php:197 Symfony\Component\HttpKernel\HttpKernel->handle()
./public/index.php:56 Symfony\Component\HttpKernel\Kernel->handle()
Page URL
https://atende11.proderj.rj.gov.br/Form/Render/3?token=bkYt4ZNETQXG4JouYjxUwkw5pSbmvwW6nWPByW5m
Steps To reproduce
- Create a form with a field "Files"
- Check the "Allow unauthenticated users"
- Access the form in another browser or in private mode
- Try to send a file and see the error message
Your GLPI setup information
GLPI information
GLPI: 11.0.0-dev ( => /var/www/html/glpi) Installation mode: TARBALL Current language: en_US
Server
Operating system: Linux FadinhaWBH 5.14.0-503.33.1.el9_5.x86_64 #1 SMP PREEMPT_DYNAMIC Wed Mar 12 12:08:50 EDT 2025 x86_64
PHP: 8.2.28 fpm-fcgi
PHP extensions: Core, date, libxml, openssl, pcre, zlib, filter, hash, json, random, Reflection, SPL, session, standard, cgi-fcgi, bcmath, bz2, calendar, ctype, curl, dom, mbstring, fileinfo, ftp, gd, gettext, iconv, intl, ldap, exif, mysqlnd, PDO, Phar, SimpleXML, sockets, sodium, sqlite3, tokenizer, xml, xmlwriter, xsl, mysqli, pdo_mysql, pdo_sqlite, xmlreader, zip, Zend OPcache
Setup: max_execution_time="30" memory_limit="128M" post_max_size="8M" safe_mode="" session.save_handler="files" upload_max_filesize="2M" disable_functions=""
Web server: Apache/2.4.62 (Red Hat Enterprise Linux) OpenSSL/3.2.2 ()
User agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36
Database:
Server Software: MySQL Community Server - GPL
Server Version: 8.0.33
Server SQL Mode: STRICT_TRANS_TABLES,NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,NO_ENGINE_SUBSTITUTION
Parameters: [email protected]/glpialpha
Host info: 10.11.63.137 via TCP/IP
Requirements: PHP version (8.2.28) is supported. OS and PHP are relying on 64 bits integers. Sessions configuration is OK. Allocated memory is sufficient. Following extensions are installed: dom, fileinfo, filter, libxml, json, simplexml, xmlreader, xmlwriter. mysqli extension is installed. curl extension is installed. gd extension is installed. intl extension is installed. mbstring extension is installed. zlib extension is installed. bcmath extension is installed. The constant SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_NPUBBYTES is present. openssl extension is installed. Database engine version (8.0.33) is supported. No files from previous GLPI version detected. The log file has been created successfully. Write access to /var/www/html/glpi/files/_cache has been validated. Write access to /var/www/html/glpi/files/_cron has been validated. Write access to /var/www/html/glpi/files has been validated. Write access to /var/www/html/glpi/files/_graphs has been validated. Write access to /var/www/html/glpi/files/_lock has been validated. Write access to /var/www/html/glpi/files/_pictures has been validated. Write access to /var/www/html/glpi/files/_plugins has been validated. Write access to /var/www/html/glpi/files/_rss has been validated. Write access to /var/www/html/glpi/files/_sessions has been validated. Write access to /var/www/html/glpi/files/_tmp has been validated. Write access to /var/www/html/glpi/files/_uploads has been validated. For security reasons, SELinux mode should be Enforcing.
Sessions configuration is secured. exif extension is installed. ldap extension is installed. openssl extension is installed. Following extensions are installed: bz2, Phar, zip. Zend OPcache extension is installed. Following extensions are installed: ctype, iconv, sodium. Write access to /var/www/html/glpi/marketplace has been validated. Access to timezone database (mysql) is not allowed.
GLPI constants
GLPI_ROOT: "/var/www/html/glpi" GLPI_VERSION: "11.0.0-dev" GLPI_SCHEMA_VERSION: "11.0.0-dev@3e09895a6dd676834c637533b49623b5b20aaac2" GLPI_FILES_VERSION: "11.0.0-dev-7111962e" GLPI_MIN_PHP: "8.2" GLPI_MAX_PHP: "8.4" GLPI_YEAR: "2025" GLPI_I18N_DIR: "/var/www/html/glpi/locales" GLPI_ENVIRONMENT_TYPE: "production" GLPI_CONFIG_DIR: "/var/www/html/glpi/config" GLPI_VAR_DIR: "/var/www/html/glpi/files" GLPI_MARKETPLACE_DIR: "/var/www/html/glpi/marketplace" GLPI_ALLOW_IFRAME_IN_RICH_TEXT: false GLPI_SERVERSIDE_URL_ALLOWLIST: ["#^http://[^@:]+(:80)?(/.)?$#","#^https://[^@:]+(:443)?(/.)?$#","#^feed://[^@:]+(/.)?$#"] GLPI_DISALLOWED_UPLOADS_PATTERN: "/\.(php\d|phar)$/i" GLPI_TELEMETRY_URI: "https://telemetry.glpi-project.org" GLPI_INSTALL_MODE: "TARBALL" GLPI_NETWORK_MAIL: "[email protected]" GLPI_NETWORK_SERVICES: "https://services.glpi-network.com" GLPI_MARKETPLACE_ENABLE: 3 GLPI_MARKETPLACE_PRERELEASES: true GLPI_MARKETPLACE_ALLOW_OVERRIDE: true GLPI_MARKETPLACE_MANUAL_DOWNLOADS: true GLPI_USER_AGENT_EXTRA_COMMENTS: "" GLPI_DOCUMENTATION_ROOT_URL: "https://links.glpi-project.org" GLPI_DISABLE_ONLY_FULL_GROUP_BY_SQL_MODE: "1" GLPI_LOG_LVL: "warning" GLPI_SKIP_UPDATES: false GLPI_STRICT_ENV: false GLPI_AJAX_DASHBOARD: "1" GLPI_CALDAV_IMPORT_STATE: 0 GLPI_CENTRAL_WARNINGS: "1" GLPI_SYSTEM_CRON: false GLPI_TEXT_MAXSIZE: "4000" GLPI_WEBHOOK_ALLOW_RESPONSE_SAVING: "0" GLPI_DOC_DIR: "/var/www/html/glpi/files" GLPI_CACHE_DIR: "/var/www/html/glpi/files/_cache" GLPI_CRON_DIR: "/var/www/html/glpi/files/_cron" GLPI_GRAPH_DIR: "/var/www/html/glpi/files/_graphs" GLPI_LOCAL_I18N_DIR: "/var/www/html/glpi/files/_locales" GLPI_LOCK_DIR: "/var/www/html/glpi/files/_lock" GLPI_LOG_DIR: "/var/www/html/glpi/files/_log" GLPI_PICTURE_DIR: "/var/www/html/glpi/files/_pictures" GLPI_PLUGIN_DOC_DIR: "/var/www/html/glpi/files/_plugins" GLPI_RSS_DIR: "/var/www/html/glpi/files/_rss" GLPI_SESSION_DIR: "/var/www/html/glpi/files/_sessions" GLPI_TMP_DIR: "/var/www/html/glpi/files/_tmp" GLPI_UPLOAD_DIR: 
"/var/www/html/glpi/files/_uploads" GLPI_INVENTORY_DIR: "/var/www/html/glpi/files/_inventories" GLPI_THEMES_DIR: "/var/www/html/glpi/files/_themes" GLPI_PLUGINS_DIRECTORIES: ["/var/www/html/glpi/marketplace","/var/www/html/glpi/plugins"] GLPI_NETWORK_REGISTRATION_API_URL: "https://services.glpi-network.com/api/registration/" GLPI_MARKETPLACE_PLUGINS_API_URI: "https://services.glpi-network.com/api/marketplace/"
SQL Replicas
Not active
Notifications
Way of sending emails: SMTP(smtp://relay.proderj.rj.gov.br:25?verify_peer=0)
Name: 'Atende11'
Active: Yes
Server: '{10.11.28.5:993/imap/ssl/novalidate-cert/notls}INBOX'
Login: '[email protected]'
Password: Yes
Anything else?
No response
@cconard96 could you say if this situation about sending files through anonymous forms is a bug, or is it intended that anonymous users do not send files to GLPI?
> @cconard96 could you say if this situation about sending files through anonymous forms is a bug, or is it intended that anonymous users do not send files to GLPI?
I'm not able to say one way or the other. At the very least, if anonymous forms aren't allowed to have files sent, then they shouldn't show that option at all.
Just updated to glpi-beta6 and the error is still the same.
Using the latest nightly version and a public form, the file upload keeps getting an error. I just noticed that it is not an upload problem itself, because pasting an image in another field like "long answer" works as intended. But when trying to upload the same file through the "Files" field, the error occurs.
Are you sure you are able to do this on GLPI 10, with the formcreator plugin?
If I recall correctly, this possibility was removed in GLPI 10.0.5 due to security concerns, see https://github.com/glpi-project/glpi/issues/16363.
In this case I guess we should disable the "File" question type for unauthenticated forms.
We use GLPI 10.0.3 and haven't upgraded further yet because sending files as anonymous users is one of the most crucial features for us. We really hoped that GLPI 11 would bring some kind of workaround to allow sending files, even if just some extensions, like PDF, were permitted.
This won't be changed, see https://github.com/glpi-project/glpi/issues/16363#issuecomment-1891592073
In our case, we have GLPI 10.0.5 with plugin Formcreator 2.13.4. We also assumed that GLPI 11 would bring some solution to this issue, but it hasn't. At least not for now. It is so important to us that we will remain on those versions.
@cedric-anne I guess we could add a config value (or an env flag?) to manually allow unauthenticated uploads, with a big warning message to remind administrators that this option should NEVER be used on a server that is available on the internet?
> @cedric-anne I guess we could add a config value (or an env flag?) to manually allow unauthenticated uploads, with a big warning message to remind administrators that this option should NEVER be used on a server that is available on the internet?
Yes, like we have a GLPI_ALLOW_IFRAME_IN_RICH_TEXT security env variable that can be redefined.
So you prefer an env var? The advantage of the config option is that we can put a big warning next to it.
If we go with an env var, maybe a warning message on the central home page when we detect that the var is used then?
If you have time to add a config option, it is indeed better.
OMG, thank you so much, guys! @AdrienClairembault if this new config allowed selecting just some extensions to be sent in anonymous forms, even better.
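The opt-in setting and per-extension restriction discussed in the comments above, sketched as an added example; it is not GLPI's code and not the implementation from #20508. The setting names and the `checkFormUpload()` helper are hypothetical, and the PNG bytes are constructed sample input.

```php
<?php
declare(strict_types=1);
// Hypothetical setting names; the option added to GLPI may be named differently.
const ANON_UPLOAD_DEFAULTS = [
    'allow_unauthenticated_uploads' => false, // opt-in, off by default
    'anonymous_upload_types' => [             // extension => expected MIME type
        'pdf' => 'application/pdf',
        'png' => 'image/png',
        'jpg' => 'image/jpeg',
    ],
    'anonymous_upload_max_bytes' => 2 * 1024 * 1024,
];

/** Returns [accepted, reason] for a file submitted through a form. */
function checkFormUpload(array $config, bool $authenticated, string $name, string $tmpPath): array
{
    $config += ANON_UPLOAD_DEFAULTS;
    if ($authenticated) {
        return [true, 'authenticated: regular upload rules apply'];
    }
    if ($config['allow_unauthenticated_uploads'] !== true) {
        return [false, 'unauthenticated uploads are disabled'];
    }
    $size = @filesize($tmpPath);
    if ($size === false || $size === 0 || $size > $config['anonymous_upload_max_bytes']) {
        return [false, 'missing, empty or oversized file'];
    }
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    $expected = $config['anonymous_upload_types'][$ext] ?? null;
    if ($expected === null) {
        return [false, "extension '$ext' is not on the allowlist"];
    }
    // Sniff the content: the client-supplied name and Content-Type are untrusted.
    $actual = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($actual !== $expected) {
        return [false, "content is '$actual', expected '$expected'"];
    }
    return [true, 'accepted'];
}

// Constructed sample input: a PNG signature plus IHDR chunk in a temp file.
$tmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp, "\x89PNG\r\n\x1a\n\x00\x00\x00\x0dIHDR" . pack('NNC5N', 1, 1, 8, 2, 0, 0, 0, 0));
$optIn = ['allow_unauthenticated_uploads' => true];
foreach ([[[], 'shot.png'], [$optIn, 'shot.png'], [$optIn, 'shot.pdf'], [$optIn, 'a.exe']] as [$cfg, $name]) {
    [$ok, $why] = checkFormUpload($cfg, false, $name, $tmp);
    printf("%-9s %s: %s\n", $name, $ok ? 'ACCEPT' : 'REJECT', $why);
}
unlink($tmp);
```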
The more of us GLPI administrators who express how important it is, for us and for the tool, to be able to attach images to incidents generated from public forms, or paste them into the text, the more feasible I believe it will be for them to seriously consider it and return, in some more limited and secure way, to that functionality.
I have a test installation of GLPI 11 on the latest version (11.0.0-rc1). It is very good but very far from being stable. So it would be very encouraging if they included a review of this possibility in the medium or long term.
Implemented in #20508.