I'm trying to build a simple upload form.

I'm using jQuery upload (https://github.com/blueimp/jQuery-File-Upload/archive/master.zip)

with a simple form (http://pastebin.com/wCUB2EkR) (data-url="server/php/?index.php")

I put index.html and .js into my "www" dir and server/php/[index.php,UploadHandler.php] into the csp folder. I added "exit(200);" to the end of "server/php/index.php" so as not to get an empty response.

I changed the "entity_size" to avoid the 413 error (Request Entity Too Large).

When I try to upload a file I have several issues:

In the G-WAN console I have this output:

sh: 2: Content-Disposition:: not found sh: 3: Content-Type:: not found : not found

In the access.log I have this "[Mon Feb 25 10:29:53 2013 GMT] xxx "POST /server/php/?index.php" 127 828 "http://yy:8080/index.html"

I'm using the latest version (4.2.19)

[UPDATE] Security issue?

I just noticed a horrible behavior (linked with the result of my GWAN output...)

Instead of the "server/php/?index.php" I use a simple Perl script which gets the STDIN and prints it to a file (http://pastebin.com/SnXkjFya)

To test, I tried to upload a .sh script with sample commands and noticed in the GWAN console that the server actually tries to execute all the commands inside my .sh file...

I tried with another file (named test.txt) which contains "touch testgwan", uploaded through an upload form with POST.

The file "testgwan" was created at the root of the GWAN dir...

I'm doing something wrong, for sure, but GWAN should not execute commands with a "post"...


UPDATE:

As we could not duplicate this issue, Geoffrey emailed us his tests on the following platforms (he is using an AMD Phenom(tm) II X4 955 Processor and an unnamed hypervisor):

Ubuntu 12.04 32bits, G-WAN 4.2.19: problem
Ubuntu 12.04 32bits, G-WAN 4.2.27: OK

Ubuntu 10.04 32Bits, G-WAN 4.2.19: OK
Ubuntu 10.04 64Bits, G-WAN 4.2.19: OK

Ubuntu 10.04 32Bits, G-WAN 4.2.27: OK
Ubuntu 10.04 64Bits, G-WAN 4.2.27: OK

So, for Geoffrey, the latest release of G-WAN has resolved his issue, and the previous version of G-WAN has had this problem with Ubuntu 12.04 32bits only.

Cœur
  • Despite your edits, your code still does not run: *"jQuery File Upload Plugin Test: Tests completed in 386 milliseconds. 0 tests of 140 passed, 140 failed."* Try to make it run, then people will have a chance to tell you what is going on... – Gil Feb 27 '13 at 07:40
  • FYI, the Perl and Python scripts you gave fail to run on my laptop. If possible, try to simplify your test. – Eli Feb 27 '13 at 11:44
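
An added example (not part of the original question, and not G-WAN or jQuery-File-Upload code): a console-log check for the symptom quoted in the question, where `sh` reports MIME part headers as unknown commands, which means a request body was read by a shell. The function names and the `gcc` control line are constructed for illustration.

```python
import re

# dash error format from the console output in the question:
#   sh: <script line>: <word>: not found
SH_NOT_FOUND = re.compile(r"sh: (\d+): (.*?): not found")
# A header field name followed by its colon, e.g. "Content-Type:"
HEADER_WORD = re.compile(r"^[A-Za-z][A-Za-z0-9-]*:$")

# Constructed sample: the first line is an ordinary missing command (control),
# the rest is the console output quoted in the question.
CONSOLE_SAMPLE = (
    "sh: 1: gcc: not found\n"
    "sh: 2: Content-Disposition:: not found "
    "sh: 3: Content-Type:: not found : not found\n"
)


def header_hits(console_text):
    """Return (script_line, header_word) for each shell error whose
    'command' is an HTTP/MIME header name."""
    hits = []
    for m in SH_NOT_FOUND.finditer(console_text):
        word = m.group(2)
        if HEADER_WORD.match(word):
            hits.append((int(m.group(1)), word))
    return hits


def looks_like_multipart_part(hits):
    """True when Content-Disposition and Content-Type were read as
    consecutive script lines, the layout of a multipart/form-data part."""
    lines = {word.lower(): n for n, word in hits}
    cd = lines.get("content-disposition:")
    ct = lines.get("content-type:")
    return cd is not None and ct is not None and ct == cd + 1


if __name__ == "__main__":
    found = header_hits(CONSOLE_SAMPLE)
    for n, word in found:
        print(f"shell read request-body line {n} as a command: {word}")
    print("multipart body reached a shell:", looks_like_multipart_part(found))
```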

2 Answers

If you look at the entity.c example provided with G-WAN (the one we know the source code of), then you will see that there is no possibility for G-WAN to "execute" a POST entity.

When explicitly authorized to do so, G-WAN will upload the POST entity up to the limit you have defined - and that's the only thing it does.

Now, since you are not providing the source code of your PHP and Python scripts (both of which are blindly executed by G-WAN), there is little chance for anybody to tell you what you are doing wrong.

Given your level of English, you will probably gain from contacting the G-WAN support team, who speaks French, like you.

Gil

As G-WAN is not open source (and I understand why and agree with your view), I can't tell you why G-WAN is acting like that.

I'm providing the source code, even "PHP" files.

These files are in the "master.zip" in the jQuery upload file, my first link.

Forget the PHP, Perl or Python script content. I have the exact same behavior with a "hello world" Perl script. (print "helloworld";)

There is a strange behavior with GWAN and I guess a security issue (as GWAN executes all the commands in the input file).

My form sends the input file to a "helloworld" Perl script BUT GWAN executes all the commands inside the file (like GWAN does a "sh test.txt").

My issue may interest other people trying GWAN, so I will continue to answer here, even if my English is not perfect.

PS: Don't belittle a potential customer. Your reputation is not that good. In French we would say "Donner le bâton pour se faire battre".

  • Thanks for providing code now but when running it, I get fatal errors: **"jQuery File Upload Plugin Test: Tests completed in 386 milliseconds. 0 tests of 140 passed, 140 failed"**. And the program stops there. Any suggestion about how to make your test run? – Gil Feb 27 '13 at 08:46