I have a PHP website, in CodeIgniter, which allows users to upload files. Upload works fine for most files, but for a few files nginx throws a 403 Forbidden error, like:

<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
</body>
</html>
<!-- a padding to disable MSIE and Chrome friendly error page -->
<!-- a padding to disable MSIE and Chrome friendly error page -->
<!-- a padding to disable MSIE and Chrome friendly error page -->
<!-- a padding to disable MSIE and Chrome friendly error page -->
<!-- a padding to disable MSIE and Chrome friendly error page -->
<!-- a padding to disable MSIE and Chrome friendly error page -->

This is one of the sample .rb files that fail to upload:

# Sample code from Programing Ruby, page 58
string = <<END_OF_STRING
    The body of the string
    is the input lines up to
    one ending with the same
    text that followed the '<<'
END_OF_STRING

If I remove '<<' from this file, the upload works. Where is this filtration happening?

I have seen the nginx error logs, nothing in there. I have seen the CodeIgniter logs, nothing there. In fact the upload request doesn't reach my CodeIgniter controller, so it must be blocked before reaching there by nginx?

Here is the upload code in JavaScript:

function upload(file, params) {
    var formData = new FormData();
    formData.append("Filedata", file);
    $.each(params, function(key, value) {
       formData.append(key, value); 
    });

    var xhr = new XMLHttpRequest();
    var action = "/upload/file";

    xhr.upload.onprogress = function(e){
        // show progress with e.loaded, e.total
    };

    xhr.onerror = function(e) { 
        // handle error
    };

    xhr.open("POST", action, true);
    xhr.send(formData);
}

On server side, I have simple code for now.

if( !isset($_FILES['Filedata']) || !file_exists($_FILES['Filedata']['tmp_name']) )
{
    die('File not submitted.');
} else { 
    // Save file code is here
}
Riz
  • Please see this link https://www.1and1.com/cloud-community/learn/web-server/nginx/solve-an-nginx-403-forbidden-error/ – Anand Pandey Sep 24 '18 at 16:50
  • https://www.scalescale.com/tips/nginx/403-forbidden-nginx/# – Anand Pandey Sep 24 '18 at 16:51
  • @AnandPandey I saw these links but this is not the issue in my case. Like I said most of the files upload fine without any error. This file also works fine if I remove '<<' characters. Seems like some content filtering is happening some where before reaching the php end. – Riz Sep 24 '18 at 17:01
  • What does your client side upload code look like? What does your server side upload handling code look like? – miknik Sep 24 '18 at 17:10
  • Related to mod security? – Alex Sep 28 '18 at 08:29
  • @ThisGuyHasTwoThumbs like I said in the question, all the files upload fine, except the ones that have the `'<` character in the file contents. So it's not a permission issue. – Riz Sep 28 '18 at 10:06
  • @Riz ah mb, skim-reading was my downfall here – treyBake Sep 28 '18 at 10:07
  • @Alex didn't get what you wanted to say. – Riz Sep 28 '18 at 10:07
  • You need to explain more about your hosting environment. For example, which nginx modules are installed, are there AV tools installed, etc. It sounds like an AV filter is rejecting certain things because they fail a heuristic test. – BA_Webimax Oct 02 '18 at 14:50
  • enable nginx debug mode and detailed log and you should find out the problem – bxN5 Oct 03 '18 at 09:52
  • U cant see => https://nginxlibrary.com/403-forbidden-error/ – demenvil Oct 04 '18 at 09:05
  • @demenvil I have tried these already, doesn't apply in my case – Riz Oct 05 '18 at 11:21
  • Is port 80 open? – demenvil Oct 05 '18 at 12:44
  • How does your JavaScript call upload()? What type of variable did you use for the "file" parameter? – cakyus Nov 19 '21 at 13:54

1 Answer

Try this in your application/config/config.php. Change

$config['permitted_uri_chars'] = 'a-z 0-9~%.:_\-';

to

$config['permitted_uri_chars'] = 'a-z 0-9~%.:_\-><';

But watch out for the security of your application.

demenvil
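
What the `permitted_uri_chars` setting from the answer above is matched against, as an added example (not code from the post or from CodeIgniter): a simplified JavaScript model that assumes the framework tests each URI segment against the setting as a character class and never looks at the request body. The function names and the `/upload/<<END` URL are constructed for illustration.

```javascript
// Added example: simplified model of CodeIgniter's permitted_uri_chars check.
// Assumption: the setting is used as a case-insensitive character class that
// each URI segment must match in full; the request body is never tested.
const DEFAULT_CHARS = 'a-z 0-9~%.:_\\-';     // value shown in the answer
const WIDENED_CHARS = 'a-z 0-9~%.:_\\-><';   // value proposed in the answer

// Return the path segments that the character class rejects.
function rejectedSegments(path, permittedChars) {
  if (!permittedChars) return [];            // empty setting disables the check
  const allowed = new RegExp('^[' + permittedChars + ']+$', 'i');
  return path
    .split('?')[0]                           // query string is not a segment
    .split('/')
    .map((s) => s.trim())
    .filter((s) => s !== '' && !allowed.test(s));
}

// Report which parts of a request the setting can influence.
function explainRequest(req, permittedChars) {
  const rejected = rejectedSegments(req.path, permittedChars);
  return {
    uriAccepted: rejected.length === 0,
    rejectedSegments: rejected,
    bodyInspected: false,                    // multipart body is out of scope
    bodyHasHeredoc: req.body.includes('<<'), // informational only
  };
}

// Constructed samples: the upload from the question (URL from upload(), Ruby
// heredoc as file content) and a constructed URL that carries '<<' itself.
const uploadRequest = {
  path: '/upload/file',
  body: 'string = <<END_OF_STRING\n    The body of the string\nEND_OF_STRING\n',
};
const heredocInUrl = { path: '/upload/<<END', body: '' };

function demo() {
  return {
    uploadDefault: explainRequest(uploadRequest, DEFAULT_CHARS),
    uploadWidened: explainRequest(uploadRequest, WIDENED_CHARS),
    urlDefault: explainRequest(heredocInUrl, DEFAULT_CHARS),
    urlWidened: explainRequest(heredocInUrl, WIDENED_CHARS),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Under this model the upload to `/upload/file` gets the same verdict with either value, while widening the class lets `<` and `>` through in URL segments, which matters wherever a segment is later echoed into HTML.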