EPrints Technical Mailing List Archive

See the EPrints wiki for instructions on how to join this mailing list and related information.

Message: #08242



Re: [EP-tech] Problem with eprints 3.4 file restricted

  • To: Ajunk Pracetio <prazetyo@gmail.com>
  • Subject: Re: [EP-tech] Problem with eprints 3.4 file restricted
  • From: David R Newman <drn@ecs.soton.ac.uk>
  • Date: Fri, 10 Jul 2020 11:26:55 +0100

Hi Agung Prasetyo W.,

Whilst the multiple versions of the same file are useful to allow local configuration to override core configuration, it can sometimes cause confusion like this.  The GitHub issue refers to fixing the general issue so that when you create a new repository it will not suffer from this bug.  Unfortunately, it does not help fix existing repositories.  It was something that could not be accounted for when it was originally written many years ago, as it could not have been known that how Perl interacted with Apache would change in Apache 2.4 and therefore create this security bug.

Regards

David Newman

On 10/07/2020 10:27, Ajunk Pracetio wrote:
Hi,

After I searched my archives/repo_name/cfg/cfg.d/ directory and changed security.pl like you said, the file successfully cannot be downloaded. I'm sorry for my misperception; I read on GitHub that it says the defaultcfg/cfg/d/ directory.

Thank you very much, David and Yuri, for all your help.

Best regards,
Agung Prasetyo W.

On Fri, Jul 10, 2020 at 3:38 PM David R Newman <drn@ecs.soton.ac.uk> wrote:

Hi Agung Prasetyo Wibowo,

It does not look like the reason the file is accessible is due to caching and it does not sound like you have coversheets enabled, which can cause some issues with file access.  As I said in a previous email, you can check that EPRINTS_PATH/archives/ARCHIVE_NAME/cfg/cfg.d/security.pl uses the correct method to look up an IP address, which is

my $ip = $doc->repository->remote_ip();

(and not my $ip = $r->connection()->remote_ip();)

Beyond this, I think it is worth tailing your webserver log files whilst trying to download this file to see if you are getting any errors.  On RedHat/CentOS/Fedora this would be something like:

tail -f /var/log/httpd/error_log /var/log/httpd/ssl_error_log

I am not sure if you have HTTPS enabled.  If you don't then you need not include ssl_error_log in the command line above.

Regards

David Newman


On 10/07/2020 09:30, Ajunk Pracetio wrote:

Hi,

Is there any file that I must check so that my file can be restricted?

Please, I need your help.

Thank you

Best regards.
Agung Prasetyo Wibowo

On Fri, Jul 10, 2020 at 9:13 AM Ajunk Pracetio via Eprints-tech <eprints-tech@ecs.soton.ac.uk> wrote:
Hi,

I already tried another browser, but the file can still be downloaded.

On Thu, Jul 9, 2020 at 3:39 PM Yuri via Eprints-tech <eprints-tech@ecs.soton.ac.uk> wrote:
Hi!

  Did you try with another browser? If it works, then if it was the same
browser, it is downloading from the cache even if you log out.

On 09/07/20 09:59, Ajunk Pracetio via Eprints-tech wrote:
> Why, in my EPrints 3.4, can my document still be downloaded when it is
> restricted to user only?
>
> I have also read https://eur03.safelinks.protection.outlook.com/?url="">
> and configured the suggested files, but the files can still be downloaded.
>
> Please help.
>
> Regards,
> Agung Prasetyo W.
>
> *** Options:
http://mailman.ecs.soton.ac.uk/mailman/listinfo/eprints-tech
> *** Archive: https://eur03.safelinks.protection.outlook.com/?url="">
> *** EPrints community wiki:
https://eur03.safelinks.protection.outlook.com/?url="">

*** Options:
http://mailman.ecs.soton.ac.uk/mailman/listinfo/eprints-tech
*** Archive: http://www.eprints.org/tech.php/
*** EPrints community wiki: http://wiki.eprints.org/
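
The check described in the thread above (the per-archive security.pl should call $doc->repository->remote_ip() and not $r->connection()->remote_ip()) can be run across every archive at once. The script below is an added example, not part of the original messages and not EPrints code; the function names and the sample tree are constructed for illustration, and it assumes the archives/ARCHIVE_NAME/cfg/cfg.d/ layout quoted in the thread.

```shell
#!/bin/sh
# Added example (not EPrints code). The sample files below are constructed.

# Print "correct", "outdated" or "unknown" for one security.pl file.
classify_security_pl() {
    # Ignore Perl comment lines so a commented-out old call is not counted.
    active=$(grep -v '^[[:space:]]*#' "$1" || true)
    if printf '%s\n' "$active" | grep -Eq 'connection\(\)[[:space:]]*->[[:space:]]*remote_ip'; then
        echo outdated      # still uses $r->connection()->remote_ip()
    elif printf '%s\n' "$active" | grep -Eq 'repository[[:space:]]*->[[:space:]]*remote_ip'; then
        echo correct       # uses $doc->repository->remote_ip()
    else
        echo unknown       # no IP lookup found; inspect the file by hand
    fi
}

# Check the per-archive copy for every archive under EPRINTS_PATH ($1).
# Output: one "status<TAB>path" line per security.pl found.
audit_archives() {
    for f in "$1"/archives/*/cfg/cfg.d/security.pl; do
        [ -f "$f" ] || continue
        printf '%s\t%s\n' "$(classify_security_pl "$f")" "$f"
    done
}

# Build a constructed sample tree with two archives and print its path.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/archives/repo_a/cfg/cfg.d" "$root/archives/repo_b/cfg/cfg.d"
    printf '%s\n' 'my $ip = $r->connection()->remote_ip();' \
        > "$root/archives/repo_a/cfg/cfg.d/security.pl"
    printf '%s\n' '# my $ip = $r->connection()->remote_ip();' \
        'my $ip = $doc->repository->remote_ip();' \
        > "$root/archives/repo_b/cfg/cfg.d/security.pl"
    echo "$root"
}

# Usage: sh audit_security_pl.sh /path/to/eprints
if [ -n "${1:-}" ]; then audit_archives "$1"; fi
```

Any archive reported as "outdated" is one where the local copy still needs the change discussed in this thread, regardless of what the core default configuration contains.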