Saturday, January 19, 2019
grimoire@muc.metronome.im
Metronome IM "cook" book room | Support and Dev talk about the Metronome XMPP server.

Latest stable version build is: 4.0.3

For more information you can visit: https://metronome.im

Room logs can be found here: https://muc.metronome.im/logs/grimoire/

* Links *
<==========================================================>
- Building & Installation:
https://metronome.im/building
- Documentation:
https://metronome.im/documentation
- Issues Tracker:
https://github.com/maranda/metronome/issues
<==========================================================>

[10:36:56] <massimiliano> one question.
which is the right token? the static one or the more random one?
[10:42:02] <Maranda> There's no right or wrong. Metronome computes the token based on the secret and the iq request's file size and mime type. The token is then recomputed by the script using file size, mime type and secret, and matched against the one sent in the token variable
[10:43:32] <Maranda> nginx FastCGI module is mangling and/or messing the headers and not forwarding 'em all I think
[10:51:09] <massimiliano> i need to pin out which variable it is that gets wrong
[10:54:37] <massimiliano> i understand it matches local digest = HMAC(secret, message, true); with $calculated_token = hash_hmac('sha256', "$upload_file_name\0$upload_file_size\0$upload_file_type", $CONFIG_SECRET);
[10:54:51] <massimiliano> *it needs to match
[10:58:06] <massimiliano> if i edit if(hash_equals($calculated_token, $upload_token) !== TRUE) { to === TRUE
Then i can upload
[10:58:43] <massimiliano> just saying
[10:58:53] <massimiliano> not the solution of course
[11:08:09] <Maranda> massimiliano: what did I say about not messing..? 🤦‍♂️ Of course it works that way, you reversed the match. Now whenever the token doesn't match you'll be able to upload, but that also allows indiscriminate uploads.
[11:08:53] <massimiliano> i said just saying
[11:09:01] <massimiliano> didn't change stuff
[11:09:14] <massimiliano> :-)
[11:09:34] <massimiliano> no worries
[11:14:16] <massimiliano> Maranda, i found that $upload_file_name is empty, added it in error_log to pin out
[11:15:16] <massimiliano> so it goes wrong here *substr($_SERVER['PHP_SELF'], strlen($_SERVER['SCRIPT_NAME'])+1);*
[11:35:32] <massimiliano> Maranda, i get /index.php for both $_SERVER['PHP_SELF'] and $_SERVER['SCRIPT_NAME'] as result. what is the expected response?

[11:40:44] <massimiliano> stupid question
[11:40:53] <massimiliano> the file name
[11:40:59] <massimiliano> of the upload