Simple upload needs Flash, didn't work with .htaccess protection and looks distorted with Opera 9

cakruege

Joined: 2009-08-31
Posts: 6
Posted: Mon, 2009-08-31 23:19

Hi,

the simple(!) uploader needs flash, which is very bad.
A simple uploader shouldn't use this, a fancy one could use flash.
Not every user has flash.
Please include a really SIMPLE one.

If the whole gallery directory is protected with .htaccess like this

AuthName "Restricted Area"
AuthType Basic
AuthUserFile /home/user/gallery3/.htpasswd
AuthGroupFile /dev/null
require valid-user

Then upload didn't work at all!
You can upload a file and then a window from Internet Explorer pops up and asks again for the .htaccess password, but nothing happens after.

The upload window looks broken in Opera 9.

greetings
Carsten

 
floridave

Joined: 2003-12-22
Posts: 25966
Posted: Tue, 2009-09-01 05:48

Using .htaccess and .htpasswd is a very small minority of users. We are aiming for a great product with the 80/20 rule. Also see a discussion about flash:
http://gallery.menalto.com/gallery_3.0_alpha_2_released#comment-301585

Dave

_____________________________________________
Blog & G2 || floridave - Gallery Team

 
cakruege

Joined: 2009-08-31
Posts: 6
Posted: Tue, 2009-09-01 11:46

a) .htpasswd is the only way to get complete security about bugs in gallery.
It's very stupid to break this.
b) don't trust Adobe's numbers on an Adobe product

simple uploader like in Gallery2 (which accepts .zip-archive for multiple files) would be a perfect fallback.

 
floridave

Joined: 2003-12-22
Posts: 25966
Posted: Thu, 2009-09-03 01:31
Quote:
htpasswd is the only way to get complete security about bugs in gallery.

The Gallery project treats security issues very seriously. If you find a security flaw, please do not file a public bug or discuss it in a public forum. Please escalate it directly to our security team by sending an email to security AT gallery.menalto.com. Please provide as much information as you can including your version of Gallery and a description of the flaw.

Dave
_____________________________________________
Blog & G2 || floridave - Gallery Team

 
cakruege

Joined: 2009-08-31
Posts: 6
Posted: Thu, 2009-09-03 11:25

Hi,

you misunderstand what I mean.

I'd like to protect the whole gallery3 directory with htaccess.
If user management in gallery has a bug it's not so dangerous because only a small group of people can exploit it.
The simple uploader prevents using htaccess. It's impossible to upload pictures while gallery is htaccess protected.
No cgi application should interfere with htaccess configuration.

Maybe protecting my gallery is against your 80/20 rule but for me gallery3 is unusable, because I can't secure it enough for my needs.
If security is an important goal then you should care about people who like it secure.

about flash uploader itself:
-many many many one click hosters have good non-flash upload forms with status information (status bar, estimated times, speed per second, etc.)
-multi file upload works good for ~5 single files or easier with .zip-upload
-no need to throw away your flash loader but implement a really simple one, too

 
floridave

Joined: 2003-12-22
Posts: 25966
Posted: Thu, 2009-09-03 13:25
Quote:
-many many many one click hosters have good non-flash upload forms with status information (status bar, estimated times, speed per second, etc.)

If they are open source please post some examples, so we can have a look.

Please file feature requests for your other requests.

Dave
_____________________________________________
Blog & G2 || floridave - Gallery Team

 
halu

Joined: 2009-09-09
Posts: 1
Posted: Wed, 2009-09-09 15:36

I can reproduce some of the above-mentioned problems, though I do not totally grasp what's causing them: I'm running the latest Gallery download (from today) and using Firefox 3.5 on a restricted area of my site (say www.blabla.com/restricted). The gallery3 dir is in the restricted dir, installation/setup went all smooth. However, when trying to upload photos, an IE8 popup comes straight up after selecting the photos. When I authenticate, Firefox crashes :| However: when using IE8 it works all smooth! So the problem is not really related to the httpauth but to the authentication handling by the flash uploader, which should be fixable I think (and hope!:))

If anyone has any suggestions/tips I could try to get it running fine in FF, I'm ready to test and see what happens :)

 
cakruege

Joined: 2009-08-31
Posts: 6
Posted: Wed, 2009-09-09 16:40

I don't think it's fixable. The problem is that the flash plugin uses IE.
Even if Firefox doesn't crash it's annoying to double enter the password.
Flash as the only upload mechanism is bad.

 
floridave

Joined: 2003-12-22
Posts: 25966
Posted: Wed, 2009-09-09 23:52
Quote:
Flash as the only upload mechanism is bad.

It is not the only way to add items, there is the server add module as well.
We are working on others. Only so much can be done with the little volunteer resources we have.

Dave
_____________________________________________
Blog & G2 || floridave - Gallery Team

 
floridave

Joined: 2003-12-22
Posts: 25966
Posted: Thu, 2009-09-10 00:15

Oh, I see you have a ticket already:
http://sourceforge.net/apps/trac/gallery/ticket/703

Dave
_____________________________________________
Blog & G2 || floridave - Gallery Team

 
floridave

Joined: 2003-12-22
Posts: 25966
Posted: Thu, 2009-09-10 03:09

Created an enhancement request:
http://sourceforge.net/apps/trac/gallery/ticket/738

Dave
_____________________________________________
Blog & G2 || floridave - Gallery Team