Inline images breaks glpi app and even makes debugging troublesome #16309

Closed
2 tasks done
valentindragan opened this issue Jan 5, 2024 · 1 comment

valentindragan commented Jan 5, 2024

Code of Conduct

  • I agree to follow this project's Code of Conduct

Is there an existing issue for this?

  • I have searched the existing issues

Version

10.3.335

Bug description

The way the inline attachment feature is created leaves room for the entire application to break.
One user uploaded a 2.18MB JFIF image, resolution 4600x3600, using the inline drag and drop attachment feature.
Hence the Tickets page, with "process(assigned)" selected, was not responding anymore, as the ajax page requesting the results was crashing due to maximum execution time exceeded.
Even my MySQL client was not easy to use for debugging, because the result of the query select id, content from glpi_tickets where id = {ticketId} was 12MB because of the created blob. Every time I ran a query to find the oversized row, I had to open another tab, because the last one was not responding anymore.

content_2.txt

Relevant log output

[Fri Jan 05 11:24:24.467989 2024] [proxy_fcgi:error] [pid 1946752:tid 140535876540160] (70007)The timeout specified has expired: [client 172.31.252.96:64540] AH01075: Error dispatching request to : (polling), referer: https://myapp/front/ticket.php?is_deleted=0&as_map=0&browse=0&criteria%5B0%5D%5Blink%5D=AND&criteria%5B0%5D%5Bfield%5D=12&criteria%5B0%5D%5Bsearchtype%5D=equals&criteria%5B0%5D%5Bvalue%5D=2&itemtype=Ticket&start=0&_glpi_csrf_token=328b7cde1fb5db58c40ad8e9a65e124a1a77d0ae2f2c0d082dcb002d051dc8d9&sort%5B%5D=19&order%5B%5D=DESC

Page URL

/front/ticket.php

Steps To reproduce

  1. Save the attached ticket.content to a ticket.
  2. Execute a search that includes that ticket.
  3. The response will be very slow or the application will crash.

Your GLPI setup information

Operating system: Linux ............. 4.18.0-477.21.1.el8_8.x86_64 #1 SMP Thu Jul 20 08:38:27 EDT 2023 x86_64
PHP 7.4.33 fpm-fcgi (Core, PDO, Phar, Reflection, SPL, SimpleXML, Zend OPcache, bz2, calendar, cgi-fcgi, ctype, curl, date, dom,
exif, fileinfo, filter, ftp, gd, gettext, hash, iconv, intl, json, ldap, libxml, mbstring, mysqli, mysqlnd, openssl, pcre,
pdo_mysql, pdo_sqlite, posix, session, shmop, sockets, sqlite3, standard, sysvmsg, sysvsem, sysvshm, tokenizer, xml, xmlreader,
xmlwriter, xsl, zip, zlib)
Setup: max_execution_time="600" memory_limit="512M" post_max_size="64M" safe_mode="" session.save_handler="files"
upload_max_filesize="10M"
Software: Apache/2.4.37 (Red Hat Enterprise Linux) OpenSSL/1.1.1k mod_auth_gssapi/1.6.1 ()
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
Server Software: MariaDB Server
Server Version: 10.3.35-MariaDB-log
Server SQL Mode: STRICT_TRANS_TABLES,ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION
Parameters: glpi_myapp@localhost/glpi_myapp
Host info: Localhost via UNIX socket

PHP version (7.4.33) is supported.
Sessions configuration is OK.
Allocated memory is sufficient.
mysqli extension is installed.
Following extensions are installed: dom, fileinfo, json, simplexml.
curl extension is installed.
gd extension is installed.
intl extension is installed.
libxml extension is installed.
zlib extension is installed.
The constant SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_NPUBBYTES is present.
Database engine version (10.3.35) is supported.
No files from previous GLPI version detected.
The log file has been created successfully.
Write access to /var/www/html/glpi-myapp/backend/files/_cache has been validated.
Write access to /var/www/html/glpi-myapp/backend/config has been validated.
Write access to /var/www/html/glpi-myapp/backend/files/_cron has been validated.
Write access to /var/www/html/glpi-myapp/backend/files has been validated.
Write access to /var/www/html/glpi-myapp/backend/files/_dumps has been validated.
Write access to /var/www/html/glpi-myapp/backend/files/_graphs has been validated.
Write access to /var/www/html/glpi-myapp/backend/files/_lock has been validated.
Write access to /var/www/html/glpi-myapp/backend/files/_pictures has been validated.
Write access to /var/www/html/glpi-myapp/backend/files/_plugins has been validated.
Write access to /var/www/html/glpi-myapp/backend/files/_rss has been validated.
Write access to /var/www/html/glpi-myapp/backend/files/_sessions has been validated.
Write access to /var/www/html/glpi-myapp/backend/files/_tmp has been validated.
Write access to /var/www/html/glpi-myapp/backend/files/_uploads has been validated.
For security reasons, SELinux mode should be Enforcing.
PHP 7.4 official support has ended. An upgrade to a more recent PHP version is recommended.
Web server root directory configuration seems safe.
Sessions configuration is secured.
OS and PHP are relying on 64 bits integers.
exif extension is installed.
ldap extension is installed.
openssl extension is installed.
Following extensions are installed: bz2, Phar, zip.
Zend OPcache extension is installed.
Following extensions are installed: ctype, iconv, mbstring.
Following extensions are not present: sodium.
Write access to /var/www/html/glpi-myapp/backend/marketplace has been validated.
Timezones seems loaded in database.

Anything else?

This feature caused us problems more than once and I did not manage to find a setting for resizing images before upload, or even stopping the inline attachment feature altogether.

  • images should be automatically resized before being inline attached
  • or the inline attachment should just be referenced in the content field, and save the image somewhere else (quite like the git editor I am adding this bug on).
  • there should be a setting for stopping the inline upload feature altogether

@cedric-anne (Member)

> or the inline attachment should just be referenced in the content field, and save the image somewhere else (quite like the git editor I am adding this bug on).

This is what is supposed to be done, but with big images, the extraction of image blob into a dedicated document file may fail. To prevent this, you could change the pcre.backtrack_limit to increase it.

This issue will be fixed in GLPI 10.1, but existing tickets will not be fixed as it is nearly impossible to do it automatically.

See #13606 for more details.

cedric-anne closed this as not planned on Jan 8, 2024
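
An added audit sketch, not GLPI code and not from either participant: since existing tickets keep their embedded blobs, this scans (id, content) rows like those of the glpi_tickets query in the report for inline base64 images and flags oversized ones, using a linear string scan instead of a regex so no backtrack limit applies. The function names, the 100 kB threshold and the sample rows are assumptions constructed for illustration.

```python
import string

B64_CHARS = frozenset(string.ascii_letters + string.digits + "+/=")
MARKER = "data:image/"
SEP = ";base64,"

def find_inline_images(content, max_bytes=100_000):
    """Return (offset, mime, decoded_bytes, oversized) per inline base64 image.

    Uses str.find and one forward pass over each payload, so the cost is linear
    in len(content) and no regex backtracking limit is involved.
    """
    hits = []
    pos = content.find(MARKER)
    while pos != -1:
        sep = content.find(SEP, pos, pos + 64)  # the MIME type is short
        if sep == -1:  # not a base64 data URI (e.g. plain-text SVG): skip it
            pos = content.find(MARKER, pos + len(MARKER))
            continue
        start = end = sep + len(SEP)
        while end < len(content) and content[end] in B64_CHARS:
            end += 1  # stops at a quote, the '&' of an HTML entity, '<', space
        padding = 0
        while padding < 2 and end - padding > start and content[end - padding - 1] == "=":
            padding += 1
        decoded = max((end - start) * 3 // 4 - padding, 0)
        hits.append((pos, content[pos + 5:sep], decoded, decoded > max_bytes))
        pos = content.find(MARKER, end)
    return hits

def oversized_tickets(rows, max_bytes=100_000):
    """rows: iterable of (id, content) pairs; returns ids holding an oversized image."""
    return [tid for tid, content in rows
            if any(h[3] for h in find_inline_images(content, max_bytes))]

# Constructed sample rows, not data from the report.
SAMPLE_ROWS = [
    (1, '<p>small</p><img src="data:image/png;base64,' + "A" * 8 + '" />'),
    (2, '<img src=&quot;data:image/jpeg;base64,/9j/' + "A" * 200_000 + '&quot;>'),
    (3, "<p>no image, only the text data:image/ in a sentence</p>"),
]

if __name__ == "__main__":
    print(oversized_tickets(SAMPLE_ROWS))
```

On a live database, pre-filter candidate ids by LENGTH(content) in SQL so the client never has to render the blob, then pass only those rows to oversized_tickets.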