Make WordPress Core

Opened 14 years ago

Closed 14 years ago

Last modified 13 years ago

#10825 closed defect (bug) (wontfix)

Flash Uploader Breaks with HTTP Authentication

Reported by: selling's profile selling Owned by:
Milestone: Priority: normal
Severity: normal Version: 2.8.4
Component: Upload Keywords:
Focuses: Cc:


We have a fresh install of WordPress 2.8.4 (not an upgrade) and the flash based uploader fails with 'HTTP error' on the upload page in Firefox.

We do not use mod_security and I disabled all Firefox plugins I had installed as suggested by bug #10153 but the problem persists.

I found that the flash uploader fails with 'HTTP error' when HTTP basic authentication is enabled. The site that has this problem is a development site and we cannot remove authentication because the dev site is not legally approved for the general public.

For the record, here are the Firefox plugins I have installed:

Download Statusbar
Tamper Data
User Agent Switcher

Incidently, WordPress does work with the above Firefox plugins when HTTP authentication is disabled.

I'm using Firefox 3.0.14 (Linux) and Flash Firefox is configured to block pop-up windows; Javascript is not allowed to move/resize existing windows, raise/lower windows, hide the status bar, or change the status bar text; and not accept 3rd party cookies.

The installed WordPress plugins are Akismet version 2.2.6 and Dagon Design Import Users version 1.2.

Change History (6)

#1 @johnbillion
14 years ago

FYI the workaround for this is to change your .htaccess rules so that BasicAuth isn't used on requests that the Flash uploader makes. Details here:

#2 @hakre
14 years ago

But why doesn't the flash plugin support that? It should use the browser for doing the http requests, shouldn't it?

False: "The SWF tried to upload a file to a server that requires authentication (such as a user name and password). During upload, Flash Player does not provide a means for users to enter passwords." Flash CS3 (9.0) Documentation

So there is no way to integrate flash uploads with httpd auth properly. keep this in mind for security reasons.

This is a snippet for a .htaccess to exclude async-upload.php from requiering authentication:

# Exclude the file upload script from authentication
<FilesMatch "(async-upload\.php)$">
Satisfy Any
Order allow,deny
Allow from all
Deny from none

More information is available in the link posted by johnbillion.

#3 @hakre
14 years ago

  • Resolution set to wontfix
  • Status changed from new to closed

#4 @Denis-de-Bernardy
14 years ago

  • Milestone Unassigned deleted

#5 @hakre
13 years ago

In conjunction with HTTPS you can run into additional problems with the flash uploader because of certificates.

#6 @hakre
13 years ago

Slightly Related: #14648

Note: See TracTickets for help on using tickets.