See berthubert/trifecta#38

When content is uploaded that contains embedded scripts, those scripts should be prevented to execute.

The web protocol that's used is hardcoded to http. This should be configurable.

If a request for slots is made using the syntax introduced in version 0.3.0 of the XEP, then the result should use the same syntax.

In Openfire, it is desirable to have a 'cluster-aware' slot manager. See igniterealtime/openfire-httpFileUpload-plugin#39

To facilitate this, the implementation of SlotManager needs to become configurable.

When i try send file the serve response this
org.jivesoftware.smack.SmackException: No upload service specified and also none discovered.

When a file is being uploaded, an optional content type is provided.

The implementation needs to persist this data for later use, as Java cannot reliably detect the content type of file.

Some methods defined in interfaces have throw statements that are not used. They should be removed.

The version of Google's Guava library that is used has associated security vulnerability reports. It should be updated.

The default maximum file size is currently 5MB (and configurable, see #5 ). This appears to introduce issues for many user, which isn't to far-fetched, realizing that a photo snapped with an up-to-date phone can easily be several megabytes. The default should be raised.

Files that are uploaded by clients should be scanned (for viruses, malware, etc).

One idea is to provide an integration with a virus scanner, such as the open source ClamAV scanner.

Hi !

I need some clarifications :)

A short summary of my settings:

• 2 Openfire servers running into 2 differents domains;
• 2 Converse.js clients running at each extremities.
  That gives:
  Client 1 (converse.js) <-> [email protected] <-> [email protected] <-> Client 2 (converse.js)
  Everything works fine (chat, group chat, HTTP-upload thx to the dedicated plug-in).

For some reasons, I would like to use distinct ports for Chat and HTTP-upload.
I noticed that I could configure the HTTP-upload plug-in using the properties below:

• plugin.httpfileupload.announcedWebHost -> DNS name of the local Openfire server
• plugin.httpfileupload.announcedWebPort -> 7444 (port different from 7443)
  The new port is taken into account by the attempt of transfer (could see that in Openfire logs), unfortunately the port is not actually opened on Openfire host :(
  Is this the expected behaviour ?

I tried to use an Nginx as external Web server (running on another machine).
But I noticed that some dependencies from Jetty are somehow hardcoded in the source code of the httpfileuploadcomponent.
In addition, when trying to upload files from Converse.js, the intermediate UUID sub-folder (in the upload path) is not created in the target web context root folder 'httpfileupload' hosted by the Nginx server.
My understanding is that I can't run another Web server than Jetty, the one embedded into Openfire server. No chance to run another type of Web server as Nginx, and on another server than Openfire.
Do you confirm ?

Many many thx for your clarification.
KR
ErwanF

Various dependencies have seen new releases. As a matter of maintenance, this project should apply the updates.

The file-based repositories will automatically start deleting old files, when the amount of space used by the repository grows over a certain threshold.

This threshold should be configurable, as should it be possible to disable this functionality completely.

When running on a different domain than the domain that's hosting the client (eg: a HTTP-based XMPP client), then CORS headers are needed to make the browser understand that the service can be used by the client.

For starters, lets add a flag that simply adds a wildcard CORS header, allowing all access. Future improvements could include domain-specific settings.

I wonder, how to use this component with Openfire server.
When I read the plugin description in admin console it seems that everything should work without my interference. But it doesn't.

I installed openfire plugin "Http file upload" and can't see any changes in admin console except one new row about installed plugin. No new ports in server information no new records in external components.
I also don't see any new listening sockets in netstat.

I'm trying to send a file from Psi+ to Conversations.
In XML console I see this:

<iq from='[email protected]' id='aae6a' to='httpfileupload.koshka.ddns.net' type='get'><request xmlns='urn:xmpp:http:upload'><filename>DSC03184.jpg</filename><size>796982</size><content-type>image/jpeg</content-type></request></iq>

<iq id="aae6a" from="httpfileupload.koshka.ddns.net" type="result" to="[email protected]/Psi+">
<slot xmlns="urn:xmpp:http:upload">
<put>https://koshka.ddns.net:7443/httpfileupload/b80a76af-7b32-4393-9a3d-cc42cb7f9751/DSC03184.jpg</put>
<get>https://koshka.ddns.net:7443/httpfileupload/b80a76af-7b32-4393-9a3d-cc42cb7f9751/DSC03184.jpg</get>
</slot>
</iq>

After which I get message "Upload failed connection refused". Perhaps it means that nobody is listening port 7443. Why?
And why 7443? I didn't see this number anywhere.
Why the plugin works to invite client to send file but doesn't work to actually receive it?

Or maybe description inside Openfire is misleading and I should use the way described here: run as a separate service and manually registering it as a external component in Openfire?

Allow for files to expire and be purged after some kind of configurable interval.

The Maven project description defines that the project uses Java 1.7, but code is used that got introduced in Java 8. The easiest solution for this is to update the Maven project description to match the implementation.

Hi Guus,
your plugin makes image transfer with openfire a real pleasure. I was using for more than 5 years standard slow p2p transfer cause I was absolutely unaware about the XEP-363 implementation.

I got an Issue I don't really know if it is caused by the httpfileupload-plugin espcially the used Jetty-Webserver or my used windows jabber client (gajim with urlimagepreviewplugin).
The problem is that gajim can't show a preview of a picture/image sent with httpfileupload because the image preview plugin can't get the mime-type from the Jetty Webserver. So when sending an image (for example with conversations to gajim), I only get a link to the server (https://mydomain.tld:7443/http-bind/.....jpg) instead of a preview of that image.

When I try to "curl -I" the link of the Image I only get :
HTTP/1.1 200 OK Date: Thu, 14 Mar 2019 07:47:27 GMT Cache-Control: max-age=31536000 ETag: 1530580421 Content-Length: 149726 Server: Jetty(9.4.12.v20180830)
So the mime type is missing.
I am using your plugin integrated in Openfire. So I don't know if it is caused by an old Jetty Version or may be just a configuration issue.
Thanks for the info.

Hi,

there is a hardcoded maximum of uploaded files at 5 MB.
It is possible to make this value changeable or set it fix at 30 or 50 MB?

That would be great... ;-)
Greetz...

The component should get functionality that allows it to store uploaded content permanently on the file system.

Openfire version 4.2.3

A User of Gajim reported he gets from his server a PUT URL like this:

https://server.server/sLFKK-HZYGyjjIH1/подборка.txt

i cant upload to a URL like that with python

And some other nice people told me that URLs sent from server should be encoded

Hi and thank you for your great plugin
i have problem starting this
when i start i get exception:
[main] INFO nl.goodbytes.xmpp.xep0363.Launcher - Public address(es):
[main] INFO nl.goodbytes.xmpp.xep0363.Launcher - * xxx.xxx.xxx.xxx
[main] INFO nl.goodbytes.xmpp.xep0363.Launcher - *
[main] INFO nl.goodbytes.xmpp.xep0363.Launcher - Starting external component with endpoint http://xxx.xxx.xxx.xxx:12121
[main] INFO nl.goodbytes.xmpp.xep0363.Launcher - maxFileSize: 52428800
[main] INFO nl.goodbytes.xmpp.xep0363.Launcher - Starting repository...
[main] INFO nl.goodbytes.xmpp.xep0363.repository.AbstractFileSystemRepository - Initialized repository in: C:\Users\ADMINI~1\AppData\Local\Temp\2\xmppfileupload5004533732279233748
[main] INFO nl.goodbytes.xmpp.xep0363.Launcher - Starting webserver...
[main] INFO org.eclipse.jetty.util.log - Logging to org.slf4j.impl.SimpleLogger(org.eclipse.jetty.util.log) via org.eclipse.jetty.util.log.Slf4jLog
[main] INFO org.eclipse.jetty.util.log - jetty-1.2.0
[main] INFO org.eclipse.jetty.util.log - Started [email protected]:12121
[main] INFO nl.goodbytes.xmpp.xep0363.Launcher - Webserver started at xxx.xxx.xxx.xxx:12121
[main] ERROR nl.goodbytes.xmpp.xep0363.Launcher - An unexpected exception occurred!
org.xmpp.component.ComponentException: internal-server-error
at org.jivesoftware.whack.ExternalComponent.connect(ExternalComponent.java:219)
at org.jivesoftware.whack.ExternalComponentManager.addComponent(ExternalComponentManager.java:221)
at org.jivesoftware.whack.ExternalComponentManager.addComponent(ExternalComponentManager.java:201)
at nl.goodbytes.xmpp.xep0363.Launcher.start(Launcher.java:345)
at nl.goodbytes.xmpp.xep0363.Launcher.main(Launcher.java:232)
[Shutdown] INFO org.eclipse.jetty.util.log - Shutdown hook executing

Hi! Is there any way to remove file uploaded by this plugin using API ?

To be able to manage slots in a cluster-aware cache in Openfire, the content of that cache needs to implement Serializable.

Disco-info responses should include the maximum allowed file size. It currently includes the appropriate element, but fails to include the actual value:

<x xmlns="jabber:x:data" type="result">
  <field var="FORM_TYPE" type="hidden">
    <value>urn:xmpp:http:upload:0</value>
  </field>
  <field var="max-file-size"/>
</x>

The code currently uses UUID identifiers to refer to uploads. UUIDs were chosen as they have two qualities:

• They're unique, preventing duplicates
• They are random (and therefore used to prevent people from guessing a value)

It seems that the last part might is not necessarily provide as much security as that was assumed when creating this code. UUID's implementation does not add that much randomness into its value. See https://neilmadden.blog/2018/08/30/moving-away-from-uuids/

It should be considered to replace (or augment) the usage of UUID to improve the security aspect of things. Care should be taken to not compromise the uniqueness-aspect of the identifier that's used.

The component launches a web server to handle the HTTP requests. This server, by default, is active on the root context of the webserver (eg: http://example.org/). It should be possible to set an alternative context root value (eg: http://example.org/alternative/) for either the context used on the webserver itself, or the announced address (which would benefit reverse proxy configuration), or both.

When we set --announcedWebProtocol parameter to https, how we can configure jetty server to support ssl?

When I request a solt to upload the file, its returning slot download and upload uri with port.
I have done proxy-path config for those ports because I dont want to expose those ports to public,
But getSlot method returning with ports.

Please see the response object below

{
"type": "slot",
"download": "**https://communicationqa.dhi-edu.com:**7443**/**httpfileupload/ZmbOvMB8HQI5Bjfzp1W5MzFmQ0Y/018902.pdf",
"upload": {
"url": "**https://communicationqa.dhi-edu.com:7443**/httpfileupload/ZmbOvMB8HQI5Bjfzp1W5MzFmQ0Y/018902.pdf"
}
}

Please help how to avoid ports as part of download and upload uri

When I try to upload the file using put method, it is throwing the bellow exception

2024.01.09 15:57:05 INFO [Jetty-QTP-BOSH-1115]: nl.goodbytes.xmpp.xep0363.Servlet - Processing PUT request... (127.0.0.1 submitting to /httpfileupload/HSOuN8Kx-9C1qlzkpxFlx_AY8Kc/Screenshot%202023-12-30%20at%2010-25-04%20DataEntryPortal.png)

2024.01.09 15:57:05 INFO [Jetty-QTP-BOSH-1115]: nl.goodbytes.xmpp.xep0363.Servlet - ... responded with BAD_REQUEST. Content length in request (2) does not correspond with slot size (213592).

Hello,

Can you please share the xmpp server configuration in order to run this project successfully?

In version 1.6.0, an optional malware scanner can be configured.

If this is not configured, then the launcher throws this NullPointerException upon startup:

[main] INFO nl.goodbytes.xmpp.xep0363.Launcher - Starting malware scanner...
[main] ERROR nl.goodbytes.xmpp.xep0363.Launcher - An unexpected exception occurred!
java.lang.NullPointerException: Cannot invoke "nl.goodbytes.xmpp.xep0363.MalwareScanner.initialize()" because "this.malwareScanner" is null
	at nl.goodbytes.xmpp.xep0363.MalwareScannerManager.initialize(MalwareScannerManager.java:45)
	at nl.goodbytes.xmpp.xep0363.Launcher.start(Launcher.java:406)
	at nl.goodbytes.xmpp.xep0363.Launcher.main(Launcher.java:306)