• hexley

    (@hexley)


    As far as I can tell, file uploads in 2.5 are problematic to many people still, based on the comments I read here. I posted a far too verbose question on the matter, and it got no traction, so I wanted to sum it up here, in hopes we can find out what is going on.

    There are all these suggestions, some work for a few, others work for a few others. Everyone is stabbing at this in a random way, yet the code can tell us just what is going on. I just can not understand how to get the code to debug in a way that is helpful. Should I post a question to the bug database?

    My summary:
    Is it a good idea to disable mod_security on a site, or even on a specific file? If your host has mod_security on, it is more than likely on for a good reason. Now we have a publicly known file that is excluded from your host's security measures. Everyone blindly toggles this off, just to get images to upload; I am yet to see anyone explain what repercussions this may have. I think I know why it is bad; I personally would not turn mod_security off.

    When I make a failed upload, I see this in my Apache log:
    example.com ip.add.re.ss - - [02/Apr/2008:04:26:15 -0700] "POST /wp-admin/async-upload.php HTTP/1.1" 401 477 "-" "Adobe Flash Player

    For me, I know what that means, and just have to remove http auth security to get past that, but I do not want to. The http auth’d headers should be being passed to the flash player. I posted a bug in the bug tracker, it was slated as low priority future dot release.

    This can be debugged, there is a means to do it, I need a dev to explain the file tree a bit to me so I can write a post on how to debug more verbosely than “HTTP error”. It seems very silly to me for users to randomly stab at this problem, when we could tackle it in a very specific way and solve it.

    Setting define('WP_DEBUG', true); in config does nothing to tell me more about "HTTP error." or "An error occurred in the upload. Please try again later."

    Digging into the code, I see wp-includes/script-loader.php is where the “HTTP error.” comes from. That blows horns, does not tell me anything, vague.

    Here is the comment above the error line in the above file:
    // these error messages came from the sample swfupload js, they might need changing.

    This looks promising:
    this.addSetting("debug_enabled", init_settings.debug, false);
    it is in upload.js

    I think this boils down to the devs have used the over-ride feature to send out their own error messages from swfupload.js, and it was not thorough.

    It is a guessing game now, the flash uploader source has the means for a full debug console in screen, how do you turn it on?

    There is a great debug system in the flash javascript upload interface. So rather than getting this generic HTTP error that is part of a case statement that grabs any number of possible errors, I could potentially see the real error.

    In my case, I bet it would say http 401 or something to that effect. Others may get a write permissions error, others something else. Either way, they get something that is not part of this guessing game.

    Can someone who knows the code a bit better than me tell me where I need to go to get a little assistance on how to get verbose debugging messages. I tried a few echos and doc.writes, but those all seem to get suppressed somehow.

    Final thoughts:
    * Am I way out of line in thought here…
    We have a .swf made to accept input and do media uploads. It is not possible to secure that file via WordPress; I can go to any WP 2.5 install and hit that URL:
    http://example.com/wp-includes/js/swfupload/swfupload_f9.swf
    I also know the entire source of the JS that runs it.

    I think the next logical step would be to exploit this, and pump GB of images into users' web storage areas. I hope I am wrong, but so far, that is what I am getting out of this.
    My original long post is here:
    http://wordpress.org/support/topic/165565?replies=1#post-721499
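
Added example, not part of hexley's post or of WordPress: a small Python triage script that does for a whole access log what the post does by eye for one line, listing failed POSTs to /wp-admin/async-upload.php by HTTP status instead of relying on the uploader's generic "HTTP error". The log lines are constructed in the vhost-prefixed format the post quotes, and the function names and hint texts are this example's own assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in the vhost-prefixed combined format quoted in the post.
SAMPLE_LOG = """\
example.com 192.0.2.10 - - [02/Apr/2008:04:26:15 -0700] "POST /wp-admin/async-upload.php HTTP/1.1" 401 477 "-" "constructed-agent"
example.com 192.0.2.10 - - [02/Apr/2008:04:27:02 -0700] "POST /wp-admin/async-upload.php HTTP/1.1" 200 512 "-" "constructed-agent"
example.com 192.0.2.44 - - [02/Apr/2008:04:30:41 -0700] "POST /wp-admin/async-upload.php?x=1 HTTP/1.1" 403 301 "-" "constructed-agent"
example.com 192.0.2.44 - - [02/Apr/2008:04:31:00 -0700] "GET /wp-includes/js/swfupload/swfupload_f9.swf HTTP/1.1" 200 9000 "-" "constructed-agent"
this line is not in access-log format
"""

UPLOAD_PATH = "/wp-admin/async-upload.php"
LINE_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Starting points only (assumed wording); the server error log has the real cause.
HINTS = {
    401: "HTTP auth challenge: the upload request carried no credentials",
    403: "forbidden: server access rule or WAF (mod_security denies with 403 by default)",
}

def failed_uploads(log_text):
    """Return (Counter status->count, [(timestamp, ip, status)]) for failed upload POSTs."""
    counts, events = Counter(), []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue  # skip unparseable lines and non-upload methods
        if m["path"].split("?", 1)[0] != UPLOAD_PATH:
            continue  # compare the path without its query string
        status = int(m["status"])
        if status >= 400:
            counts[status] += 1
            events.append((m["ts"], m["ip"], status))
    return counts, events

def explain(status):
    return HINTS.get(status, "unclassified: check the error log at this timestamp")

if __name__ == "__main__":
    counts, _ = failed_uploads(SAMPLE_LOG)
    for status, n in sorted(counts.items()):
        print(f"{status} x{n}: {explain(status)}")
```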

  • The topic ‘File upload errors, can we figure this out, admins and devs please read’ is closed to new replies.