Hey,
I’m 99% sure this is happening because the quote in the file name is triggering a rule in PHP’s mod_security module – and that it will be happening in standard Gravity Forms upload fields.
I actually noticed I have the same issue on my demo site.
You might need to disable mod_security — you would need to for it to work with the standard GF upload field. I’m just not sure what level of risk doing this is.
I’ll have a bit of a play and see if I can get the plugin to strip the quotes out before uploading to the server. Might help.
Hey,
So there doesn’t appear to be the ability to rename files before they’re sent to the server – which means we can’t remove the quotes that are triggering mod_security.
If you still have a Gravity Forms license I suggest you check if the same issue is happening for the standard file upload fields and contact them. I would assume they have a standard advice on how to disable mod_security and whether or not it’s a good idea.
If you’re feeling confident, this is what I’ve used to disable mod_security to allow files with a quote in the file name.
You place this at the start of your .htaccess file on the web server (so you’ll need access to the files on the server, e.g. FTP or cpanel access)
<IfModule mod_security.c>
SecFilterEngine Off
SecFilterScanPOST Off
</IfModule>
What I can do is have a quick play to see if I can detect when mod_security is enabled and stop uploads with quotes on them. That way we can show a useful error message to the form user. E.g. “Error: file name contains a quote. Please rename file to remove ‘ and try again”
OK – even detecting if mod_security is enabled is unreliable. The only reliable way is onerous on the server and would not be a good idea.
What I will do is add a setting in the Forms -> Settings -> Ajax Upload menu to allow an error message and stop the upload if the file name contains a quote.
Not a bad compromise considering with the standard Gravity Forms field it just fails to work … which likely leads to the loss of any other information put in the form.
Thread Starter
usflrt
(@usflrt)
Thank you! Yes, Gravity Forms wiped their hands of it and offered no help with regards to stopping uploads, writing warnings, or renaming files before upload. My host offered to whitelist the mod_security rule, but I decided to leave it as is and include in the form a warning not to include those characters in a file for upload.
All that is to say that, yes, if you can build this error message and stop the upload of a file with a quote that will be not a bad compromise at all. I appreciate you taking the time to look into it and find a solution.
Hey,
I just want to confirm you got the update and instead of getting a worthless server error message, you now get a meaningful error message.