Your attachment has failed security checks and cannot be uploaded

Started by badon, March 02, 2016, 07:52:35 AM

badon

This is still a problem in the year 2016:

https://forum.coincompendium.com/index.php?topic=4513.msg20221#msg20221

Technology marches on, but we still can't rely on SMF for images. Maybe someone can explain how to gut the code to remove these security checks manually?

Suki

Regardless of the year, security measures still need to be applied.

There is a setting to disable extensive checks, do you have that setting on or off?

If you have that setting off and your images are still being blocked then we will have to see that image, perhaps upload it to an external image hosting site for us to take a look at it.

Disclaimer: unless otherwise stated, all my posts are personal and does not represent any views or opinions held by Simple Machines.

badon


Suki

I've checked your images and both of your files contain the opening PHP tag: <? which is why the extensive security check returns false. The extensive security check explicitly looks for PHP and/or ASP tags.

Could be a false positive, but I find it weird that both formats have it exactly two times each.


Anyway, the "normal check" does return true since it doesn't check for PHP tags, so make sure you do have the extensive check turned off and clean your forum's cache. Also, make sure that the call to checkImageContents() respects the $modSetting entry for extensive checks.

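The kind of check Suki describes above, written out as an added illustration (this is example code, not SMF's own checkImageContents()): validate the image header, then search the raw bytes for markup tags, with an extensive switch that additionally looks for the PHP and ASP open tags. The pattern lists, the labels and the sample files are constructed for this example and are assumptions, not SMF's actual regexes. The PNG sample stands in for a real file whose compressed data happens to contain "<?" twice, which reproduces the false positive from this thread: the extensive check fails it, the normal check passes it.

```python
import re
from typing import Dict, Optional, NamedTuple, Tuple

# Constructed, illustrative pattern sets (assumed for this example; not SMF's own regexes).
# "normal" looks for HTML-ish markup only; "extensive" adds the PHP and ASP open tags.
NORMAL_PATTERNS: Dict[str, bytes] = {
    "script": rb"<script\W",
    "iframe": rb"<iframe",
    "html": rb"<html",
    "body": rb"<body",
}
EXTENSIVE_PATTERNS: Dict[str, bytes] = {
    **NORMAL_PATTERNS,
    "php-open": rb"<\?",   # "<?" -- only two bytes, so it occurs by chance in binary data
    "asp-open": rb"<%",
}

# Magic-number prefixes for the formats this example accepts.
MAGIC: Tuple[Tuple[bytes, str], ...] = (
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
)


class CheckResult(NamedTuple):
    ok: bool                               # True when the file is accepted
    kind: Optional[str]                    # detected image type, None if not an image
    hits: Tuple[Tuple[int, str], ...]      # (byte offset, pattern label) for every match


def image_type(data: bytes) -> Optional[str]:
    """Return the image type from the leading magic bytes, or None."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return None


def find_tags(data: bytes, patterns: Dict[str, bytes]) -> Tuple[Tuple[int, str], ...]:
    """Scan the whole byte string for every pattern, case-insensitively."""
    hits = []
    for label, pat in patterns.items():
        for m in re.finditer(pat, data, re.IGNORECASE):
            hits.append((m.start(), label))
    return tuple(sorted(hits))


def check_image(data: bytes, extensive: bool) -> CheckResult:
    """Accept only known image types whose bytes contain none of the chosen patterns."""
    kind = image_type(data)
    if kind is None:
        return CheckResult(False, None, ())
    hits = find_tags(data, EXTENSIVE_PATTERNS if extensive else NORMAL_PATTERNS)
    return CheckResult(not hits, kind, hits)


# Constructed samples. The PNG's IDAT payload is arbitrary bytes standing in for compressed
# pixel data; by coincidence it contains "<?" twice, the situation described in this thread.
PNG_WITH_COINCIDENTAL_TAG = (
    b"\x89PNG\r\n\x1a\n"
    + b"\x00\x00\x00\rIHDR\x00\x00\x00\x10\x00\x00\x00\x10\x08\x06\x00\x00\x00\x1f\xf3\xffa"
    + b"\x00\x00\x00\x20IDAT"
    + b"x\x9c\x63<?\xf8\x0f\x00\x02\x8b\x01\x7f<?\xa1"
    + b"\x00\x00\x00\x00IEND\xaeB`\x82"
)
# A GIF with a PHP open tag appended after the trailer: the case the extensive check is for.
GIF_WITH_PHP = b"GIF89a\x01\x00\x01\x00\x00\x00\x00;" + b"<?php echo 'hello'; ?>"
# A JPEG whose comment segment carries HTML markup: fails even the normal check.
JPEG_WITH_SCRIPT = b"\xff\xd8\xff\xfe\x00\x12<script>x</script>" + b"\xff\xd9"
# Not an image at all: rejected on the magic bytes before any pattern scan.
NOT_AN_IMAGE = b"<?php echo 1; ?>"


if __name__ == "__main__":
    for name, blob in [("png", PNG_WITH_COINCIDENTAL_TAG), ("gif", GIF_WITH_PHP),
                       ("jpeg", JPEG_WITH_SCRIPT), ("text", NOT_AN_IMAGE)]:
        for extensive in (True, False):
            print(name, "extensive" if extensive else "normal", check_image(blob, extensive))
```

Two things the sample run makes visible. First, "<?" is two bytes, so in compressed image data it turns up by chance roughly once per 64 KiB on average, which is why legitimate photos fail the extensive check; the PNG above fails extensive mode at offsets 44 and 53 and passes normal mode. Second, normal mode accepts the GIF with the PHP tag, which is the trade-off Suki's post describes. A byte-pattern blocklist is neither reliable nor the real control: an uploaded image can only run as code if the web server hands the attachment directory to a script handler, so keeping script execution off that directory matters more than the scan, and re-encoding an image (SMF's "Re-encode potentially dangerous image attachments" option) rewrites the pixel data so foreign bytes like these do not survive at all.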

badon

As you can see from my screenshot, extensive security checks are indeed turned off, and they always have been. I don't know what you're talking about with "make sure that the call to checkImageContents() respects the $modSetting entry for extensive checks" - if extensive checks are disabled, this seems irrelevant. Maybe you can tell me how to gut the "security checks" code? I'm pretty annoyed, and I don't care if it prevents some hypothetical attack. Making the forum unusable is unacceptable, and it has to go, as quickly as possible.

Suki



badon

Another file that fails security checks when security checks are disabled.


Suki

Need more info: what's your PHP version? What libraries do you have installed? Mods? Do you have the "Re-encode potentially dangerous image attachments" setting on?

badon

Quote from: Suki on October 03, 2016, 12:05:32 PM
Need more info: what's your PHP version? What libraries do you have installed? Mods? Do you have the "Re-encode potentially dangerous image attachments" setting on?

Re-encode is not enabled because we are preserving information and automatically modifying everything with degraded quality would be bad. I have attached screenshots of my forum mods installed, and my attachment settings. PHP version and Apache modules are below.

PHP Version 5.3.28

Installed modules:

core
http_core
mod_actions
mod_alias
mod_asis
mod_auth_basic
mod_auth_digest
mod_authn_alias
mod_authn_anon
mod_authn_dbm
mod_authn_default
mod_authn_file
mod_authz_dbm
mod_authz_default
mod_authz_groupfile
mod_authz_host
mod_authz_owner
mod_authz_user
mod_autoindex
mod_cache
mod_cern_meta
mod_cgi
mod_charset_lite
mod_dav
mod_dav_fs
mod_deflate
mod_dir
mod_disk_cache
mod_dumpio
mod_env
mod_expires
mod_file_cache
mod_filter
mod_headers
mod_imagemap
mod_include
mod_info
mod_log_config
mod_logio
mod_mime
mod_mime_magic
mod_negotiation
mod_php5
mod_reqtimeout
mod_rewrite
mod_setenvif
mod_so
mod_speling
mod_ssl
mod_status
mod_unique_id
mod_userdir
mod_usertrack
mod_version
mod_vhost_alias
prefork


badon

More files that allegedly fail security checks even though security checks are disabled.



badon

I just discovered a workaround for this bug that also isolates it. If post text is removed, the files will attach to the draft message successfully. Then add text, and post. I have been testing this workaround for about a week, and I have not encountered the bug. I just tested the workaround on a known problem-file, and it posted successfully.

badon

I also just discovered that when attaching multiple files, sometimes adding the text for the "final save" will trigger the bug. Then, when going back, the files will be a mess with duplicates and some of them unchecked. I check all of them, save WITHOUT TEXT, and only a few are still unchecked. Check those, save WITHOUT TEXT, and now all of the attachments are checked. Add text, save, and it works.

There is obviously something wrong in both the handling of the file attachments and some bizarre interaction between the attachments and the post text.

badon

I just noticed SMF is somehow duplicating files. Some of them are missing, and some of them are duplicated. Weird.

badon

A series of screenshots that shows the addition of post text triggers the bug, even though the files are already attached successfully when the post is made without post text (with an error message).

badon

I just went back and unchecked the last file and saved the post, then all the files disappeared. Did they time-out and get deleted?

Also, could this bug be related to some kind of bizarre permissions problem? I'm running this on FreeBSD, and we don't normally have any problems with uploading attachments. We have an SMF 1.x forum on the same server that doesn't have any problems.

I'm going to try reattaching the files, and then unchecking the last one to see what happens. I'm going to uncheck them one at a time and save the post with text to identify which file is the problem file in combination with that particular post text.

Illori

Are you using a drafts mod? If so, uninstall it and see if you can still duplicate the issue.