Advertisement:

Author Topic: Your attachment has failed security checks and cannot be uploaded  (Read 5871 times)

Offline badon

  • Jr. Member
  • **
  • Posts: 172
This is still a problem in the year 2016:

https://forum.coincompendium.com/index.php?topic=4513.msg20221#msg20221

Technology marches on, but we still can't rely on SMF for images. Maybe someone can explain how to gut the code to remove these security checks manually?

Offline Suki

  • SMF Super Hero
  • *******
  • Posts: 14,961
  • Kaizoku Jotei
    • SMF mods
Re:Your attachment has failed security checks and cannot be uploaded
« Reply #1 on: March 02, 2016, 11:00:22 AM »
Regardless of the year, security measures still need to be applied.

There is a setting to disable extensive checks, do you have that setting on or off?

If you have that setting off and your images are still being blocked then we will have to see that image, perhaps upload it to an external image hosting site for us to take a look at it.

But now you make me feel so ashamed
Because I've only got two hands
Well, I'm still fond of you, oh-ho-oh

Offline badon

  • Jr. Member
  • **
  • Posts: 172
Re:Your attachment has failed security checks and cannot be uploaded
« Reply #2 on: March 07, 2016, 01:05:13 AM »
Suki, here are 2 different formats of the same image that I was unable to attach to my post:

https://forum.coincompendium.com/index.php?topic=4562.msg20111#msg20111

Offline Suki

  • SMF Super Hero
  • *******
  • Posts: 14,961
  • Kaizoku Jotei
    • SMF mods
Re:Your attachment has failed security checks and cannot be uploaded
« Reply #3 on: March 07, 2016, 11:03:16 AM »
I've checked your images and both of your files contains the opening php tag:  <?  which is why the extensive security check returns false.   The extensive security check explicitly looks for php and/or asp tags.

Could be a false positive but I find it weird that both formats has it exactly two times each.


Anyway, the "normal check" does return true since it doesn't check for php tags, make sure you do have the extensive check turned off and clean your forums cache. Also,make sure that the call to checkImageContents() respects the $modSetting entry for extensive checks.

But now you make me feel so ashamed
Because I've only got two hands
Well, I'm still fond of you, oh-ho-oh

Offline badon

  • Jr. Member
  • **
  • Posts: 172
Re:Your attachment has failed security checks and cannot be uploaded
« Reply #4 on: March 08, 2016, 08:47:15 PM »
As you can see from my screenshot, extensive security checks are indeed turned off, and they always have been. I don't know what you're talking about with "make sure that the call to checkImageContents() respects the $modSetting entry for extensive checks" - if extensive checks are disabled, this seems irrelevant. Maybe you can tell me how to gut the "security checks" code? I'm pretty annoyed, and I don't care if it prevents some hypothetical attack. Making the forum unusable is unacceptable, and it has to go, as quickly as possible.

Offline Suki

  • SMF Super Hero
  • *******
  • Posts: 14,961
  • Kaizoku Jotei
    • SMF mods
Re: Your attachment has failed security checks and cannot be uploaded
« Reply #5 on: March 09, 2016, 10:45:20 AM »
Attach your Sources/Subs-Post.php
But now you make me feel so ashamed
Because I've only got two hands
Well, I'm still fond of you, oh-ho-oh

Offline badon

  • Jr. Member
  • **
  • Posts: 172
Re: Your attachment has failed security checks and cannot be uploaded
« Reply #6 on: September 03, 2016, 12:51:41 AM »
Here's is my Subs-Post.php

Offline badon

  • Jr. Member
  • **
  • Posts: 172
Re: Your attachment has failed security checks and cannot be uploaded
« Reply #7 on: September 30, 2016, 04:47:06 PM »
Another file that fails security checks when security checks are disabled.

Offline badon

  • Jr. Member
  • **
  • Posts: 172
Re: Your attachment has failed security checks and cannot be uploaded
« Reply #8 on: October 01, 2016, 08:26:40 PM »
Hello?

Offline Suki

  • SMF Super Hero
  • *******
  • Posts: 14,961
  • Kaizoku Jotei
    • SMF mods
Re: Your attachment has failed security checks and cannot be uploaded
« Reply #9 on: October 03, 2016, 12:05:32 PM »
Need more info, whats your php version?  what libraries do you have installed? mods? do you have the "Re-encode potentially dangerous image attachments"  setting on?
But now you make me feel so ashamed
Because I've only got two hands
Well, I'm still fond of you, oh-ho-oh

Offline badon

  • Jr. Member
  • **
  • Posts: 172
Re: Your attachment has failed security checks and cannot be uploaded
« Reply #10 on: October 14, 2016, 10:12:57 PM »
Need more info, whats your php version?  what libraries do you have installed? mods? do you have the "Re-encode potentially dangerous image attachments"  setting on?

Re-encode is not enabled because we are preserving information and automatically modifying everything with degraded quality would be bad. I have attached screenshots of my forum mods installed, and my attachment settings. PHP version and Apache modules are below.

PHP Version 5.3.28

Installed modules:

core
http_core
mod_actions
mod_alias
mod_asis
mod_auth_basic
mod_auth_digest
mod_authn_alias
mod_authn_anon
mod_authn_dbm
mod_authn_default
mod_authn_file
mod_authz_dbm
mod_authz_default
mod_authz_groupfile
mod_authz_host
mod_authz_owner
mod_authz_user
mod_autoindex
mod_cache
mod_cern_meta
mod_cgi
mod_charset_lite
mod_dav
mod_dav_fs
mod_deflate
mod_dir
mod_disk_cache
mod_dumpio
mod_env
mod_expires
mod_file_cache
mod_filter
mod_headers
mod_imagemap
mod_include
mod_info
mod_log_config
mod_logio
mod_mime
mod_mime_magic
mod_negotiation
mod_php5
mod_reqtimeout
mod_rewrite
mod_setenvif
mod_so
mod_speling
mod_ssl
mod_status
mod_unique_id
mod_userdir
mod_usertrack
mod_version
mod_vhost_alias
prefork


Offline badon

  • Jr. Member
  • **
  • Posts: 172
Re: Your attachment has failed security checks and cannot be uploaded
« Reply #11 on: October 27, 2016, 05:12:09 AM »
More files that allegedly fail security checks even though security checks are disabled.

Offline badon

  • Jr. Member
  • **
  • Posts: 172
Re: Your attachment has failed security checks and cannot be uploaded
« Reply #12 on: December 13, 2016, 08:05:22 PM »
We're collecting files that trigger the bug here:

https://forum.coincompendium.com/index.php?topic=5750.0

Offline badon

  • Jr. Member
  • **
  • Posts: 172
Re: Your attachment has failed security checks and cannot be uploaded
« Reply #13 on: January 11, 2017, 04:05:29 AM »
Any news about this bug?