
Author Topic: Your attachment has failed security checks and cannot be uploaded  (Read 33568 times)

Offline badon

  • Jr. Member
  • **
  • Posts: 185
This is still a problem in the year 2016:

https://forum.coincompendium.com/index.php?topic=4513.msg20221#msg20221

Technology marches on, but we still can't rely on SMF for images. Maybe someone can explain how to gut the code to remove these security checks manually?

Offline Suki

  • SMF Super Hero
  • *******
  • Posts: 14,973
  • Kaizoku Jotei
    • SMF mods
Re: Your attachment has failed security checks and cannot be uploaded
« Reply #1 on: March 02, 2016, 11:00:22 AM »
Regardless of the year, security measures still need to be applied.

There is a setting to disable extensive checks, do you have that setting on or off?

If you have that setting off and your images are still being blocked then we will have to see that image, perhaps upload it to an external image hosting site for us to take a look at it.

I'm not a criminal.
I'm not a rapist.

Offline badon

  • Jr. Member
  • **
  • Posts: 185
Re: Your attachment has failed security checks and cannot be uploaded
« Reply #2 on: March 07, 2016, 01:05:13 AM »
Suki, here are 2 different formats of the same image that I was unable to attach to my post:

https://forum.coincompendium.com/index.php?topic=4562.msg20111#msg20111

Offline Suki

  • SMF Super Hero
  • *******
  • Posts: 14,973
  • Kaizoku Jotei
    • SMF mods
Re: Your attachment has failed security checks and cannot be uploaded
« Reply #3 on: March 07, 2016, 11:03:16 AM »
I've checked your images and both of your files contain the opening PHP tag: <? which is why the extensive security check returns false. The extensive security check explicitly looks for PHP and/or ASP tags.

Could be a false positive but I find it weird that both formats have it exactly two times each.

Anyway, the "normal check" does return true since it doesn't check for PHP tags, make sure you do have the extensive check turned off and clean your forum's cache. Also, make sure that the call to checkImageContents() respects the $modSetting entry for extensive checks.

I'm not a criminal.
I'm not a rapist.
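
To see why a given file trips a tag scan like the one described in Reply #3, the following added example (not SMF's code and not part of the original thread) lists every `<?` or `<%` byte pair in a file and shows what follows it. The function name `findTagHits` and the sample bytes are constructed for illustration; XMP metadata, whose packet wrapper begins and ends with a `<?xpacket` instruction, is used as one known benign source of such bytes, not as a diagnosis of the files in this thread.

```php
<?php
// Added example, not SMF code. Lists each "<?" / "<%" byte pair in a file and
// classifies what follows, to explain why a PHP/ASP tag scan flagged it.
function findTagHits($bytes)
{
    $hits = array();
    if (!preg_match_all('/<[?%]/', $bytes, $m, PREG_OFFSET_CAPTURE)) {
        return $hits; // no tag-like bytes (or a regex error)
    }
    foreach ($m[0] as $match) {
        list($tag, $offset) = $match;
        // Cast guards against substr() returning false at end of input (PHP < 8).
        $after = (string) substr($bytes, $offset + 2, 12);
        if ($tag === '<%') {
            $kind = 'ASP-style "<%"';
        } elseif (stripos($after, 'xpacket') === 0 || stripos($after, 'xml') === 0) {
            $kind = 'XML/XMP processing instruction (metadata)';
        } elseif (stripos($after, 'php') === 0 || strpos($after, '=') === 0) {
            $kind = 'PHP open tag ("<?php" or "<?=")';
        } else {
            $kind = 'bare "<?" (possibly coincidental bytes in binary data)';
        }
        $hits[] = array(
            'offset'  => $offset,
            'kind'    => $kind,
            'context' => bin2hex($tag . $after),
        );
    }
    return $hits;
}

// Constructed sample: JPEG-like markers around an XMP packet wrapper.
$sample = "\xFF\xD8\xFF\xE1" . '<?xpacket begin="" id="constructed"?>'
        . '<x:xmpmeta/>' . '<?xpacket end="w"?>' . "\xFF\xD9";

// Scan the file given on the command line, or the sample if none is given.
$bytes = isset($argv[1]) ? file_get_contents($argv[1]) : $sample;
if ($bytes === false) {
    fwrite(STDERR, "cannot read {$argv[1]}\n");
    exit(1);
}
foreach (findTagHits($bytes) as $hit) {
    printf("offset %d: %s [%s]\n", $hit['offset'], $hit['kind'], $hit['context']);
}
```

The code avoids short array syntax and type declarations so it also runs on older PHP 5 installations.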

Offline badon

  • Jr. Member
  • **
  • Posts: 185
Re:Your attachment has failed security checks and cannot be uploaded
« Reply #4 on: March 08, 2016, 08:47:15 PM »
As you can see from my screenshot, extensive security checks are indeed turned off, and they always have been. I don't know what you're talking about with "make sure that the call to checkImageContents() respects the $modSetting entry for extensive checks" - if extensive checks are disabled, this seems irrelevant. Maybe you can tell me how to gut the "security checks" code? I'm pretty annoyed, and I don't care if it prevents some hypothetical attack. Making the forum unusable is unacceptable, and it has to go, as quickly as possible.

Offline Suki

  • SMF Super Hero
  • *******
  • Posts: 14,973
  • Kaizoku Jotei
    • SMF mods
Re: Your attachment has failed security checks and cannot be uploaded
« Reply #5 on: March 09, 2016, 10:45:20 AM »
Attach your Sources/Subs-Post.php

Offline badon

  • Jr. Member
  • **
  • Posts: 185
Re: Your attachment has failed security checks and cannot be uploaded
« Reply #6 on: September 03, 2016, 12:51:41 AM »
Here is my Subs-Post.php

Offline badon

  • Jr. Member
  • **
  • Posts: 185
Re: Your attachment has failed security checks and cannot be uploaded
« Reply #7 on: September 30, 2016, 04:47:06 PM »
Another file that fails security checks when security checks are disabled.

Offline badon

  • Jr. Member
  • **
  • Posts: 185
Re: Your attachment has failed security checks and cannot be uploaded
« Reply #8 on: October 01, 2016, 08:26:40 PM »
Hello?

Offline Suki

  • SMF Super Hero
  • *******
  • Posts: 14,973
  • Kaizoku Jotei
    • SMF mods
Re: Your attachment has failed security checks and cannot be uploaded
« Reply #9 on: October 03, 2016, 12:05:32 PM »
Need more info, what's your PHP version? What libraries do you have installed? Mods? Do you have the "Re-encode potentially dangerous image attachments" setting on?

Offline badon

  • Jr. Member
  • **
  • Posts: 185
Re: Your attachment has failed security checks and cannot be uploaded
« Reply #10 on: October 14, 2016, 10:12:57 PM »
Need more info, what's your PHP version? What libraries do you have installed? Mods? Do you have the "Re-encode potentially dangerous image attachments" setting on?

Re-encode is not enabled because we are preserving information and automatically modifying everything with degraded quality would be bad. I have attached screenshots of my forum mods installed, and my attachment settings. PHP version and Apache modules are below.

PHP Version 5.3.28

Installed modules:

core
http_core
mod_actions
mod_alias
mod_asis
mod_auth_basic
mod_auth_digest
mod_authn_alias
mod_authn_anon
mod_authn_dbm
mod_authn_default
mod_authn_file
mod_authz_dbm
mod_authz_default
mod_authz_groupfile
mod_authz_host
mod_authz_owner
mod_authz_user
mod_autoindex
mod_cache
mod_cern_meta
mod_cgi
mod_charset_lite
mod_dav
mod_dav_fs
mod_deflate
mod_dir
mod_disk_cache
mod_dumpio
mod_env
mod_expires
mod_file_cache
mod_filter
mod_headers
mod_imagemap
mod_include
mod_info
mod_log_config
mod_logio
mod_mime
mod_mime_magic
mod_negotiation
mod_php5
mod_reqtimeout
mod_rewrite
mod_setenvif
mod_so
mod_speling
mod_ssl
mod_status
mod_unique_id
mod_userdir
mod_usertrack
mod_version
mod_vhost_alias
prefork


Offline badon

  • Jr. Member
  • **
  • Posts: 185
Re: Your attachment has failed security checks and cannot be uploaded
« Reply #11 on: October 27, 2016, 05:12:09 AM »
More files that allegedly fail security checks even though security checks are disabled.

Offline badon

  • Jr. Member
  • **
  • Posts: 185
Re: Your attachment has failed security checks and cannot be uploaded
« Reply #12 on: December 13, 2016, 08:05:22 PM »
We're collecting files that trigger the bug here:

https://forum.coincompendium.com/index.php?topic=5750.0

Offline badon

  • Jr. Member
  • **
  • Posts: 185
Re: Your attachment has failed security checks and cannot be uploaded
« Reply #13 on: January 11, 2017, 04:05:29 AM »
Any news about this bug?

Offline badon

  • Jr. Member
  • **
  • Posts: 185
Re: Your attachment has failed security checks and cannot be uploaded
« Reply #14 on: February 16, 2017, 07:27:28 PM »
I just discovered a workaround for this bug that also isolates it. If post text is removed, the files will attach to the draft message successfully. Then add text, and post. I have been testing this workaround for about a week, and I have not encountered the bug. I just tested the workaround on a known problem-file, and it posted successfully.

Offline badon

  • Jr. Member
  • **
  • Posts: 185
Re: Your attachment has failed security checks and cannot be uploaded
« Reply #15 on: February 16, 2017, 07:43:22 PM »
I also just discovered that when attaching multiple files, sometimes adding the text for the "final save" will trigger the bug. Then, when going back, the files will be a mess with duplicates and some of them unchecked. I check all of them, save WITHOUT TEXT, and only a few are still unchecked. Check those, save WITHOUT TEXT, and now all of the attachments are checked. Add text, save, and it works.

There is obviously something wrong in both the handling of the file attachments, and some bizarre interaction between the attachments and the post text.

Offline badon

  • Jr. Member
  • **
  • Posts: 185
Re: Your attachment has failed security checks and cannot be uploaded
« Reply #16 on: February 16, 2017, 07:45:40 PM »
I just noticed SMF is somehow duplicating files. Some of them are missing, and some of them are duplicated. Weird.

Offline badon

  • Jr. Member
  • **
  • Posts: 185
Re: Your attachment has failed security checks and cannot be uploaded
« Reply #17 on: February 16, 2017, 08:14:47 PM »
A series of screenshots that shows the addition of post text triggers the bug, even though the files are already attached successfully when the post is made without post text (with an error message).

Offline badon

  • Jr. Member
  • **
  • Posts: 185
Re: Your attachment has failed security checks and cannot be uploaded
« Reply #18 on: February 16, 2017, 08:22:36 PM »
I just went back and unchecked the last file and saved the post, then all the files disappeared. Did they time-out and get deleted?

Also, could this bug be related to some kind of bizarre permissions problem? I'm running this on FreeBSD, and we don't normally have any problems with uploading attachments. We have an SMF 1.x forum on the same server that doesn't have any problems.

I'm going to try reattaching the files, and then unchecking the last one to see what happens. I'm going to uncheck them one at a time and save the post with text to identify which file is the problem file in combination with that particular post text.

Offline Illori

  • Project Manager
  • SMF Master
  • *
  • Posts: 47,159
Re: Your attachment has failed security checks and cannot be uploaded
« Reply #19 on: February 17, 2017, 05:09:33 AM »
Are you using a drafts mod? If so, uninstall it and see if you can still duplicate the issue.