1.1.19 avatar bug?

[Arantor]

Technically, it's not a 'legitimate Photoshop image', because all the stuff they cram into JPGs is completely non standard and specific to Adobe.

I doubt it will be fixed in 1.1.19 though, unless another patch happens before we release 2.1 since 1.1.19 will be end of life soon.

[MrPhil]

it's not a 'legitimate Photoshop image', [...] specific to Adobe.

Eh? Did you mean "legitimate JPEG image"?

Still, Adobe Photoshop is the worldwide Gold Standard for image processing ("photoshop" has even become a verb), so any image produced by standard Photoshop should be considered safe and acceptable for upload. That will probably mean a more sophisticated malware detection algorithm is needed, or (short of that) quarantine the image and notify the forum admin that the image is suspicious and needs to be examined, rather than simply rejecting it. Tell the member trying to upload the image that it has been quarantined and will appear once the admin has approved it.

[Kindred]

or you could properly configure photoshop to not include the crap in the header of the file...

[emanuele]

That will probably mean a more sophisticated malware detection algorithm is needed, or (short of that) quarantine the image and notify the forum admin that the image is suspicious and needs to be examined, rather than simply rejecting it. Tell the member trying to upload the image that it has been quarantined and will appear once the admin has approved it.

Even though this is an interesting idea, let's try to see what would happen in Real World^TM: a user uploads an images that *looks* suspicious to SMF, in your idea the image is uploaded for further inspection by the admin. The admin is not a very technical person, so the two possible reactions are: 1) delete the image without even trying to understand, 2) approve the image without even try to understand.
1 is the same as SMF.
2 opens the door to malware diffusion and (possible) server attacks.
Are you happy with that?

[Maceman]

or you could properly configure photoshop to not include the crap in the header of the file...

Are we supposed to tell this to everyone who tries to upload an avatar? I don't believe other forum software has this issue.

I believe the user's avatar was created with CS2, where my image created which was created with CS5 was still having this issue, with the default Photoshop settings. The detection algorithm should be adjusted to let Photoshop headers through (and any other legitimate headers).

Currently, this is like an anti-virus program that is detecting one of the most popular Windows programs as a virus. Metaphor.

[Arantor]

That's because most of the other forum software doesn't bother to actually *check* for anything nasty.

I repeat again: it is not part of the JPEG specification to have cellTextIsHtml in it. It is a proprietary extension added by Photoshop.

2.1 has already remedied this and in amidst all the other issues I had to fix in 1.1.19 and 2.0.6 I forgot to backport that as well. Yes, another thing I got wrong, I'm sorry, I'm only human.

EDIT: We checked again, it seems what I did in the 1.1.19 patch is grab the stronger test from 2.0 rather than the less secure one.

[emanuele]

I believe the user's avatar was created with CS2, where my image created which was created with CS5 was still having this issue, with the default Photoshop settings. The detection algorithm should be adjusted to let Photoshop headers through (and any other legitimate headers).

Out of curiosity and not that it matters (really, just my curiosity): did you buy Photoshop?

[ninaudp]

That's because most of the other forum software doesn't bother to actually *check* for anything nasty.
I repeat again: it is not part of the JPEG specification to have cellTextIsHtml in it. It is a proprietary extension added by Photoshop.
2.1 has already remedied this and in amidst all the other issues I had to fix in 1.1.19 and 2.0.6 I forgot to backport that as well. Yes, another thing I got wrong, I'm sorry, I'm only human.

EDIT: We checked again, it seems what I did in the 1.1.19 patch is grab the stronger test from 2.0 rather than the less secure one.

Howdy, after applying the 1.1.19 patch to my 1.1.18 smf, I too can no longer upload avatars.
I have even used an alternative image editing software - Picasa, rather than Photoshop.
Plus I have checked all the settings for the attachments and avatars in the admin console.
Could you tell us how to manually edit the the php file in 1.1.19 to use the less secure image security check?

Thank you!

[ninaudp]

I just found the link to the 1.1.19 security patch changes

Is that a current and complete list of all the code changes in the 1.1.19 patch?
If so, I will reverse the changes in each of the php files and that should get me back to 1.1.18 correct?
Thank you!

[Arantor]

Yes, but it will also leave you open to all the other vulnerabilities fixed in 1.1.19.

[ninaudp]

I am cool with that, I will revert to the old code to handle the avatar upload issue first - because that impacts our users the most. I am not sure the cost of the tighter 1.1.19 avatar security is worth the benefit. Knock on wood!

Then I will revert to 1.1.18 by making incremental changes and test to see if my Member Map becomes functional or not.
If none of the incremental un-patchings bring back my member map, I will go back to 1.1.19 (minus the 1.1.19 avatar security).

As a matter of fact I get the impression that 1.1.19 will be the very last patch set for the 1.0 code base - so if my forum is working great - I am not applying any more patches.

Perhaps in a few years, I will go to 2.0

Cheers, and thank you for such an awesome SMF! I really like it a lot and my forum members appreciate it too!

[Arantor]

Well, SMF 1.1 is going to fail sooner rather than later and you should be planning on upgrades now. PHP 5.5 will not function properly with SMF 1.1.x, PHP 5.6 is likely to break SMF 1.1.x (if 5.6 doesn't, 5.7 will, and it is totally impractical to even attempt a fix)

1.1.19 will likely be the last patch, yes, as every day we polish up 2.1, is another day closer to us killing 1.1 off.

I'm not being funny, though, your methodology of performing the changes is dangerous, and frankly we cannot provide any support for you if you choose to do this; unless you understand the actual consequences of the changes you're making, you should not be attempting them.

I could just tell you how to alter the 1.1.19 patch but the nature of the changes you're making suggests I shouldn't even do that.

[ninaudp]

Thank you for the extra information on SMF's compatibility with php versions.
This month, my host went to php 5.3 and all seems well with my forum.
I will ask my host what time-line they have for going to higher versions of php, in order to get a sense of how urgent moving to SMF 2.0 really is.

Thank you very much for all your help!

[Arantor]

Just FYI, PHP 5.3 itself is in maintenance only state now.

[Rigg]

I am shocked that Simple Machine's solution with this is to block anything "non-standard" and suddenly make the SMF software non-compatible with Adobe's software for avatars/attachments.

Writing it off and blaming the end user (for leaving the default export settings turned on for Photoshop) or by pointing fingers at Adobe (for using nonstandard markup which is nonetheless extremely prevalent in images online) just seems like you don't really care about your users and can't be bothered to keep the usability of your software intact.  Now forum owners need to explain this to their own users, that Simple Machines decided to release an update that knowingly does not allow for Photoshop use, which is awkward at best.  You'll notice Facebook, Twitter, Flickr, Wordpress, and any other service that people are used to using do not prevent files created by Photoshop.  Regardless of how secure or insecure this is for these other services, writing your security patches so broadly that they can block both nefarious AND legitimately clean attachments isn't the most responsible way of going about this. 

Laying the blame at Adobe's doorstep rather than actually addressing the problem you've created with broad blanket security checks is the easy way out, and it's disappointing to see that nothing has been done by Simple Machines since the release of 1.1.19 to address this matter with any sort of update.  Is there any plan to update this?  Or does Simple Machines not care whether this version doesn't work as intended anymore? 

I have to admit it's discouraging to see this lack of care with this update.  I see you mentioned that there was a mistake along the way with the update and that you're only human.... but it's been 45 days since then and it seems no one has gotten around to remedying this.

[Arantor]

Except I'm trying to spend my time on the *current* version rather than a *7 year old version that will be discontinued soon*. If we do a 1.1.20 I'll update it then, but pushing out a patch is not a simple measure (it takes several people several days to make happen because of the way we build patches for security reasons), but honestly it's comments like this that make me wonder why I bother spending my free time working on something when all it's going to do is attract criticism.

The update did not 'knowingly' break avatars. I just happened to use the more strict line from 2.0 by accident.

The only reason we don't just drop 1.1.x right now is because it would be unfair to do it with no notice, but as soon as 2.1 stabilises, all 1.1 official support will end anyway. But 1.1 is going to fail in the future as PHP changes what is supported (like the mysql_query and mysql_fetch_assoc functions being deprecated in 5.5, which cannot be fixed in a security patch because every single possible mod will also need to be fixed as well, but solutions already exist for 2.0 series which has been stable for 2 years and realistically you should already be on that anyway)

[lurkalot]

What happens if the images are saved in Photoshop using the "Save for web" option ? which to be honest they are supposed to be using for this kind of stuff.  That normally strips out the EXIF data when you save the image, plus you can optimise them for file size, and image size at the same time.   Do the images upload when using this method?

[crash56]

Except I'm trying to spend my time on the *current* version rather than a *7 year old version that will be discontinued soon*. If we do a 1.1.20 I'll update it then, but pushing out a patch is not a simple measure (it takes several people several days to make happen because of the way we build patches for security reasons), but honestly it's comments like this that make me wonder why I bother spending my free time working on something when all it's going to do is attract criticism.

   I appreciate everyone's hard work on SMF, especially on patching the 1.1.x series.  I'm finally changing over to 2.0.6 because of the PHP 5.5 issue, but it has been a relief to be able to continue using 1.1.x for this long after 2.0 came out and know that it's secure. 

[Rigg]

Thanks for the explanation on this, that's too bad that it's such a complicated process to release a new patch.  I get that this wasn't intentional, just that after release you soon realized that it was broken and decided to leave it as-is.  Surprised that it was a priority to update 1.1 for security reasons, but not a priority to update 1.1 to fix features broken by the last update.  Oh well, glad that this issue doesn't carry over into current/future versions at least.

All the best with the new 2.1 version, we've been dragging our feet with updating from 1.1 due to having to rewrite or replace our themes and mods, though we'll have to do it at some point soon!