Unable to attach .psd

Started by MLM, November 30, 2011, 06:02:24 PM

MLM

so yeah... old bug but I never reported it: http://www.simplemachines.org/community/index.php?topic=433206

SMF 2.0.1 currently but it has been happening in the rc+

My Themes:

My Mods:

Unsolved Threads:
  • None atm...

Angelina Belle

Thanks for reporting this. Seems the problem is the XML in the file.
Writing a validator that can tell the difference between a GOOD image file with XML in it and a DANGEROUS file with XML in it could be a bit tricky.
Does zipping the file improve things at all?
Never attribute to malice that which is adequately explained by stupidity. -- Hanlon's Razor

MLM

Quote from: AngelinaBelle on December 01, 2011, 10:40:48 AM
Thanks for reporting this. Seems the problem is the XML in the file.
Writing a validator that can tell the difference between a GOOD image file with XML in it and a DANGEROUS file with XML in it could be a bit tricky.
Does zipping the file improve things at all?

yep, of course but sometimes you want to know what you are downloading / unzipping especially if it's only one thing


Angelina Belle

That is one simple workaround, though, until we hear more about whether the devs can make the file validation smart enough to accept a psd file.

And it could potentially make graphics downloads faster, for packs of large PSD files.

MLM

Quote from: AngelinaBelle on December 02, 2011, 10:17:35 AM
That is one simple workaround, though, until we hear more about whether the devs can make the file validation smart enough to accept a psd file.

And it could potentially make graphics downloads faster, for packs of large PSD files.

I totally agree on zipping if there is more than one but I run into this problem when I sometimes want to add a psd to a topic on these official boards when I want to better explain my problem through psd or provide graphics.


Antechinus

Zipping is still going to result in faster uploads and downloads, even for a single psd. Psd's compress very well. There's no advantage in not having them zipped because they can't be opened in a browser anyway.

MLM

Quote from: Antechinus on December 02, 2011, 04:54:24 PM
Zipping is still going to result in faster uploads and downloads, even for a single psd. Psd's compress very well. There's no advantage in not having them zipped because they can't be opened in a browser anyway.

I agree but there is no reason why you shouldn't be able to and sometimes the files are small enough that it does not even matter.


Angelina Belle

I'm not sure whether to call this a bug or feature, MLM. I don't think it is a bug in the implementation of a desired feature.

Certainly, SMF is doing its job of rejecting attachments with XML content, as it has been designed to do. It could be a design failure (if the structure of a proper PSD file was never considered), or a pragmatic decision to implement a SIMPLE validation procedure that will provide an appropriate level of security. I wasn't involved in the discussions on implementing the attachment validation feature, so I can't know.

I get the idea that Antechinus might not be a big advocate of the feature you'd like to see, MLM.  And I don't know what the security implications are of letting SMF accept files of type PSD with XML, if it would be necessary to check the files' XML for security issues (there was an IrfanView PSD exploit last year, for example).

I think it is worth advocating for the new feature, at least long enough to find out what it would take to allow the feature.
Alternatively, you could
* Just zip them all.
* Work for a mod that allows "admin override" on files the SMF validator has rejected for attachment.

Illori

Quote from: AngelinaBelle on December 05, 2011, 01:02:43 PM
* Work for a mod that allows "admin override" on files the SMF validator has rejected for attachment.

and what would happen if you had your admin account hacked and there was a way to upload a script to hack the server with this type of mod in place?

Angelina Belle

It would certainly be one of those things to consider when writing or installing such a mod.
I wonder if we are now getting very far OT. We can leave discussion of the pros and cons of a mod to the mod's own topic, if such a topic is ever started.

emanuele

Quote from: AngelinaBelle on December 05, 2011, 01:02:43 PM
* Work for a mod that allows "admin override" on files the SMF validator has rejected for attachment.

Someone submitted it a while ago and it was rejected (because it was introducing a potential security hole).

There are probably instructions in the tips and tricks board to obtain that result.


Take a peek at what I'm doing! ;D




Need support in Italian?

Help us help you: explain your problem well: no, "it doesn't work" is not an explanation!!
1) What you do,
2) what you expect,
3) what you get.

MLM

This isn't exactly affecting me since I usually have multiple to zip anyway but isn't there a way to check for just the legit xml compared to the potentially dangerous stuff?

I have tried to look for xml exploits and compare it to the psd but I am totally not savvy with xml and haven't really done anything in it. I assume that Photoshop when saving adds the same xml in every time just depending on how you name it and layers maybe. Couldn't some regex be written to compare to?

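One way to approach the question raised in the post above, as an added example that is not SMF's code and not part of any post in this thread: instead of a regex over the whole file, parse the PSD container, allow XML only inside the XMP image resource (ID 1060), and fail closed on everything else. The deny-list patterns and the `sample_psd` builder are assumptions made for illustration.

```python
import re
import struct

XMP_ID = 1060  # PSD image resource ID holding the XMP (XML) metadata packet
# Assumed deny-lists for this example; they are not SMF's actual patterns.
MARKUP = re.compile(rb"<\?xml|<\?php|<script|<html|<!DOCTYPE|<!ENTITY|<x:xmpmeta", re.I)
XMP_FORBIDDEN = re.compile(rb"<!DOCTYPE|<!ENTITY|<\?php|<script|<html", re.I)

def psd_resources(data):
    """Walk the image resources section; return [(resource_id, start, end)]."""
    if data[:4] != b"8BPS" or data[4:6] not in (b"\0\1", b"\0\2"):
        raise ValueError("not a PSD header")
    pos = 30 + struct.unpack(">I", data[26:30])[0]    # skip color mode data
    end = pos + 4 + struct.unpack(">I", data[pos:pos + 4])[0]
    if end > len(data):
        raise ValueError("resource section overruns file")
    pos, blocks = pos + 4, []
    while pos < end:
        if data[pos:pos + 4] != b"8BIM":
            raise ValueError("bad resource block signature")
        res_id = struct.unpack(">H", data[pos + 4:pos + 6])[0]
        pos += 6 + ((data[pos + 6] + 2) & ~1)          # Pascal name, even-padded
        size = struct.unpack(">I", data[pos:pos + 4])[0]
        start, pos = pos + 4, pos + 4 + size + (size & 1)  # payload even-padded
        if start + size > end:
            raise ValueError("resource payload overruns section")
        blocks.append((res_id, start, start + size))
    return blocks

def check_psd(data):
    """Return (accepted, reason); fails closed on anything unexpected."""
    try:
        blocks = psd_resources(data)
    except (ValueError, struct.error, IndexError) as exc:
        return False, f"malformed: {exc}"
    rest = bytearray(data)
    for res_id, start, stop in blocks:
        if res_id == XMP_ID:
            if XMP_FORBIDDEN.search(data[start:stop]):
                return False, "forbidden construct inside XMP packet"
            rest[start:stop] = bytes(stop - start)     # blank the vetted packet
    if MARKUP.search(rest):
        return False, "markup outside the XMP resource"
    return True, "ok"

def sample_psd(xmp, trailer=b""):
    """Constructed PSD-shaped test input (1x1 RGB, no layers), not a real export."""
    head = b"8BPS" + struct.pack(">H6xHIIHHI", 1, 3, 1, 1, 8, 3, 0)
    res = b"8BIM" + struct.pack(">H2xI", XMP_ID, len(xmp)) + xmp + bytes(len(xmp) & 1)
    return head + struct.pack(">I", len(res)) + res + bytes(4) + trailer
```

A file that passes is structurally a PSD with its XML confined to the metadata resource; that says nothing about parser bugs in the programs that later open it, such as the IrfanView PSD issue mentioned earlier in the thread.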

Joshua Dickerson

Heh, you mean SMF 2.0.1 I guess.
Come work with me at Promenade Group



Need help? See the wiki. Want to help SMF? See the wiki!

Did you know you can help develop SMF? See us on Github.

How have you bettered the world today?

MLM



Joshua Dickerson

At first, I was thinking how the hell did MLM get 2.1 and why would they post that they have it and then I realized the mistake.