SMF and images

Started by Sputnik53, December 10, 2009, 04:50:13 AM

Sputnik53

SMF, images and security. I still do not know why SMF allows users to set files with bad mimetypes (text/html) as signature, avatar or be able to post them with [img]-tags.

I made a little PHP-script that checks the mimetype of the image and checks if it's allowed (gif/jpeg/png). What would be the best place to implement my script into SMF? I intend to replace the bad files with an image. This needs to be done in posts, avatars and signatures, for all images on those elements. Please tell me if you can think of more places where users can get their bad image displayed.

PS. If there's already a mod that does this please give me a link (I couldn't find one).

Arantor

First up, which version are you looking at?

Secondly, note that MIME types aren't always set correctly, especially on some shared hosts, which if it were to be enforced, SMF would quickly become somewhat useless.

Also, what kinds of avatars? Uploaded ones or external ones?

I would note that scanning an external host every single time is a Very Bad Idea. Even checking it on change isn't really guaranteeing anything.

Sputnik53

Quote from: Arantor on December 10, 2009, 05:14:46 AM
First up, which version are you looking at?

Secondly, note that MIME types aren't always set correctly, especially on some shared hosts, which if it were to be enforced, SMF would quickly become somewhat useless.

Also, what kinds of avatars? Uploaded ones or external ones?

I would note that scanning an external host every single time is a Very Bad Idea. Even checking it on change isn't really guaranteeing anything.
Version is 1.1.11 and I'm using PHP-function get_headers() to retrieve content-type. I'm concerned about external images.

If I can give you an example of what you can do with this:
User A visits two forums: SMF-powered and "bad forum software"-powered
User B puts "bad-forum-software's" logout link (which doesn't validate session like SMF) to his signature using [img]-tags in SMF-powered forums
Now every time A sees B's signature he will get logged out from "bad-forum-software"-powered forums.

I'm trying to prevent this from happening. What I've seen so far is users putting links to polls from external sites to manipulate the scores.

Arantor

I see what you mean. I believe 2.0 does a slightly better job there since it can attempt to get image size too.

What you have here is a classic case of CSRF vulnerability in the other sites because they don't session check.

So when would you have it attempt to type-check, exactly?

Sputnik53

Quote from: Arantor on December 10, 2009, 05:34:10 AM
I see what you mean. I believe 2.0 does a slightly better job there since it can attempt to get image size too.

What you have here is a classic case of CSRF vulnerability in the other sites because they don't session check.

So when would you have it attempt to type-check, exactly?
Well, I was thinking either when the signature/avatar/message data is read from the database or before it's printed.

Arantor

Considering that it's read just before it's printed, that would imply adding it to the master img tag in the bbcode parser, which is already one of the largest (and by far the slowest) parts of SMF, and means it would resolve individually for each image, even calling the same image multiple times, which isn't what you want.

I think you'd have to consider doing it on post save/signature save/avatar save but even that is fraught with issues since there are so many places some of those can be called from, especially post save (including new post/new topic/modify post/inline modify)

Sputnik53

That's exactly my problem, this also wouldn't fix it for those who already have bad things in their profile or messages (isn't really a problem for me though).

Would this work if I modify post-data in some index-like (possibly main index.php?) file that's executed before writing to database?

Arantor

The places to modify code are Post.php, Profile.php and Profile.php respectively for when changes are made. As for members who already have this, you can as admin remove them.

I really wouldn't attempt to sanitise what's already there, because it will bring the forum grinding to a halt instantly.

Sputnik53

Quote from: Arantor on December 10, 2009, 06:30:03 AM
The places to modify code are Post.php, Profile.php and Profile.php respectively for when changes are made. As for members who already have this, you can as admin remove them.

I really wouldn't attempt to sanitise what's already there, because it will bring the forum grinding to a halt instantly.
Thanks and yeah I kinda realized that myself too. :p

Arantor

Might be worth having a read of our function database (see Support, in the top menu here) as to the functions applicable and where you'd be looking to modify the code.
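
Added example, not part of any post in this thread and not SMF code: a sketch of the save-time check discussed above, which resolves each distinct [img] URL once with get_headers() and accepts only gif/jpeg/png. All function names are hypothetical, the host forum.example is constructed, and the code assumes PHP 7.4 or later rather than the PHP versions SMF 1.1.11 ran on.

```php
<?php
// Added illustration; function names are hypothetical, not SMF functions.
const ALLOWED_IMAGE_TYPES = ['image/gif', 'image/jpeg', 'image/png'];

// Collect each distinct external URL used in [img] tags of a post or signature.
function extract_img_urls(string $bbcode): array
{
    preg_match_all('~\[img[^\]]*\](https?://[^\[\s]+)\[/img\]~i', $bbcode, $m);
    return array_values(array_unique($m[1]));
}

// Pure check on a header value such as "image/png" or "text/html; charset=UTF-8".
function is_allowed_image_type($contentType): bool
{
    if (is_array($contentType)) {      // repeated header: use the last value
        $contentType = end($contentType);
    }
    $type = strtolower(trim(explode(';', (string) $contentType)[0]));
    return in_array($type, ALLOWED_IMAGE_TYPES, true);
}

// One HEAD request per URL, short timeout, redirects not followed.
function remote_image_ok(string $url): bool
{
    $ctx = stream_context_create(['http' => [
        'method' => 'HEAD', 'timeout' => 3, 'follow_location' => 0,
    ]]);
    $headers = @get_headers($url, true, $ctx);
    if ($headers === false || !preg_match('~^HTTP/\S+\s+200\b~', $headers[0] ?? '')) {
        return false;                  // unreachable, redirect, or error status
    }
    $headers = array_change_key_case($headers, CASE_LOWER);
    return is_allowed_image_type($headers['content-type'] ?? '');
}

// Returns the URLs that failed the check so the caller can reject or replace them.
function rejected_images(string $bbcode): array
{
    return array_values(array_filter(
        extract_img_urls($bbcode),
        fn(string $url): bool => !remote_image_ok($url)
    ));
}

// Constructed sample input mirroring the signature scenario in the thread.
$sig = '[img]https://forum.example/index.php?action=logout[/img]';
print_r(extract_img_urls($sig));
```

A pass at save time only describes that one response; the remote host can answer differently later, which is the limitation Arantor points out for checking on change.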