News:

Bored?  Looking to kill some time?  Want to chat with other SMF users?  Join us in IRC chat or Discord

Main Menu

Your attachment has failed security checks and cannot be uploaded.

Started by archiebald, June 29, 2011, 02:25:12 AM

Previous topic - Next topic

archiebald

I have read the threads on this.

This is causing me problems with some 15MB tiff files.
This is the relevant stuff;

       
  • I have a dedicated server where up to 200MB uploads are enabled. 
  • I have a closed membership so there are no security risks.
  • I don't want to enable re-encoding because I sometime needs animation attachments.
  • I need to have "check attachment's extension" enabled for other reason.
Two requests,

       
  • WHY can't there be an Admin option to turn off the security checking of images? I understand why the security checks are deemed necessary but I don't like being nannied.
  • Can someone please point out where the security checking code is so I can disable it manually.

Illori

admin -> attachments and avatars -> attachment settings do you have perform extensive security checks on uploaded image attachments checked?

archiebald

Quote from: Illori on June 29, 2011, 05:53:46 AM
admin -> attachments and avatars -> attachment settings do you have perform extensive security checks on uploaded image attachments checked?

No - this is the point.  I have the lowest security settings but they are not low enough. 

Actually I have found it now.  Sources\Subs-post.php I have disabled the section of code that does the checking.

It would be MUCH nicer if this were possible to disable from the admin panel, (with one of those dire warnings about NOT disabling it).  At least it would allow us to troubleshoot a little easier and those of us that really don't need it can disable it.


Wallydraigle

Can you be a little more specific about what you did to disable this?  This happens a lot when people try to attach images that have been through Photoshop, and have xml with links to other websites in the metadata.  I guess it looks like a cross-site attack to the board or something.

archiebald

Here you go....

You need to comment out or delete this entire block of code that is in Sources\Subs-post.php

I would be dubious about doing this except that my board is a closed membership by entry only.

//Commented out the following to prevent security checks on images.

// Security checks for images
// Do we have an image? If yes, we need to check it out!

/*  commented out 2011/06/29
if (isset($validImageTypes[$size[2]]))
{
if (!checkImageContents($attachmentOptions['destination'], !empty($modSettings['attachment_image_paranoid'])))
{
// It's bad. Last chance, maybe we can re-encode it?
if (empty($modSettings['attachment_image_reencode']) || (!reencodeImage($attachmentOptions['destination'], $size[2])))
{
// Nothing to do: not allowed or not successful re-encoding it.
require_once($sourcedir . '/ManageAttachments.php');
removeAttachments(array(
'id_attach' => $attachmentOptions['id']
));
$attachmentOptions['id'] = null;
$attachmentOptions['errors'][] = 'bad_attachment';

return false;
}
// Success! However, successes usually come for a price:
// we might get a new format for our image...
$old_format = $size[2];
$size = @getimagesize($attachmentOptions['destination']);
if (!(empty($size)) && ($size[2] != $old_format))
{
// Let's update the image information
// !!! This is becoming a mess: we keep coming back and update the database,
//  instead of getting it right the first time.
if (isset($validImageTypes[$size[2]]))
{
$attachmentOptions['mime_type'] = 'image/' . $validImageTypes[$size[2]];
$smcFunc['db_query']('', '
UPDATE {db_prefix}attachments
SET
mime_type = {string:mime_type}
WHERE id_attach = {int:id_attach}',
array(
'id_attach' => $attachmentOptions['id'],
'mime_type' => $attachmentOptions['mime_type'],
)
);
}
}
}
}
*/

Wallydraigle

Okay, thanks.  I tried something like that but didn't comment out enough of it.

Iomega0318

Awesome, thanks for this! I keep getting the error even though I should not be on legit images that I know are fine.. so unfortunately this is the only way I can upload images.. It sucks to have to disable it but when you have no choice.. :|

For anyone interested I have created a mod to enable/disable the checks using the above code..
UOFreeshards.net
UOFreeshards.net 2.1 Aplha Test Site
"I believe in Christianity as I believe in the sun...
not because I see it but because by it I see everything else."
C.S. Lewis

Heed what I say, for it shall be mentioned only once.

archiebald

Very interested in the mod, is it available on the SMF download section?

Iomega0318

Sorry for the very late reply lol, and no because it removes a security feature it can not be posted in the mod section. I am not home at the moment but if you or anyone is still interested I will post a link for it when I get home. This time I will turn notifications on so I know if someone replies :-)
UOFreeshards.net
UOFreeshards.net 2.1 Aplha Test Site
"I believe in Christianity as I believe in the sun...
not because I see it but because by it I see everything else."
C.S. Lewis

Heed what I say, for it shall be mentioned only once.


Greybrow

Sorry for digging in such an old topic, but it's the most relevant one.
I think I found what caused problems with Photoshop files.
In jpegs from Adobe you may find expression "cellTextIsHTMLbool" which I found  (thanks to: preg tester) is false positive "html" for preg_match in Subs-Graphics.php line 282
if (preg_match('~(iframe|html|eval|body|script\W|[CF]WS[\x01-\x0C])~i', $prev_chunk . $cur_chunk) === 1)

I didn't want to remove checking completely as suggested above, so I tweaked it a bit adding "<" and removing "eval" as it shouldn't work without "<script"
Here is the changed code:
if (preg_match('~(<iframe|<html|<body|<script\W|[CF]WS[\x01-\x0C])~i', $prev_chunk . $cur_chunk) === 1)


I've checked it on SMF 2.0.2 with before rejected files, and it works just fine (with no strict checking of course).
Hope it helps.

MrPhil

You could also try adding code to explicitly exclude cellTextIsHTMLbool as a "hit":

if (preg_match('~(iframe|html|eval|body|script\W|[CF]WS[\x01-\x0C])~i', $prev_chunk . $cur_chunk) === 1
    && !preg_match('~cellTextIsHTMLbool~', $prev_chunk . $cur_chunk)  )

The second test shouldn't be run unless the first test passes (matches iframe, html, etc.). Note that I'm assuming that you won't find forbidden text ('html' tag, etc.) and 'cellTextIsHTMLbool' in the same chunk of attachment file.

Greybrow

It's a good idea, but maybe using html/eval/body etc. as words instead of tags with "<" in the beginning is kind of overkill?
What about a situation, when someone adds tags to his pictures for example: bodyguard, evaluation, manuscript?

Gryzor

Well, this was so many months ago, and a known issue... won't SMF ever solve it?

I'll try it on my 2.0.4 installation tonight!

Arantor

It's been an issue ever since RC4 back in 2010.

Getting fixed? That's another matter entirely. It IS fixed in 2.1. It was fixed in 2.1 last year.

Gryzor

Ah yes, I remember discussing that. Now let's wait for it then, it's been so long :D

Arantor

I tried 2.1 recently, I have to say that my reaction was one of being vaguely underwhelmed :( (what there is, is well done, but there's not as much of it as I would like)

Gryzor

Well, on one hand it's a minor version update I would guess. OTOH, it's been so long in the making! :)

archiebald

Quote from: Arantor on February 22, 2013, 09:19:29 AM
It's been an issue ever since RC4 back in 2010.

Getting fixed? That's another matter entirely. It IS fixed in 2.1. It was fixed in 2.1 last year.

I don't see how it is fixed at all.  People are still reporting it as a problem and for me, every time I make an update to my forum, the same error keeps coming back again and I have to manually edit code to get back the functionality

It is clearly NOT fixed.

The proper fix for this would be a checkbox in the admin section that allows the forum admin to override these checks.

Yes, I know that leaves some security issue but surely that should be in the hands of the individual forum admin to assess.

In my particular case there is zero risk from bad images because we operate on a strict membership control.

Arantor

You're not running 2.1. It was fixed in the version after the one you're using.

archiebald

Sorry, I missed that your message was misleading.

"Fixed in 2.1 last year..."

Yet 2.1 is not released, even this forum is still running 2.0.4 so for me and all the other users, then it hasn't been fixed - not until 2.1 is released.

Any ideas when that will be?

Arantor

QuoteSorry, I missed that your message was misleading.

I take offence at that. It was not misleading in the slightest. The fact is, it was fixed in the 2.1 branch, last year. It is marked as fixed in the bug tracker here as such by the team. You misread my message, that's cool, just please don't insult me by telling me it was misleading when you misread it.

QuoteAny ideas when that will be?

When it's ready. You can get the alpha from Github should you want to. Until then, keep waiting. I would imagine a beta version will be later this year, probably no later than the 2-year anniversary of SMF 2.0 (June 2013), with a final release later in the year.

Gryzor

Archiebald, he means the 2.1 branch. But still, it's very annoying that it's still there in lower versions... can you share the code edits that you do?

archiebald

I know this is an incredibly old topic now but this problem still persists to this day.  I just changed my forum to a new dedicated server, then upgraded to the latest 2.0.11 and I STILL get the same issues.

Just to be clear, my images are NOT from photoshop, they are jpegs direct from a Canon DSLR.

I have turned on Re-encode in the Admin panel.

I get one of two results - either the error message, of a blank screen with this in the address bar.
http://xxxxxx/forum/index.php?action=post2;start=0;msg=7645;a3b897e8=2a99f4138cac04e7f32ba71b44590609;board=57

In my attachments folder I am seeing both the TMP file and the attachment file, but the board crashes and the message is no recorded.

Really frustrated right now as the previous hacks that used to work seem not to anymore.

Advertisement: