Problems posting images on SMF 2.06

Started by pirc-bw, January 24, 2014, 06:16:32 PM


trlacey

I really didn't *miss* anything A*rantor.  I'm sure it took the Chinese military 43 years to come up with a way around your ingenious solution by simply "adding a space".  I posted to help the original poster and the smf software developers.  That really is what this Forum is for, is it not?  All ****** slapping aside.

Arantor

Except you haven't helped anyone. You've neutered a security measure by rendering it useless.

(Hint: I used to be on the SMF development team. Maybe I have inside knowledge of why these things were chosen in the first place.)

trlacey

Well correct me if I'm wrong, but you can't preclude 4 letter words like html, eval and body in every 100k binary file that gets uploaded.  They will randomly turn up.  Especially if Photoshop, one of the most prolific software platforms, along with the exif standard, uses them in their meta data.  You're going to run into problems.  It's a no-brainer, really.  Probably needs a bit more due diligence by the smf software developers.  Just sayin'.

Arantor

Which is why it doesn't. It only performs those tests on images, which generally should not include those, and if found it can still reencode the image (i.e. stripping said potentially harmful content out). The only reason this is even actually necessary is because certain browsers have been known to sniff the file's content to try to determine what it is and have been known to find webpage content buried inside images and then try to execute such content.

As for cellTextIsHtml, the only real variation on the original code, that's a proprietary extension peculiar to Photoshop and not covered in any of the variations of the JPEG standards (not even EXIF covers that one). Which is why, to accommodate them, the previous version suggested by another former SMF developer (and, I'll note, is in 2.1) specifically excludes the use by Photoshop while still detecting illegitimate use, since < followed by a null character followed by html will still be treated as an HTML tag by most of the browsers (which is why the angle bracket is not included in the regex).

If you're going to argue, please be sure to have your facts straight first.
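
An added illustration of the check described in the post above (not SMF's code and not written by anyone in this thread): a Python scan of upload bytes for the tokens named here, with the `cellTextIsHtml` exemption and no dependence on `<`. The pattern, function names, chunk size and sample bytes are constructed assumptions.

```python
import io
import re

# Tokens named in the thread (html, eval, body); illustrative, not SMF's pattern.
# The lookbehind exempts Photoshop's "cellTextIsHtml" key. No "<" is required,
# so "<", a null byte, then "html" is still caught.
SUSPICIOUS = re.compile(rb"(?<!cellTextIs)html|eval|body", re.IGNORECASE)
# For comparison: a pattern that insists on "<" directly before the tag name.
NAIVE = re.compile(rb"<(?:html|body)", re.IGNORECASE)
TAIL = 16  # > longest token (4) + lookbehind (10): context is never cut off


def scan_stream(stream, pattern=SUSPICIOUS, chunk_size=4096):
    """Return [(offset, token)] for each hit, reading the stream in chunks."""
    hits, tail, base = [], b"", 0  # base: file offset of window[0]
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            return hits
        window = tail + chunk
        for m in pattern.finditer(window):
            # Hits lying wholly inside the tail were reported last pass.
            if m.end() > len(tail):
                hits.append((base + m.start(), m.group().decode("latin-1")))
        keep = min(TAIL, len(window))
        base += len(window) - keep
        tail = window[-keep:]


def verdict(data):
    """'accept' when clean, else 're-encode' so the embedded text is stripped."""
    return "re-encode" if scan_stream(io.BytesIO(data)) else "accept"


# Constructed samples (not real image files): JPEG-like header plus filler.
HEADER = b"\xff\xd8\xff\xe1" + b"\x00" * 20                      # 24 bytes
PHOTOSHOP = HEADER + b"cellTextIsHtml\x00\x01" + b"\x9c" * 5000
# "<", NUL, "html" placed so that "html" straddles the 4096-byte chunk edge.
NULL_SPLIT = HEADER + b"\x7f" * 4069 + b"<\x00html>" + b"\x9c" * 100
RANDOM_HIT = HEADER + b"\x13\x88eVal\x02" + b"\x9c" * 100

if __name__ == "__main__":
    for name in ("PHOTOSHOP", "NULL_SPLIT", "RANDOM_HIT"):
        data = globals()[name]
        print(name, verdict(data), scan_stream(io.BytesIO(data)))
        print("  naive:", scan_stream(io.BytesIO(data), NAIVE))
```

A hit leads to re-encoding rather than outright rejection, so an image whose binary data happens to contain one of the tokens can still be posted once the embedded text is gone.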

trlacey

eVal showed up *twice* in the first random image I uploaded.  It had nothing to do with a virus.

Arantor

Interesting, because in the hundreds and hundreds of images I've uploaded to my sites, I've never encountered it even once.

Also, yes, I'm well aware that images are binary. But even binary files can contain text data (technically, text files are binary too!), my point, which you're too busy trolling to have taken on board, is that non-image files are not subjected to the same tests because they're served a different way where the browser will not be executing the code without the user's express consent (unlike an image request).

trlacey

I can send you the image.  I don't make this stuff up.

Arantor

*shrug* Not my problem these days. I'm just saying that your 'I fixed it' suggestion has flaws and I explained to you the basis on which I made that determination and why it leaves it open to abuse.

If you're happy with the fix you have, fine. Just be aware that it isn't as secure as you seem to think it is, and those who call on others to have due diligence should probably have some themselves.

trlacey

I generally write my own security measures.  I don't rely on IIS, smf, or php.  It's why I wrote my own server.

Arantor

Because you never make mistakes, I assume.

If you don't trust SMF, why not write your own that's all super secure? If your own stuff is so great, why not share it and let everyone benefit?

trlacey

I'm not sure what this all has to do with "me."  We're talking about the smf code.

Arantor

We're talking about it because you suggested a 'fix' and called out the SMF team on not doing due diligence, followed by my pointing out the problems with your fix. Thing is, you go on about how awesome you are and how you don't trust anything, why not take that to the next level and roll your own forum as well as your own web server?

We're all humbled by your skills, even when you're wrong and can't accept it.

margarett

This is getting really close to a lock, now... The support issue ended a good while ago, we all understand both points of view, let's just drop it, shall we?
If you're going to drive, don't drink. If you're going to drink... CALL ME!!!! :D

Quote: Over 90% of all computer problems can be traced back to the interface between the keyboard and the chair

mashby

I have honored the respect that Arantor deserves and locked this topic.
Always be a little kinder than necessary.
- James M. Barrie
