Your attachment has failed security checks and cannot be uploaded (SMF 2.0.14)

Started by Frankenstien, July 12, 2017, 10:52:54 AM


Frankenstien

Hey all ... I'm new at this forum and am not a forum mod or admin ... however, because I hate doing things twice unnecessarily, I thought I'd search the Subject topic here and see what I could learn ... unfortunately, the latest thread to deal with this topic tends to employ forum s/w terminology and concepts I am unfamiliar with.

I am a member at 'forum.w116.org' and lost an elaborate technical post (and attachments - due to the attachments) on Monday, 10JUL17, because SMF 2.0.14 does not employ any sort of Auto-Save functionality ... a feature I have come to expect from most of the forums I participate in ... quite often I will take the precaution of capturing and saving a long post in a text editor (in case of being logged out, etc.), this time I did not ...

From what I read, the causes of the Subject error (in my particular case) are likely not worth me pursuing.

However, perhaps someone here can comment on why SMF has no Auto-Save functionality, and, would there be any way of recovering the textual content of my lost post in my Firefox 54.0.1 (64-bit) browser's cache?  I still have the error tab live but pushing the Back button returned me to a blank Reply template ... any help along these lines would be appreciated.

Thanks, FFF


Sir Osis of Liver

Unfortunately, there's no way to recover the post text.  There are several reasons why an attachment may be rejected, most likely cause is described in the topic you linked.  There is an admin option in attachment settings to 'Perform extensive security checks on uploaded image attachments' which is disabled by default.  If enabled, it can cause attachments to be blocked -

Selecting this option will enable very strict security checks on image attachments. Warning! These extensive checks can fail on valid images too. It is strongly recommended to only use this option together with image re-encoding, in order to have SMF try to resample the images which fail the security checks: if successful, they will be sanitized and uploaded. Otherwise, if image re-encoding is not enabled, all attachments failing checks will be rejected.
Ashes and diamonds, foe and friend,
 we were all equal in the end.

                                     - R. Waters

Arantor

Because when 2.0.0 finally came out in 2011, it wasn't actually a common feature across forum platforms, and versions 2.0.1 through 2.0.14 don't add new features, only bug fixes. The new version, 2.1, does have auto save, though 2.1 isn't finished yet - and there are multiple add-ons for 2.0 that provide it in the meantime.

I doubt there is any way to recover it from your cache at this point; if you had literally hit the back button at the time, it might have been possible to recover though Firefox has historically been pretty poor about that too.

Frankenstien

Thank you for the Replies ... I understand ... I'll upload the error screenshot anyways (in case it offers a clue as to whether the admin option in attachment settings to 'Perform extensive security checks on uploaded image attachments' has been enabled [contrary to the default setting] at hxxp:forum.w116.org [nonactive]) ... although ... otherwise ... you folks seem to have this issue all dialed in.

Regards, FFF

Frankenstien

Arantor ... I was going to add to my last that re: the loss of the textual content of my posting attempt, I did immediately click on the embedded 'Back' link in the error dialog page ... perhaps I should have tried using the Ff browser's 'Go backwards one page ... ' arrow instead?

FFF

Arantor

Yup, if you had used the browser back button, it might have been salvageable, but historically Firefox has generally taken the view that 'privacy' is more important than convenience about form submission data... there's no guarantees whatsoever where FF is concerned.

Frankenstien

Thanks Arantor ... I've pointed the hxxp:forum.w116.org [nonactive] Admins to this thread ... we'll see if, and then what they have to say about the forum Admin attachments option setting they are currently using.

FFF

landyvlad

This seems to be the most recent thread on the topic..

has there been any advance on this issue?

My members have been experiencing an increased number of these "failed security checks" errors recently.
"Put as much effort into your question as you'd expect someone to give in an answer"

Please do not PM, IM or Email me with questions on astrophysics or theology.  You will get better and faster responses by asking homeless people in the street. Thank you.

Be the person your dog thinks you are.

Frankenstien

No ... I gave up on all concerned / involved at hxxp:forum.w116.org [nonactive] long ago.  There was no follow-through by the administrators there on this issue that I raised.

FYI - my content thread there: hxxp:forum.w116.org/mechanicals/73-280sel-(116-025)-clutch-master-cylinder-r-r-unique-hose-fitting-top-front/new/?topicseen#new [nonactive]

landyvlad ... you may have more success with the folks here at simplemachines.org in t/s your current issues ...

shawnb61

I'm a photographer, & this drove me nuts...

This was addressed in 2.1.   If you're brave, you could apply the same fix in 2.0.

Issue:
https://github.com/SimpleMachines/SMF2.1/issues/3928

PR:
https://github.com/SimpleMachines/SMF2.1/pull/3961

I don't think there are plans to port this back to 2.0.x.

I believe the reason you are seeing more of them is simply that photos are getting bigger, and the odds of matching the suspect text in random-ish pixel data are increasing.
Address the process rather than the outcome.  Then, the outcome becomes more likely.   - Fripp
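
The size effect described in the post above can be put in numbers. This is an added example, not part of the thread and not SMF code: the token list is hypothetical (the thread does not say which strings the checks look for), and compressed pixel data is treated as uniformly random bytes.

```python
import math
import random
import re

# Hypothetical token list for illustration; the thread does not say which
# strings SMF's checks look for.
TOKENS = [b"<?", b"eval", b"script"]

def per_offset_probability(token):
    """Chance that uniformly random bytes spell `token` at one given offset,
    matching letters case-insensitively (two byte values per letter)."""
    p = 1.0
    for byte in token:
        p *= (2 if bytes([byte]).isalpha() else 1) / 256
    return p

def false_positive_probability(size_bytes, tokens=TOKENS):
    """Poisson estimate of P(at least one token appears) in random data."""
    expected_hits = sum(
        max(size_bytes - len(t) + 1, 0) * per_offset_probability(t) for t in tokens
    )
    return -math.expm1(-expected_hits)

def scan(data, tokens=TOKENS):
    """Naive content check: True if any token occurs anywhere in the bytes."""
    pattern = re.compile(b"|".join(re.escape(t) for t in tokens), re.IGNORECASE)
    return pattern.search(data) is not None

def measured_rate(size_bytes, trials, tokens=TOKENS, seed=1):
    """Fraction of constructed random 'images' that the naive scan rejects."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        blob = rng.getrandbits(8 * size_bytes).to_bytes(size_bytes, "little")
        hits += scan(blob, tokens)
    return hits / trials

if __name__ == "__main__":
    for kib in (50, 200, 1024, 4096):
        size = kib * 1024
        print(f"{kib:>5} KiB  predicted rejection {false_positive_probability(size):.3f}")
    print("measured at 64 KiB:", measured_rate(64 * 1024, 200))
```

Short tokens dominate the result: a two-byte token is expected about once per 64 KiB of random data, while a four-letter token needs hundreds of megabytes before a chance match becomes likely.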

kfoster17

Quote from: shawnb61 on April 03, 2018, 06:29:44 AM
I believe the reason you are seeing more of them is simply that photos are getting bigger, and the odds of matching the suspect text in random-ish pixel data are increasing.

The users on my forum have always been required to resize pics - so they know better than to try big pics. So that's not the problem in my case at least.

Quote from: landyvlad on April 03, 2018, 01:49:43 AM
This seems to be the most recent thread on the topic..

has there been any advance on this issue?

My members have been experiencing an increased number of these "failed security checks" errors recently.

Same here. Starting about 2 weeks ago. I'm now getting several PMs a day with people unable to post pics. No changes to forum at all. Using 2.0.15.

Wonder if there was an update to iphones/androids camera app recently? It's affecting users that have both types of phones.

And also using various types of photo editing software to resize pics. I haven't been able to find a common scenario - it's all types of phones and software being used.


shawnb61

Have you tried the fix ID'd above?

Just take one of the pics that fails & do a simple A/B test.  If you need test pics, I have plenty.  The fix above works.

kfoster17

Quote from: shawnb61 on May 08, 2018, 12:58:00 AM
Have you tried the fix ID'd above?

Just take one of the pics that fails & do a simple A/B test.  If you need test pics, I have plenty.  The fix above works.

No - the text 'If you're brave, you could apply the same fix in 2.0.' kept me from trying it.

I do have 'perform extensive security checks' turned on and might try turning it off. I guess the 'Re-encode potentially dangerous image attachments' would be good enough.

LOL - Not sure though - this is pretty complicated and haven't decided if I want a secure forum with users complaining about not being able to post pics or a less secure forum and posting pics easy. Hard decision since I don't know much about malicious pics. I've read numerous links above and am just as confused as when I started researching this.

shawnb61

A good start would be to turn off the extensive security checks.  You should see a dramatic improvement.

But you will still get plenty of false positives until applying the edit outlined in the PR - in addition to disabling the extensive checks.

Those security edits are quite old and outdated, and don't really apply anymore.  You should only use them if you have serious doubts about your host's security config.

Hope this helps,


landyvlad

Quote from: shawnb61 on May 08, 2018, 01:31:09 AM
But you will still get plenty of false positives until applying the edit outlined in the PR - in addition to disabling the extensive checks.

I had a look at that link and can't see what to actually do ! :)

(as in what to delete/change/replace etc)

Little help?

Aleksi "Lex" Kilpinen

Quote from: kfoster17 on May 08, 2018, 01:21:38 AM
I do have 'perform extensive security checks' turned on and might try turning it off. I guess the 'Re-encode potentially dangerous image attachments' would be good enough.

The extensive security checks are known to cause false positives.
Slava Ukraini!


"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas
