"Your attachment has failed security checks" ... again

Started by Wombat78, March 19, 2021, 05:03:46 AM


Wombat78

The attachment upload feature of SMF is driving me insane. I'm using SMF 2.0.17 and I'm regularly being contacted by users who are stopped in the security check and get the dreaded message: "Your attachment has failed security checks and cannot be uploaded. Please consult the forum administrator.".

From other threads I understand that exif data is identified as the culprit behind this message. However, one of my users tried to upload two images shot by the same camera two minutes apart. One fails to upload, the other uploads just fine. Uncompressed versions of the two images can be downloaded below:

This 3968 × 2232 px 2.02 MB image successfully uploads: https://img.onl/mbSBF9

This 3968 × 2232 px 2.00 MB image fails to upload: https://img.onl/nmZT43

What's wrong with the second picture?

I opened the image that doesn't upload in Photoshop 22.3.0 and saved it for web without making any changes (File > Export > Save for Web (Legacy)). Photoshop increased the file size to 3.67 MB, but now the photo uploads just fine: https://img.onl/5fX25Q

My forum has the following attachment restrictions: 15 per post, maximum total size 14000KB, maximum individual size 10000KB.

There has to be a fix for this. How difficult can it be to upload a simple picture? I'm losing forum users because of this.

Wombat78

Great, in this post both images were successfully uploaded.

GL700Wing

Quote from: Wombat78 on March 19, 2021, 05:05:11 AM
Great, in this post both images were successfully uploaded.
If you have the 'Administration Center » Attachments and Avatars » Attachment Settings » Perform extensive security checks on uploaded image attachments' option enabled you could try disabling it to see if that fixes the problem ...
Life doesn't have to be perfect to be wonderful ...

Slava
Ukraini!
"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

Wombat78

Yes, that setting is disabled. However, since the upload worked on this forum I realise that the issue is in my installation.

I went through my mods and uninstalled the mod "Automatic Attachment Rotation (and Resize) 5.9". That seems to do the trick. I also upgraded to v. 2.0.18, so hopefully it will run smooth from now.

GL700Wing

#4
Quote from: Wombat78 on March 19, 2021, 05:42:06 AM
Yes, that setting is disabled. However, since the upload worked on this forum I realise that the issue is in my installation.

I went through my mods and uninstalled the mod "Automatic Attachment Rotation (and Resize) 5.9". That seems to do the trick. I also upgraded to v. 2.0.18, so hopefully it will run smooth from now.
That's interesting because I maintain that mod and I use it on all my SMF 2.0.17 forums without any issues (and no one else has reported any 'security check' issues with it) ...

Edit:  I've just successfully uploaded your photos on three different forums I manage - two forums are using version 5.11 of the "Automatic Attachment Rotation (and Resize)" mod and one forum is using version 6.02  of the "Automatic Attachment Rotation (and Resize)" mod.

Wombat78

Interesting. I have a bunch of photos from my users that have been rejected by the security check. I'll try to upload them again to see if they work without Automatic Attachment Rotation (and Resize) 5.9.

If that works I'll try to upload them again with a new install of your mod.

GL700Wing

Quote from: Wombat78 on March 19, 2021, 06:45:41 AM
Interesting. I have a bunch of photos from my users that have been rejected by the security check. I'll try to upload them again to see if they work without Automatic Attachment Rotation (and Resize) 5.9.

If that works I'll try to upload them again with a new install of your mod.
I'd recommend that you use the latest version (you'll need version 6.02 if your forum is using PHP 7.4).

Wombat78

OK, then I'm one step closer to what's causing this. All images uploaded fine without Automatic Attachment Rotation (and Resize), but failed with Automatic Attachment Rotation (and Resize) 6.02.

However, I'm using a responsive theme called LikeIPB and this theme and your mod doesn't seem to be compatible.

GL700Wing

#8
Quote from: Wombat78 on March 19, 2021, 07:22:39 AM
OK, then I'm one step closer to what's causing this. All images uploaded fine without Automatic Attachment Rotation (and Resize), but failed with Automatic Attachment Rotation (and Resize) 6.02.

However, I'm using a responsive theme called LikeIPB and this theme and your mod doesn't seem to be compatible.
Are you ensuring the mod is installing correctly - especially in the LikeIPB theme files?

I'm using this mod without any issues on three forums with a total of seven different themes - have you confirmed that the error occurs if you switch back to the default SMF theme?



Edit: Please post a list of the mods you have installed.


PS:  My husband is a black powder shooter!

Wombat78

I tested the same images again with the default theme activated and Automatic Attachment Rotation (and Resize) 6.02 installed. It was stopped in the security check, so it might not be a LikeIPB issue. I have the following mods installed:

Anti-spam by CleanTalk    2.31
Ohara YouTube Embed    1.2.11
reCAPTCHA for SMF    2.0.0
Google Analytics Code    1.5.1

shawnb61

2.0.18 modified the security check logic - too many false positives prior, especially for large photos. 

I suggest trying 2.0.18.

Address the process rather than the outcome.  Then, the outcome becomes more likely.   - Fripp

Wombat78

Yes, I have done that (mentioned in reply #3). It doesn't seem to have any effect in this particular issue though.

shawnb61

#12
In 2.0.18, even with the extensive security checks off, it still looks for clues for inline php & flash.  You could try disabling that check.  Look ~line 282 in Subs-Graphics.php, & ensure it never returns false. 

If I had a photography site with lots of hi-resolution originals, that is what I would do.

It's all statistics.  Large photos have enough random byte strings that sooner or later something looks suspicious and gets flagged.  It can theoretically happen on an extremely unlucky tiny photo, too.

It's hard to share those photos for others to test, because many sites automatically re-encode them. 

This is the chunk I would remove:
    else
    {
        // Check for potential infection - focus on clues for inline php & flash.
        // Will result in significantly fewer false positives than the paranoid check.
        if (preg_match('~(\\<\\?php\s|(?-i)[CFZ]WS[\x01-\x0E])~i', $prev_chunk . $cur_chunk) === 1)
        {
            fclose($fp);
            return false;
        }
    }
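A diagnostic for the check discussed in the post above, added here as an example (it is not SMF's code and not from any poster): it applies the regex quoted in that post to a file in overlapping chunks and reports the offset and hex bytes of every match, so a rejected photo can be inspected before deciding whether to change the check. The 8192-byte chunk size, the function name `findSignatureHits` and the sample bytes are assumptions.

```php
<?php
// Added diagnostic, not SMF code. PATTERN is the regex quoted in the post above;
// the chunk size and all names here are assumptions made for this example.
const PATTERN = '~(\\<\\?php\s|(?-i)[CFZ]WS[\x01-\x0E])~i';

// Returns [absolute file offset => hex of matched bytes] for every match.
function findSignatureHits(string $path, int $chunkSize = 8192): array
{
    $fp = fopen($path, 'rb');
    if ($fp === false) {
        throw new RuntimeException("cannot open $path");
    }
    $hits = [];
    $prev = '';
    $prevStart = 0; // absolute offset at which $prev begins
    while (!feof($fp)) {
        $cur = fread($fp, $chunkSize);
        if ($cur === false || $cur === '') {
            break;
        }
        // Previous + current chunk, so a signature split across a boundary is seen.
        $window = $prev . $cur;
        if (preg_match_all(PATTERN, $window, $m, PREG_OFFSET_CAPTURE)) {
            foreach ($m[0] as [$bytes, $pos]) {
                // Keyed by offset: a match seen in two windows is recorded once.
                $hits[$prevStart + $pos] = bin2hex($bytes);
            }
        }
        $prevStart += strlen($prev);
        $prev = $cur;
    }
    fclose($fp);
    ksort($hits);
    return $hits;
}

// Scan the file named on the command line, or a constructed sample:
// JPEG-like markers, filler, and "CWS\x07" straddling the first chunk boundary.
$path = $argv[1] ?? null;
if ($path === null) {
    $sample = "\xFF\xD8\xFF\xE0" . str_repeat("\x00", 8186) . "CWS\x07"
            . str_repeat("\x00", 100) . "\xFF\xD9";
    $path = tempnam(sys_get_temp_dir(), 'sig');
    file_put_contents($path, $sample);
}
foreach (findSignatureHits($path) as $offset => $hex) {
    printf("offset %d: %s\n", $offset, $hex);
}
```

Run it with the PHP CLI against the original, un-re-encoded file a user tried to upload; an empty result means this pattern is not what rejected it.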
