Image upload - very strange behavior

Viewed 2,847 times
janmol
janmol 10
...........................
Jan Mølgård
PHP-Fusion, Denmark
Phone: 004528966794
Mail: janmol@wordit.dk
Mail: janm@janm.dk

Testsite version 9: http://php-fusion.dk/fusion_9_test/
  • Veteran Member, joined since
  • Contributed 752 posts on the community forums.
  • Started 256 threads in the forums
  • Started this discussions
asked
Veteran Member

I have had some problems uploading images ... album thumb and in images in general.
I have just made a fresh install on my localhost, and this is what I experience:

1. Modifying an image - changing size: Upload is rejected with an error message, that image type is not correct
2. Trying to upload exactly the same image - but without any modifications - worked OK.

I'm using Corel PaintShop Pro version X9 to modify the images.

I tried to attach the images here ... but without any luck. Images were rejected. So here are links to the images:

1. Album thumb: album_icon.jpg REJECTED - http://wordit.dk/filer/album_icon.jpg
2. Same image edited a long time ago sienna_17.gif: OK - http://wordit.dk/filer/sienna_17.gif
3. Same image - same size but another filetype sienna_17.jpg: OK - http://wordit.dk/filer/sienna_17.jpg

It looks like it's the resizing that creates the problems ... and maybe the editing date ... I don't know ...

UPDATE: Tried to use exactly the same image to create a new album on a page made with version 7 ... no problems at all!!
Edited by janmol on 28-03-2017 11:07,

14 posts

janmol

Design is still not good ...
janmol attached the following file:
album_design1.jpg [No information available / 100 Downloads]
album_design2.jpg [No information available / 106 Downloads]

janmol
Checked out the bootstrap-theme ... looks much better :D
Falk
Falk 131
Need help?, Having trouble?
• View our Documentation for Guides, Standards and Functions
• Name and Organize your Topics and Content correctly in the corresponding Forums for best support results
• Attaching Log Files and Screenshots when reporting issues will help
• Provide with an URL to live example if one exists
• Please read the How to Report an Error post
• Please read and comply with the Code of Conduct

(¯·._.·(¯°·._.·°º*[ Project Manager ]*º°·._.·°¯)·._.·¯)
  • Super Admin, joined since
  • Contributed 6,201 posts on the community forums.
  • Started 639 threads in the forums
  • Answered 11 questions
answered
Super Admin

https://github.com/PHPFusion/PHPFusion/issues/1528

The design in Nebula should be https://cloud.githubusercontent.com/assets/4078041/24337455/e2f5325c-12cf-11e7-958c-d27cd7f83167.PNG
Check thumb sizes / resize settings so they match box type

janmol

Same problem concerning upload with avatar ... avatar image size 124 Kb ... file type jpg ... 250 x 321 pixels ... rejected in upload ... error: File type not allowed.

Falk

Maybe it is the error reporting that is off. Does the Avatar setting allow those sizes? Usually it is like 150x150 max.
You will find it under Settings > User Management : Avatar size:

Falk

I need a re-connect on this one, also can you attach the file you tried here for us?

janmol

Settings - user admin:
Avatar size is set to 500 x 500 (believe that's default)
Max filesize set to 150 Kb
Avatar image attached (200x248 px file size 100 Kb) -> Error uploading here as well ... what's happening???
Here is a link to this image:
http://wordit.dk/filer/jan_m.jpg

UPDATE: copied image, saved as GIF ... that worked
janmol attached the following file:
image1.gif [No information available / 101 Downloads]

Falk

The problem with your image is that it does not pass the safety check due to a possible embedded payload (Trojan, if you will).
When I open the image you provided by URL in an editor, this can be found:
<?xpacket begin="" id="W5M0MpCehiHzreSzNTczkc9d"?>

I don't know where it comes from, but PHPFusion does not allow any payloads of any kind to be embedded in image uploads.
There is really no way around this one.

If our MIME check fails for some reason it can be disabled via the 9 Settings. But this image verify safety check is standard; payloads have nothing to do in images.
You need to make sure that images are clean. Many sites have been hacked using this method, that is why it is required.

To be extra specific: in order for our safety checks to be efficient against a wide range of possible attacks, we need to search for and reject all types of <? and eval(). Since your image contains php code, it is rejected by core, default.

Quote

I use Corel PaintShop Pro version X9 to modify the images.

See if you can turn off any ID or xml identification injections to these images.
Edited by N/A on 31-03-2017 03:04,

Falk

Chan will update the locale and add checks so it reports that the image is rejected instead of a general error.
$locale['error_secure_file'] = "The uploaded file has been rejected due to possibility of malicious payload.";


Quote

Design is still not good ...

Was patched last night: https://github.com/PHPFusion/PHPFusion/commit/587d87b21958132e48e5dc8a37165d8f3ab9e7b7

janmol

Well ... had a suspicion that this had something to do with the defender system ... but how do you detect this??

Falk

It is done from our side with includes/core_functions_include.php with function verify_image($file)
When it comes to programs, idk really; some inject for xml and other ID purposes, but it is indeed a bad thing for web security.

janmol

OK ... good so far. But how do I detect potentially damaging information in the images before I try to upload them?? Is there a scanning solution for this job? I have taken the image from a collection made with Picasa ... just tried that with another image ... edited it with Windows image editor and saved it. And it still has something like the code you found in the first example:
*** Marker: APP1 (xFFE1) ***
  OFFSET: 0x0000788C
  Length          = 12720
  Identifier      = [http://ns.adobe.com/xap/1.0/]
    XMP =
          |<?xpacket begin='&#65519;&#65467;&#65471;' id='W5M0MpCehiHzreSzNTczkc9d'?>
          |<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"><rdf:Description rdf:about="uuid:faf5bdd5-ba3d-11da-ad31-d33d75182f1b" xmlns:xmp="http://ns.adobe.com/xap/1.0/"><xmp:CreatorTool>Windows Photo Editor 10.0.10011.16384</xmp:CreatorTool></rdf:Description></rdf:RDF></x:xmpmeta>
 

(in JPEGsnoop)

Seems to be metadata saved for editing purposes. Not harmful as far as I can see.

LATER: Tried to download ExifCleaner () and clean my image. That seemed to work. BUT ... it's rather complicated, if I have to clean all JPEG-images this way before I can use them ... isn't there an easier way to do it??
Edited by janmol on 31-03-2017 11:13,

janmol

Well ... maybe another approach to this problem is simply (!!) to remove EXIF-data in JPG-images before saving them on the server.
A handful of approaches to this method can be found here:

http://stackoverflow.com/questions/36...-using-php

;)
Edited by janmol on 31-03-2017 16:02,

Falk

Added it for consideration to the 9.x Roadmap. 9 does not differ from later 7 versions in this perspective as it is now.
I did read through some of the suggestions on SO. Much of the advice is simply to deconstruct and rebuild the images with the help of GD. I can't help thinking that it will cause a whole new set of issues instead. Transparency in PNG, GIF? It has always been a GD issue, adding black backgrounds on reconstruction, resize. How does it handle TIFF, BMP? I'd reckon that it won't handle it too well. Naturally we could add exceptions for JPG files.
However, for now it is better to leave it at that (possible solutions).
If converting or even saving images to PNG / GIF works that sounds like a good "fix" to me.
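
An added illustration, not part of the thread and not PHPFusion's own verify_image(): a `<?` substring scan of the kind described above trips on the XMP packet header, and dropping the JPEG metadata segments (no GD re-encode) removes the cause. The function names and the sample bytes are constructed for this example.

```php
<?php
// Added example, not PHPFusion's verify_image(); function names are hypothetical.
// Substring scan of the kind described in the thread: "<?" or "eval(" means reject.
function naive_payload_scan(string $bytes): bool
{
    return strpos($bytes, '<?') !== false || stripos($bytes, 'eval(') !== false;
}

// Copy a JPEG without its metadata segments; pixel data is not re-encoded.
// Dropped: APP1-APP13, APP15, COM (APP2 may carry an ICC profile). Kept: APP0, APP14.
function strip_jpeg_metadata(string $jpeg): string
{
    if (strncmp($jpeg, "\xFF\xD8", 2) !== 0) {
        throw new InvalidArgumentException('not a JPEG: missing SOI');
    }
    $out = "\xFF\xD8";
    $len = strlen($jpeg);
    for ($pos = 2; $pos + 4 <= $len; $pos += 2 + $segLen) {
        $marker = ord($jpeg[$pos + 1]);
        // Before SOS only length-prefixed segments are accepted (no fill bytes, RSTn, EOI).
        if ($jpeg[$pos] !== "\xFF" || $marker < 0xC0 || $marker === 0xFF || ($marker >= 0xD0 && $marker <= 0xD9)) {
            throw new InvalidArgumentException("unexpected bytes at offset $pos");
        }
        $segLen = unpack('n', substr($jpeg, $pos + 2, 2))[1]; // length counts its own 2 bytes
        if ($segLen < 2 || $pos + 2 + $segLen > $len) {
            throw new InvalidArgumentException("truncated segment at offset $pos");
        }
        $isMeta = ($marker >= 0xE1 && $marker <= 0xED) || $marker === 0xEF || $marker === 0xFE;
        if (!$isMeta) {
            $out .= substr($jpeg, $pos, 2 + $segLen);
        }
        if ($marker === 0xDA) { // SOS: scan data and everything after it is copied as-is
            return $out . substr($jpeg, $pos + 2 + $segLen);
        }
    }
    throw new InvalidArgumentException('no SOS marker found');
}

// Constructed sample: valid segment layout only, not a decodable picture.
function jpeg_segment(int $marker, string $payload): string
{
    return "\xFF" . chr($marker) . pack('n', strlen($payload) + 2) . $payload;
}
$xmp = "http://ns.adobe.com/xap/1.0/\0" . '<?xpacket begin="" id="W5M0MpCehiHzreSzNTczkc9d"?>';
$sample = "\xFF\xD8" . jpeg_segment(0xE0, "JFIF\0\x01\x01\0\0\x01\0\x01\0\0")
    . jpeg_segment(0xE1, $xmp) . jpeg_segment(0xDA, "\x01\x01\0\0\x3F\0") . "\x12\x34\xFF\xD9";
$clean = strip_jpeg_metadata($sample);
printf("original flagged: %s\n", var_export(naive_payload_scan($sample), true));
printf("stripped flagged: %s\n", var_export(naive_payload_scan($clean), true));
```

Bytes from the SOS marker onward, including anything appended after the end-of-image marker, are copied unchanged, so the upload check still has to run on the stripped output.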