1.1.19 avatar bug?

Started by Maceman, October 30, 2013, 03:05:22 PM

Maceman

Sources/Profile.php Operation #2 breaks uploading avatars:
http://custom.simplemachines.org/upgrades/index.php?action=upgrade;file=smf_patch_1.1.19_2.0.6.tar.gz;smf_version=1.1.18#sources_profile-php_2

Error: "Your attachment couldn't be saved. This might happen because it took too long to upload or the file is bigger than the server will allow."

Keeping the 1.1.18 code (from 1.1.11) allows avatars to be uploaded.

mashby

Finally, the quote in Mantis makes sense. That's not a bug, that's a feature. Operation #2 prevents images that contain code that shouldn't be there from being uploaded.
Always be a little kinder than necessary.
- James M. Barrie

Maceman

It's a feature to not allow people to upload avatars? I have tested with a few different images, and I can't get anything to upload. This error was reported from a user of mine, so others cannot get it to work as well.

Kindred

Quote from: monster mashby on October 30, 2013, 03:13:00 PM
prevents images that contain code that shouldn't be there

in other words, the images that your users are trying to upload are either infected or appear to be infected because whoever made the image used something that put crap in the image header.
Glory to Ukraine

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

Maceman

Quote from: Kindred on October 30, 2013, 03:19:35 PM
Quote from: monster mashby on October 30, 2013, 03:13:00 PM
prevents images that contain code that shouldn't be there

in other words, the images that your users are trying to upload are either infected or appear to be infected because whoever made the image used something that put crap in the image header.

I tested with 3 images:
The image the user provided to me - FAILED
The avatar that I was using for my profile before - FAILED
An image that I 'Saved for Web' in Photoshop - FAILED

If you can't upload images that are created with Photoshop, then isn't this avatar system almost useless?

Kindred

no... it means that your copy of photoshop is adding crap to the file header, which the system detects as a possible infection vector.

Maceman

Quote from: Kindred on October 30, 2013, 03:26:52 PM
no... it means that your copy of photoshop is adding crap to the file header, which the system detects as a possible infection vector.

Then what program can people use that doesn't add a bad header? Photoshop has got to be one of the most common image editors, and if SMF avatars don't support that program, then there are going to be many people who can't upload avatars.

Sir Osis of Liver


I had a similar problem with a bmp avatar.  It had been used by a member for several years in 1.1.11-1.1.18, but would not display or upload in 1.1.19.  Converted it to jpg, and works fine.

When in Emor, do as the Snamors.
                              - D. Lister

Oldiesmann

Quote from: Maceman on October 30, 2013, 03:29:38 PM
Quote from: Kindred on October 30, 2013, 03:26:52 PM
no... it means that your copy of photoshop is adding crap to the file header, which the system detects as a possible infection vector.

Then what program can people use that doesn't add a bad header? Photoshop has got to be one of the most common image editors, and if SMF avatars don't support that program, then there are going to be many people who can't upload avatars.

Try one of the many Photoshop alternatives, such as The Gimp or Paint.NET (not the same as your standard Windows "Paint" program).

Which would you prefer - being able to upload all images even with crap in the headers, or having a more secure forum?
Michael Eshom
Christian Metal Fans

margarett

Also, note that 2.0 has done this verification for a long time. This was added to the 1.1 branch in this latest release.
If you're going to drive, don't drink. If you're going to drink... CALL ME!!!! :D

Quote: Over 90% of all computer problems can be traced back to the interface between the keyboard and the chair

Maceman

There must be a way to differentiate good Photoshop headers from malicious headers. In the meantime, I would rather keep the unsecure code on my site, as I consider Photoshop support a must.

Arantor

Can you upload it here as an attachment please?
Holder of controversial views, all of which my own.


Maceman

Quote from: Arantor on October 31, 2013, 09:51:07 PM
Can you upload it here as an attachment please?

Attached is the user's avatar that he couldn't use.

Arantor

Well, then something else is weird because that works for me on both a stock 1.1.19 and 2.0.6 forum... (and I'm the one who wrote the patch)
Oldiesmann

That photo wasn't made by Photoshop though. If you open it in a text editor you see this:

CREATOR: gd-jpeg v1.0 (using IJG JPEG v62), default quality

Maceman

I think the forum here is changing it. I see Photoshop data, with some xml (which is probably causing the issues).

You can get the unaltered image here:
http://www.sendspace.com/file/c9a25d

Arantor

Um, where am I supposed to click on that site?
Maceman

Quote from: Arantor on November 01, 2013, 12:37:02 PM
Um, where am I supposed to click on that site?

"Click here to start download from sendspace"

Arantor

Considering there's all the other download buttons on there, it's hardly surprising.

I see what has happened, it was still flagged as suspicious by 2.0's attachment code but 2.0's attachment code resanitised the file so future downloads were safe. (Notice the way the one on this site is 11KB, vs the download from the other site being 43KB)

The change in 1.1.19 was taken directly from 2.0's code, 2.0 does block that attachment, exactly as it should.
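The thread turns on two separate steps that the posts above describe only in words: a content check that looks for script-like markers inside an uploaded image, and a sanitising step that rewrites the file so that later downloads are safe (Arantor notes the re-saved copy on this site is 11KB versus the 43KB original, and Oldiesmann sees a gd-jpeg CREATOR comment in it, i.e. 2.0 re-encodes the image). The following Python script is an added example, not code from this thread or from SMF, that shows why a Photoshop file with an XMP packet can be caught by a broad pattern while a narrower pattern lets it through, and how dropping the JPEG metadata segments removes the XML (and any embedded PHP tag) before the file is served. Everything in it is an assumption for illustration: the `BROAD` and `NARROW` patterns are hypothetical and are not SMF's rule set, the sanitiser strips APP1..APP15 and COM segments instead of re-encoding through GD as SMF 2.0 does, and the two "images" are constructed byte strings with dummy structural segments, so a viewer could not render them.

```python
import re
import struct

# Two illustrative detection patterns (hypothetical; not SMF's own rule set).
# BROAD treats any processing instruction as code, so XMP's "<?xpacket" trips it.
BROAD = re.compile(rb'<\?|<script|<iframe|<%', re.IGNORECASE)
# NARROW only matches openers a server-side interpreter would act on.
NARROW = re.compile(rb'<\?php|<\?=|<script|<iframe|<%', re.IGNORECASE)

SOI, EOI = b'\xff\xd8', b'\xff\xd9'
SOS, COM, APP0, APP1 = 0xDA, 0xFE, 0xE0, 0xE1


def segment(marker, payload):
    """Build one JPEG marker segment: FF, marker, 2-byte length (which counts itself), payload."""
    return b'\xff' + bytes([marker]) + struct.pack('>H', len(payload) + 2) + payload


def parse(data):
    """Split a JPEG into its header segments and the entropy-coded tail that follows SOS."""
    if data[:2] != SOI:
        raise ValueError('not a JPEG (missing SOI)')
    pos, segs = 2, []
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError('marker expected at offset %d' % pos)
        marker = data[pos + 1]
        length = struct.unpack('>H', data[pos + 2:pos + 4])[0]
        segs.append((marker, data[pos + 4:pos + 2 + length]))
        pos += 2 + length
        if marker == SOS:  # everything after SOS is scan data up to EOI; not parsed
            return segs, data[pos:]
    raise ValueError('no SOS segment found')


def find_code(data, pattern):
    """Return the first marker the pattern matches (lower-cased str), or None if clean."""
    m = pattern.search(data)
    return m.group(0).decode('ascii', 'replace').lower() if m else None


def strip_metadata(data):
    """Drop APP1..APP15 and COM segments (where XMP, EXIF, ICC and free text live),
    keeping APP0/JFIF and the structural segments (DQT, SOF, DHT, SOS) a decoder needs.
    Trade-off: an ICC profile in APP2 is lost too; re-encoding through GD, as SMF 2.0
    does, loses it as well but also re-derives the pixel data."""
    segs, scan = parse(data)
    kept = [(m, p) for m, p in segs if not (APP1 <= m <= 0xEF or m == COM)]
    return SOI + b''.join(segment(m, p) for m, p in kept) + scan


# Constructed sample "images": only the segment layout matters for this demonstration.
JFIF = segment(APP0, b'JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00')
STRUCT = segment(0xDB, b'\x00' + b'\x01' * 64) + segment(0xC0, b'\x08\x00\x01\x00\x01\x01\x01\x11\x00')
TAIL = segment(SOS, b'\x01\x01\x00\x00\x3f\x00') + b'\xd2\xcf\x20' + EOI

# A Photoshop-style XMP packet: legitimate XML metadata that begins with "<?xpacket".
XMP = (b'http://ns.adobe.com/xap/1.0/\x00'
       b'<?xpacket begin="" ?>'
       b'<x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core"></x:xmpmeta>'
       b'<?xpacket end="w"?>')

photoshop_like = SOI + JFIF + segment(APP1, XMP) + STRUCT + TAIL
# A file with a PHP opener hidden in a comment segment (constructed; harmless text).
tampered = SOI + JFIF + STRUCT + segment(COM, b'<?php echo "x"; ?>') + TAIL

if __name__ == '__main__':
    for name, img in (('photoshop_like', photoshop_like), ('tampered', tampered)):
        print(name, 'broad:', find_code(img, BROAD), 'narrow:', find_code(img, NARROW),
              'after strip (broad):', find_code(strip_metadata(img), BROAD),
              'size %d -> %d' % (len(img), len(strip_metadata(img))))
```

Run as a script, it shows the shape of the disagreement in this thread: the XMP file fails the broad check and passes the narrow one, the tampered file fails both, and after `strip_metadata` both pass even the broad check and the XMP file shrinks, which is the same effect Arantor describes for the copy re-saved by 2.0's attachment code. The narrower pattern is not a fix on its own, since a rejected-on-sight rule and a rewrite-before-serving rule protect against different things; the rewrite is what makes a stored file safe regardless of what the pattern missed.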
Maceman

I understand why it is blocking it, but I consider it a bug for it to block a non-malicious image. Your system should be able to differentiate between legitimate Photoshop images, and images with malicious code. This at least should be considered for a future patch.