New Feature
Resolution: Fixed
Minor
3.2.9, 3.3.0
Plupload 2.3.6
Per this Ideas forum topic: https://www.phpbb.com/community/viewtopic.php?f=436&t=2528276
JPEG (and TIFF) images may contain Exif metadata that presents privacy or security concerns for board administrators, users and third parties. For example, image metadata can include a record of the author's name, device or the GPS coordinates of where a photograph was taken.
By default, phpBB does not touch image metadata and it is preserved in full. Many users and board administrators are unaware of this information being preserved for images uploaded as attachments and available for any viewer of the image to inspect and potentially use for nefarious purposes.
phpBB uses the Plupload module to handle uploading of image attachments, but only when the maximum image dimensions are set to a value other than 0px x 0px. Plupload has an option to strip Exif metadata from uploaded JPEG images (preserve_headers: false).
I propose a new ACP configuration option to allow board administrators to specify whether the preserve_headers flag is used for Plupload and thereby control whether JPEG images retain Exif metadata. This option would only be effective when the maximum image dimensions for attachments are set to a value other than 0px x 0px (and thus Plupload is used). Otherwise, there is no way for phpBB to handle Exif natively.
This might also work to strip metadata from TIFF, but phpBB currently has issues handling TIFF images (reported elsewhere). Other image formats (e.g. PNG, GIF) should not be affected as they do not typically carry sensitive metadata.
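
A way to verify that a stored attachment really had its Exif block removed, as an added example that is not part of the original ticket or of phpBB's or Plupload's code: it walks the JPEG header segments and reports or removes APP1 segments carrying the `Exif\0\0` identifier. The function names and the sample bytes are constructed for illustration.

```javascript
// Added example: walk JPEG header segments; report or remove Exif APP1 blocks.
const EXIF_ID = [0x45, 0x78, 0x69, 0x66, 0x00, 0x00]; // "Exif\0\0"

function* jpegSegments(bytes) {
  if (bytes.length < 4 || bytes[0] !== 0xff || bytes[1] !== 0xd8) {
    throw new Error('not a JPEG: missing SOI marker');
  }
  let pos = 2;
  while (pos + 4 <= bytes.length) {
    if (bytes[pos] !== 0xff) throw new Error(`bad marker at offset ${pos}`);
    const marker = bytes[pos + 1];
    if (marker === 0xff) { pos += 1; continue; }     // fill byte before a marker
    if (marker === 0xda || marker === 0xd9) return;   // SOS/EOI: header area ends
    const length = (bytes[pos + 2] << 8) | bytes[pos + 3]; // counts its own 2 bytes
    if (length < 2 || pos + 2 + length > bytes.length) {
      throw new Error(`truncated segment at offset ${pos}`);
    }
    yield { marker, start: pos, end: pos + 2 + length };
    pos += 2 + length;
  }
}

// APP1 (0xE1) is shared with XMP, so the identifier after the length is checked too.
function isExif(bytes, seg) {
  return seg.marker === 0xe1 &&
    EXIF_ID.every((b, i) => bytes[seg.start + 4 + i] === b);
}

const hasExif = (bytes) => [...jpegSegments(bytes)].some((s) => isExif(bytes, s));

function stripExif(bytes) {
  const drop = [...jpegSegments(bytes)].filter((s) => isExif(bytes, s));
  const out = new Uint8Array(bytes.length - drop.reduce((n, s) => n + s.end - s.start, 0));
  let src = 0, dst = 0;
  for (const s of drop) {
    out.set(bytes.subarray(src, s.start), dst);       // copy everything before the segment
    dst += s.start - src;
    src = s.end;                                      // skip the Exif segment itself
  }
  out.set(bytes.subarray(src), dst);
  return out;
}

// Constructed sample: SOI, APP0 (JFIF), APP1 (Exif + 2 dummy bytes), SOS, EOI.
const SAMPLE = Uint8Array.from([
  0xff, 0xd8, 0xff, 0xe0, 0x00, 0x07, 0x4a, 0x46, 0x49, 0x46, 0x00,
  0xff, 0xe1, 0x00, 0x0a, 0x45, 0x78, 0x69, 0x66, 0x00, 0x00, 0x4d, 0x4d,
  0xff, 0xda, 0x00, 0x02, 0xff, 0xd9,
]);
```

This checks only Exif APP1 segments; other metadata carriers such as XMP (also APP1, different identifier) and IPTC (APP13) are left in place.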