Uploaded image for project: 'phpBB3'
  1. phpBB3
  2. PHPBB3-10851

HTML files containing certain tags being rejected as possible attack vectors with "Check attachment file" set to "No"

    Details

    • Type: Bug
    • Status: Unverified Fix
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.0.10
    • Fix Version/s: 3.0.13-RC1, 3.1.0-b3
    • Component/s: Posting
    • Labels:
      None

      Description

      Even with "Check attachment files" set to No, html files (e.g. subsilver2/template/breadcrumbs.html) which contain the <table></table> tags will be rejected as attachments with the message "The upload was rejected because the uploaded file was identified as a possible attack vector."

      There may be other tags that will produce this, but all html files tested without those tags upload OK. EDIT - it is those tags listed in the config table in mime_triggers.

      EDIT - further discussion reveals that this is caused by the fix for this - http://tracker.phpbb.com/browse/PHPBB3-9764 such that when check_attachment_contents is set to No, $disallowed_content is overwritten with mime_triggers anyway.

      A workaround is to delete the tags not wanted as triggers from mime_triggers, purge the cache, and set Check attachment files to Yes in Attachment settings.

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                Marc Marc
                Reporter:
                stevemaury stevemaury
              • Votes:
                0 Vote for this issue
                Watchers:
                1 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: