phpBB3 / PHPBB3-10851

HTML files containing certain tags being rejected as possible attack vectors with "Check attachment file" set to "No"

    Details

    • Type: Bug
    • Status: Unverified Fix
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.0.10
    • Fix Version/s: 3.0.13-RC1, 3.1.0-b3
    • Component/s: Posting
    • Labels:
      None

      Description

      Even with "Check attachment files" set to No, HTML files (e.g. subsilver2/template/breadcrumbs.html) which contain the <table></table> tags will be rejected as attachments with the message "The upload was rejected because the uploaded file was identified as a possible attack vector."

      There may be other tags that will produce this, but all HTML files tested without those tags upload OK. EDIT - it is those tags listed in the config table in mime_triggers.

      EDIT - further discussion reveals that this is caused by the fix for this - http://tracker.phpbb.com/browse/PHPBB3-9764 such that when check_attachment_contents is set to No, $disallowed_content is overwritten with mime_triggers anyway.

      A workaround is to delete the tags not wanted as triggers from mime_triggers, purge the cache, and set Check attachment files to Yes in Attachment settings.
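
      The override described in the report, as an added example that is not part of the original report and is not phpBB source code. It is a simplified model: the function names, the '|' separator, the short trigger list, the 256-byte window and the sample upload are assumptions made for illustration.

```php
<?php
// Simplified model of the reported behaviour; not phpBB source code.
// Constructed settings; the '|' separator and this short tag list are assumptions.
$config = array(
    'check_attachment_contents' => 0,            // "Check attachment files" = No
    'mime_triggers'             => 'html|script|table',
);

// Hypothetical helper: split the configured trigger list into tag names.
function triggers(array $config): array
{
    return array_filter(explode('|', $config['mime_triggers']), 'strlen');
}

// Behaviour as reported: the list is refilled from mime_triggers even when the check is off.
function disallowed_reported(array $config): array
{
    $disallowed_content = $config['check_attachment_contents'] ? triggers($config) : array();
    if (isset($config['mime_triggers'])) {
        $disallowed_content = triggers($config); // overwrites the empty list
    }
    return $disallowed_content;
}

// Behaviour the setting promises: no triggers at all when the check is off.
function disallowed_expected(array $config): array
{
    return empty($config['check_attachment_contents']) ? array() : triggers($config);
}

// Return the first trigger tag found near the start of the file, or null.
function first_trigger(string $data, array $disallowed_content): ?string
{
    $head = substr($data, 0, 256); // assumption: only the leading bytes are sniffed
    foreach ($disallowed_content as $tag) {
        if (stripos($head, '<' . $tag) !== false) {
            return $tag;
        }
    }
    return null;
}

// Constructed upload resembling a template file that contains <table>.
$upload = "<div class=\"breadcrumbs\">\n<table><tr><td>Board index</td></tr></table>\n</div>";

foreach (array('reported' => 'disallowed_reported', 'expected' => 'disallowed_expected') as $label => $fn) {
    $hit = first_trigger($upload, $fn($config));
    printf("%-8s: %s\n", $label, $hit === null ? 'accepted' : "rejected (matched <$hit>)");
}
```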

          Activity

          BioLogIn BioLogIn added a comment -

          I think I have some kind of patch for this suggested here: https://www.phpbb.com/community/viewtopic.php?f=46&t=2225156#p13542091

          nickvergessen Joas Schilling added a comment -

          Marc, is this fixed with the new mimetype stuff?


            People

            • Assignee:
              Marc Marc
              Reporter:
              stevemaury stevemaury