Uploaded image for project: 'phpBB3'
  1. phpBB3
  2. PHPBB3-10851

HTML files containing certain tags being rejected as possible attack vectors with "Check attachment file" set to "No"

    Details

      Description

      Even with "Check attachment files" set to No, html files (e.g. subsilver2/template/breadcrumbs.html) which contain the <table></table> tags will be rejected as attachments with the message "The upload was rejected because the uploaded file was identified as a possible attack vector."

      There may be other tags that will produce this, but all html files tested without those tags upload OK. EDIT - it is those tags listed in the config table in mime_triggers.

      EDIT - further discussion reveals that this is caused by the fix for this - http://tracker.phpbb.com/browse/PHPBB3-9764 such that when check_attachment_contents is set to No, $disallowed_content is overwritten with mime_triggers anyway.

      A workaround is to delete the tags not wanted as triggers from mime_triggers, purge the cache, and set Check attachment files to Yes in Attachment settings.

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                Marc Marc
                Reporter:
                stevemaury stevemaury
              • Votes:
                0 Vote for this issue
                Watchers:
                1 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: