Uploaded image for project: 'phpBB3'
  1. phpBB3
  2. PHPBB3-10851

HTML files containing certain tags being rejected as possible attack vectors with "Check attachment file" set to "No"

    XMLWordPrintable

Details

    Description

      Even with "Check attachment files" set to No, html files (e.g. subsilver2/template/breadcrumbs.html) which contain the <table></table> tags will be rejected as attachments with the message "The upload was rejected because the uploaded file was identified as a possible attack vector."

      There may be other tags that will produce this, but all html files tested without those tags upload OK. EDIT - it is those tags listed in the config table in mime_triggers.

      EDIT - further discussion reveals that this is caused by the fix for this - http://tracker.phpbb.com/browse/PHPBB3-9764 such that when check_attachment_contents is set to No, $disallowed_content is overwritten with mime_triggers anyway.

      A workaround is to delete the tags not wanted as triggers from mime_triggers, purge the cache, and set Check attachment files to Yes in Attachment settings.

      Attachments

        Issue Links

          was caused by solution of

          Bug - A problem which impairs or prevents the functions of the product. PHPBB3-9764 Empty value for CONFIG_TABLE config_name= 'mime_triggers' causes functions_fileupload.php->fileupload->check_content() to be too restrictive

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Closed

          Activity

            People

              Marc Marc
              stevemaury stevemaury
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: