Uploaded image for project: 'phpBB3'
  1. phpBB3
  2. PHPBB3-14431

Remote avatar uploading does not support https

    XMLWordPrintable

    Details

      Description

      Hello

      If you want to upload this image as avatar https://jenkins.erwan-projects.fr/static/00f9e71c/images/headshot.png it failed:

      The file specified could not be found.

      Because in remote_upload() function, the host parameter of fsockopen is never appended with 'tls://' and port is always 80, if avatar is a https ressource; so remote upload works only if resource is also accessible by http://

      Even if there is, on web hosting, a redirect from http to https; it failes again:

      The upload was rejected because the uploaded file was identified as a possible attack vector

      because response looks like this:

      <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
      <html><head>
      <title>301 Moved Permanently</title>
      </head><body>
      <h1>Moved Permanently</h1>
      <p>The document has moved <a href="https://jenkins.erwan-projects.fr/static/00f9e71c/images/headshot.png">here</a>
      

      I suggest to detect if url is a https resource, and append the host parameter with 'tls://' (and change port) if needed.

      I think with let's encrypt, more and more websites will be accessible by HTTPS, this bug can be annoying.

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                Marc Marc
                Reporter:
                ErnadoO Erwan Nader
              • Votes:
                0 Vote for this issue
                Watchers:
                2 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: