Uploaded image for project: 'phpBB'
  1. phpBB
  2. PHPBB-14431

Remote avatar uploading does not support https

XMLWordPrintable

      Hello

      If you want to upload this image as avatar https://jenkins.erwan-projects.fr/static/00f9e71c/images/headshot.png it failed:

      The file specified could not be found.

      Because in remote_upload() function, the host parameter of fsockopen is never appended with 'tls://' and port is always 80, if avatar is a https ressource; so remote upload works only if resource is also accessible by http://

      Even if there is, on web hosting, a redirect from http to https; it failes again:

      The upload was rejected because the uploaded file was identified as a possible attack vector

      because response looks like this:

      <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
      <html><head>
      <title>301 Moved Permanently</title>
      </head><body>
      <h1>Moved Permanently</h1>
      <p>The document has moved <a href="https://jenkins.erwan-projects.fr/static/00f9e71c/images/headshot.png">here</a>
      

      I suggest to detect if url is a https resource, and append the host parameter with 'tls://' (and change port) if needed.

      I think with let's encrypt, more and more websites will be accessible by HTTPS, this bug can be annoying.

            Marc Marc
            ErnadoO Erwan Nader
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Created:
              Updated:
              Resolved: