Oh no! Where's the JavaScript?
Your Web browser does not have JavaScript enabled or does not support JavaScript. Please enable JavaScript on your Web browser to properly view this Web site, or upgrade to a Web browser that does support JavaScript.
Sign In
Not a member yet? Click here to register.
Forgot Password?
Navigation
  1. Home
  2. Discussion Forum
  3. PHPFusion 9 Support
  4. Suspected Bugs and Errors - 9
  5. Attachment type not allowed ...

Attachment type not allowed ...

Last updated on 10 years ago
Track threadPrint
J
janmolVeteran Member
Posted 11 years ago
#1

0

Tried to attach a simple jpg-file but got this error message in this site ... :(
F
FalkSuper Admin
Posted 11 years ago
#2

0

Double check so the real file format match the list in your settings. ( Forum Settings : Allowed file types: )
J
janmolVeteran Member
Posted 11 years ago
#3

0

It was HERE I experienced this - not on my testsite :)
F
FalkSuper Admin
Posted 11 years ago
#4

0

You did post in the Beta 9 forum, thread moved. ( Thread moved )
But answer remains the same. it is probably not a matching format, I see many images upload all the time.
Iif you want you can mail me the image and I can double check it.
J
janmolVeteran Member
Posted 11 years ago
#5

0

OK - no big deal :)
C
CraigFusioneer
Posted 11 years ago
#6

0

It's coz mimetypes is broken and we have known that since it was introduced in 7.02.07 there is lots of threads about it. Use search! lol

[LOCKED]
S
SnakeEyeJunior Member
Posted 10 years ago
#7

0

Ok what are we supposed to do to fix this? I am having the same problem with my install of 7.02 I am absolutely positive that it is an allowed file type ( a simple .jpg file) that I am trying to upload in our forums. The same one I will try to attach here but it tells me the same thing in these forums. Attachment type not allowed. I checked includes/mimetypes_include.php and it shows the file type for .jpg and .jpeg but it still will not let me upload the file.
If it aint broke...Don't fix it!
C
ChanSuper Admin
Posted 10 years ago
#8

0

To fix it, you have to fix the image maybe.. try to do this.. open photoshop, resave file to either png or jpg format. In 9.00 we can disable mimecheck header. Not possible before 7.06.

We have encountered hacker uploaded an malicious image containing xss codes inside the image and this exploit was related to IE image flaws back in 06'-07', so our devs introduced the mimecheck to prevent upload of unwanted files because either:
1. filetype is corrupt, and browser filetype responded failed to match our large mimecheck allowed types (we have a big list)
2. filename is not correct
3. file image has codes that can executed offsite. This is xss vulnerabilities and therefore the mimecheck was introduced to prevent that.
4. a 1:1 photoshopped file (uncompressed) could result this. a window bitmap paint image save could also result this. Almost everything happen with .jpg files format. Go for .png.
S
SnakeEyeJunior Member
Posted 10 years ago
#9

0

You are right. I don't know what it is with the particular image that I try to upload but when I upload a .jpg image that I created with Adobe Fireworks that I saved as a jpg file, it let me upload that image. When I try to upload a jpg file that was a screenshot that was created by my game I play,it won't let me do it even though the game saves the file as a jpg image. I will have to open those files and resave them as a jpg file and see what happens. Thanks for your help.
Edited by N/A on 25-10-2014 13:20, 10 years ago
C
ChanSuper Admin
Posted 10 years ago
#10

0

Thank you. Assumed resolved.
D
douwe_yntemaSenior Member
Posted 10 years ago
#11

0

S
SnakeEyeJunior Member
Posted 10 years ago
#12

0

Quote

Thank you. Assumed resolved.
- by hien


Yes this issue is resolved. Even though the fix that douwe_yntema posts above will work, the fix he points to is dangerous and I would not recommend it. I am informing all of our users that they will need to resave their images from screenshots that their game creates using a good image editor ( I use Adobe Firewoks) which saves the file in a true .jpg format.
J
Jimik85Newbie
Posted 10 years ago
#13

0

I had same problem before 15 minutes, when one of my users wanted to change avatar. I think, here is bad regex pattern in function verify_image
Code Download source
// Scan image files for malicious code

function verify_image($file) {

   $txt = file_get_contents($file);

   $image_safe = true;

//   if (preg_match('#<?php#i', $txt)) { $image_safe = false; } // this line has BAD regex, cause < and ? is special symbols for regexes this condition is true if u have just $txt = ".....php...." not just for "....<?php....."

   if (preg_match('#\<\?php#i', $txt)) { $image_safe = false; } // this is better and function for me

   elseif (preg_match('#&(quot|lt|gt|nbsp|<?php);#i', $txt)) { $image_safe = false; }

   elseif (preg_match("#&\#x([0-9a-f]+);#i", $txt)) { $image_safe = false; }

   elseif (preg_match('#&\#([0-9]+);#i', $txt)) { $image_safe = false; }

   elseif (preg_match("#([a-z]*)=([\\'\"]*)script:#iU", $txt)) { $image_safe = false; }

   elseif (preg_match("#([a-z]*)=([\\'\"]*)javascript:#iU", $txt)) { $image_safe = false; }

   elseif (preg_match("#([a-z]*)=([\'\"]*)vbscript:#iU", $txt)) { $image_safe = false; }

   elseif (preg_match("#(<[^>]+)style=([\\'\"]*).*expression\([^>]*>#iU", $txt)) { $image_safe = false; }

   elseif (preg_match("#(<[^>]+)style=([\\'\"]*).*behaviour\([^>]*>#iU", $txt)) { $image_safe = false; }

   elseif (preg_match("#</*(applet|link|style|script|iframe|frame|frameset)[^>]*>#i", $txt)) { $image_safe = false; }

   return $image_safe;

}
J
JoiNNNVeteran Member
Posted 10 years ago
#14

0

Indeed, thanks for looking into it and reporting, fixed in v9.
W
WanaboSenior Member
Posted 10 years ago
#15

0

Excuse me but the fix on github is only partial!!
Line 795: https://github.com/PHPFusion/PHPFusio...incore.php

Code Download source
   if (preg_match('#<\?php#i', $txt)) {

Should be:
Code Download source
   if (preg_match('#\<\?php#i', $txt)) {

Note the extra slash.

The special regular expression characters are: . \ + * ? [ ^ ] $ ( ) { } = ! < > | : -
So they should be escaped.

Great find btw Jimik85! :)
www.probemyip.com/probe-my-ip-80x15.png
 pHp-Fusion.Asia & pHp-Fusion.Fr & pHp-Fusion.Cn are available for a localized support community. Send PB for info.
J
JoiNNNVeteran Member
Posted 10 years ago
#16

0

That happens when you do things when you're tired. Thanks for reporting, FIXED.. for real now :D
W
WanaboSenior Member
Posted 10 years ago
#17

0

Can happen. :)
While you're at it fixing slashes, take a look at [Fix] password contains invalid characters!
www.probemyip.com/probe-my-ip-80x15.png
 pHp-Fusion.Asia & pHp-Fusion.Fr & pHp-Fusion.Cn are available for a localized support community. Send PB for info.
J
JoiNNNVeteran Member
Posted 10 years ago
#18

0

So that is just a locale typo, right?
W
WanaboSenior Member
Posted 10 years ago
#19

0

Correct, but a nasty one. If people use a \ (backslash) in their password they get the message: "Password is too short or contains invalid characters"
Due to the invalid character.

The regex seems ok though.
www.probemyip.com/probe-my-ip-80x15.png
 pHp-Fusion.Asia & pHp-Fusion.Fr & pHp-Fusion.Cn are available for a localized support community. Send PB for info.
J
JoiNNNVeteran Member
Posted 10 years ago
#20

0

Fixed that too Wanabo, thanks.
You can view all discussion threads in this forum.
You cannot start a new discussion thread in this forum.
You cannot reply in this discussion thread.
You cannot start on a poll in this forum.
You cannot upload attachments in this forum.
You can download attachments in this forum.
You cannot up or down-vote on the post in this discussion thread.
You cannot set up a bounty in this discussion thread.
Moderator: Support Team
Users who participated in discussion: Falk, janmol, Craig, Wanabo, Chan, SnakeEye, JoiNNN, douwe_yntema, Jimik85