
Hosted images broken since upgrade patch

Discussion in 'Troubleshooting and Problems' started by Mr Lucky, Sep 12, 2016.

  1. Mr Lucky

    Mr Lucky Well-Known Member

    Images are showing correctly on my test forum (before upgrade patch), however on my live forum (with patch) they show a broken image symbol.

    These are images that are hosted on my server.

    However the links are good because if I click on edit, they show up in the editor. They also work if I untick Proxy Image, however this is not an option as mentioned in the ACP: Proxying of images is especially important if you are running your site through SSL (HTTPS).
     
  2. Mike

    Mike XenForo Developer Staff Member

    What's the URL to the images?

    As part of the patch, redirects are no longer followed and this is the likely cause. Unfortunately, this is a very important part of the patch.
     
  3. Mr Lucky

    Mr Lucky Well-Known Member

    The images (at least the ones I know of that are broken) are at http://cafesaxophone.com/x-pic/...



    I recently switched to SSL, so it is important that this works as mentioned in the ACP:

    Proxying of images is especially important if you are running your site through SSL (HTTPS).
     
  4. Mike

    Mike XenForo Developer Staff Member

    Yeah, those are redirecting from http to https so the failure is generally expected (unfortunately).

    It would be an option to replace http://cafesaxophone.com with https://cafesaxophone.com in existing messages and that would sort the common case.
     
  5. Mr Lucky

    Mr Lucky Well-Known Member

  6. Chris D

    Chris D XenForo Developer Staff Member

    This is basically what Mike said above. Notice the URL you posted:

    https://s14.postimg.org/ugd98aw0h/Photo_on_9_12_16_at_2_20_PM.jpg

    vs the URL you are redirected to:

    https://s14.postimg.io/ugd98aw0h/Photo_on_9_12_16_at_2_20_PM.jpg

    So if I post the first URL:

    [IMG]

    We'll reject it because it performs a redirection, and a URL that redirects can leave you susceptible to the SSRF exploit.

    If I post the second URL:

    [IMG]

    It will work fine.

    The solution is to identify broken images (the Image Proxy Log in the Admin CP may help with this) and use something such as the Post Content Find and Replace add-on to fix things, if necessary.
     
  7. Mr Lucky

    Mr Lucky Well-Known Member

    I'm trying to use that, but it seems very complicated. Are you saying all images that were .org are now .io????

    It was all working nicely before the upgrade patch.
     
  8. Chris D

    Chris D XenForo Developer Staff Member

    It was also a potential attack vector which, although not easy to exploit, would have been far more inconvenient if it ever was :)

    I've provided some assistance in that thread.

    Yes, exactly.
     
  9. Mr Lucky

    Mr Lucky Well-Known Member

  10. Pierce

    Pierce Active Member

    I assume trying to add code to check the cURL response, loop the process up to 5 times and, if it's still giving back 301s, reject, or, if it stops and validates as a correct URL at 200, download the image at the URL found, is a bit heavy server-side? Or just really ugly?

    Or is there another vector of attack to that approach which I am not thinking of?

    What about XF2 has this been accounted for?
     
  11. Chris D

    Chris D XenForo Developer Staff Member

  12. Chris D

    Chris D XenForo Developer Staff Member

    We already have/had protection against redirect loops and requests that take too long.

    This particular situation is to prevent a potential SSRF (server side request forgery).

    Put simply, a publicly accessible URL, if accessed by your server (such as via the image proxy system), could issue a 301 redirect to a local resource/service on the server. For example, if a redirect was issued to http://localhost:3306 and the server followed that, it could be a way to bypass the firewall and remotely access MySQL. This example is a bit extreme and unlikely, but you get the idea.

    This is why redirects are now blocked.
     
  13. Mr Lucky

    Mr Lucky Well-Known Member

    That one is fine, it was when replacing .org with .io that there was a problem.

    You implied all .org should be .io

    If it's not all of them, how do I know which ones to replace?

    I'm very confused now as it was all working fine with Proxy Image ticked as advised; now it isn't and I'm not sure how to fix it. I can fix links to my own URL, but how do I identify all the links to external URLs that have now stopped working?
     
  14. Pierce

    Pierce Active Member

    @Chris D I understand the issue.

    I see in the source there are checks for local IPs, IPv4 and IPv6.

    Instead of following the redirects blindly (which is what happens when you send it off to Zend; you have maxredirects at 0 now), query for the headers only (the headers that create the 301).

    So the flow would be:

    Step1:

    query header for example.org/image.jpg

    which the header will tell you that it 301 directs to: example.org/redirect_image.jpg

    Step 2

    Query header information for example.org/redirect_image.jpg

    which continues to 301 redirect, and you keep downloading the headers until you hit a 200 (successful response) and then, and only then, download the image; or you run out of loops (5 usually); or you find a localhost or any private IP address and it fails for security reasons...
     
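The two policies discussed in the last few posts, as an added example that is not XenForo's code: `follow_redirects=False` reproduces the patched behaviour (any 3xx answer is rejected, which is why Mr Lucky's http-to-https images broke), and `follow_redirects=True` is the per-hop validation Pierce sketched, with the checks a practitioner would want on every hop: only http/https schemes, every resolved address must be globally routable (loopback, RFC 1918, link-local such as 169.254.169.254, and IPv4-mapped IPv6 are all refused), a hop cap, and loop detection. The hostnames, addresses, DNS answers and HTTP responses are all constructed so it runs offline; a real client would issue the request with automatic redirects disabled and resolve with `socket.getaddrinfo`.

```python
"""SSRF-safe image proxy fetch. Added example, not XenForo code.
All hosts, addresses and responses below are constructed."""
import ipaddress
from urllib.parse import urljoin, urlsplit

MAX_REDIRECTS = 5

# Constructed stand-in for remote servers: URL -> (status, headers).
FAKE_SERVERS = {
    "http://img.example.org/a.jpg": (301, {"Location": "https://img.example.org/a.jpg"}),
    "https://img.example.org/a.jpg": (200, {"Content-Type": "image/jpeg"}),
    "https://cdn.example.org/old.jpg": (302, {"Location": "/new.jpg"}),
    "https://cdn.example.org/new.jpg": (200, {"Content-Type": "image/jpeg"}),
    # Hostile host: public image URL that bounces the proxy into the server's MySQL port.
    "https://evil.example.net/x.jpg": (302, {"Location": "http://localhost:3306/"}),
    "https://evil.example.net/f.jpg": (302, {"Location": "file:///etc/passwd"}),
    "https://loop.example.net/1.jpg": (301, {"Location": "https://loop.example.net/2.jpg"}),
    "https://loop.example.net/2.jpg": (301, {"Location": "https://loop.example.net/1.jpg"}),
}
for _i in range(6):  # six redirects in a row, one more than MAX_REDIRECTS allows
    FAKE_SERVERS[f"https://hops.example.net/{_i}"] = (301, {"Location": f"/{_i + 1}"})
FAKE_SERVERS["https://hops.example.net/6"] = (200, {})

# Constructed DNS answers (placeholder public addresses) so the example runs offline.
FAKE_DNS = {
    "img.example.org": ["1.2.3.4"],
    "cdn.example.org": ["1.2.3.5"],
    "evil.example.net": ["1.2.3.6"],
    "loop.example.net": ["1.2.3.7"],
    "hops.example.net": ["1.2.3.8"],
    "localhost": ["127.0.0.1", "::1"],
    "metadata.example.internal": ["169.254.169.254"],
}


class Rejected(Exception):
    """Raised when a URL or a redirect hop fails the SSRF checks."""


def is_public_ip(ip_str):
    """True only for globally routable unicast addresses."""
    ip = ipaddress.ip_address(ip_str)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # judge ::ffff:127.0.0.1 as 127.0.0.1
    return ip.is_global and not ip.is_multicast


def check_url(url):
    """Validate scheme and host; every resolved address must be public.
    Returns the addresses so a real client can pin the connection to them
    (re-resolving at connect time reopens a DNS-rebinding window)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise Rejected(f"unsupported scheme in {url}")
    if not parts.hostname:
        raise Rejected(f"no host in {url}")
    addrs = FAKE_DNS.get(parts.hostname)  # real code: socket.getaddrinfo
    if not addrs:
        raise Rejected(f"cannot resolve {parts.hostname}")
    for addr in addrs:
        if not is_public_ip(addr):
            raise Rejected(f"{parts.hostname} resolves to non-public {addr}")
    return addrs


def http_request(url):
    """One request with client-side redirect following disabled (constructed)."""
    return FAKE_SERVERS.get(url, (404, {}))


def proxy_fetch(url, follow_redirects):
    """Return the URL whose body the proxy may serve, or raise Rejected.
    follow_redirects=False: any 3xx is rejected (the patched behaviour).
    follow_redirects=True: each Location is validated before the next hop."""
    seen = set()
    for _ in range(MAX_REDIRECTS + 1):
        check_url(url)
        if url in seen:
            raise Rejected(f"redirect loop at {url}")
        seen.add(url)
        status, headers = http_request(url)
        if 300 <= status < 400:
            if not follow_redirects:
                raise Rejected(f"{url} answered {status}; redirects are disabled")
            location = headers.get("Location")
            if not location:
                raise Rejected(f"{url} answered {status} without Location")
            url = urljoin(url, location)  # relative Location resolved; re-checked next loop
            continue
        if status == 200:
            return url
        raise Rejected(f"{url} answered HTTP {status}")
    raise Rejected(f"more than {MAX_REDIRECTS} redirects")


def decide(url, follow_redirects):
    """('ok', final_url) or ('rejected', reason), for logging or tests."""
    try:
        return ("ok", proxy_fetch(url, follow_redirects))
    except Rejected as exc:
        return ("rejected", str(exc))
```

Two caveats on the HEAD-then-GET flow sketched above: a server may answer HEAD and GET differently, so the hop that is validated should be the same request whose body is read (here one request per hop, body consumed only on the final 200), and the address that passed the check must be the one actually connected to, since a hostname that resolves to a public address at check time can resolve to 127.0.0.1 a moment later.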
  15. Chris D

    Chris D XenForo Developer Staff Member

    That wasn't my intention. We were talking specifically about an image that was on a certain host postimg.org and their URL has now changed to postimg.io.

    If you use the post content add-on, you can change all postimg.org URLs to postimg.io.

    I honestly doubt there will be many other examples of broken images so as long as you resolve the most obvious issues (e.g. those hosted on your own domain, and this postimg.org URL change) there's unlikely to be many (if any) more.
     
  16. Mr Lucky

    Mr Lucky Well-Known Member

    Aha, I misunderstood, I thought you meant change all .org to .io. I must admit that seemed a bit odd. :)


    OK, thanks I will do that.

    BTW, I spotted a broken image on xenforo.com, is this due to the same issue?

    https://xenforo.com/community/threads/hotspots-by-waindigo-deleted.54028/#post-576878
     
  17. Chris D

    Chris D XenForo Developer Staff Member

    Actually it is, yes. We'll look into that.
     
  18. Mr Lucky

    Mr Lucky Well-Known Member

    Happy to be of service :)
     