
As Designed No Image-Check when importing

Discussion in 'Resolved Bug Reports' started by pldcanfly, Jan 16, 2014.

  1. pldcanfly

    pldcanfly Member

    As switchers from vb to XenForo we had an issue last night. Our Malware-Scanner reported an included <?php tag in one of the imported avatars. We stored our avatars in our database before.

    While XenForo itself doesn't permit uploading this picture, it was imported. An option to check for invalid pictures would be good if checking while importing produces too much overhead.
     
  2. Mike

    Mike XenForo Developer Staff Member

    In this case, it was actually a valid image that was already in your system. We do full image checks when importing so it wouldn't be imported without appearing to be a valid image.

    However, we do have an extra check on any uploaded image for the "<?php" string, though this is mostly to attempt to (partially) work around a security issue that comes from a server misconfiguration. This issue is moot on most servers; it's a specific Nginx configuration (generally well documented). We just provide an extra layer of protection against it, at the expense of a theoretical false positive.
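
The two checks discussed in this thread are independent, which is why a structurally valid avatar can still trip a malware scanner. The following is an added example, not XenForo's code and not part of either post: a post-import audit for PNG avatars that reports both results separately. The function names, the PNG-only scope and the case-insensitive match are assumptions of this example, and the sample image is constructed inline.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
MARKER = b"<?php"  # the string the thread says uploads are checked for

def png_chunks(data):
    """Yield (type, body, end_offset) per chunk; raise if the file is malformed."""
    if not data.startswith(PNG_SIG):
        raise ValueError("missing PNG signature")
    pos = len(PNG_SIG)
    while pos < len(data):
        # A short header slice makes struct.unpack raise struct.error.
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length
        if end > len(data):
            raise ValueError("truncated chunk")
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[end - 4:end])
        if crc != zlib.crc32(ctype + body):
            raise ValueError("bad CRC")
        yield ctype, body, end
        if ctype == b"IEND":
            return
        pos = end

def audit(data):
    """Return (structurally_valid, marker_found, locations)."""
    found = MARKER in data.lower()  # raw scan; case-insensitive by choice here
    types, where, end = [], [], 0
    try:
        for ctype, body, end in png_chunks(data):
            types.append(ctype)
            if MARKER in body.lower():
                where.append(ctype.decode("ascii", "replace"))
    except (ValueError, struct.error):
        return False, found, where
    if MARKER in data[end:].lower():
        where.append("after IEND")  # bytes appended past the end of the image
    valid = bool(types) and types[0] == b"IHDR" and types[-1] == b"IEND"
    return valid, found, where

def _chunk(ctype, body):
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))

def sample_png(comment):
    """Constructed 1x1 grayscale PNG carrying `comment` in a tEXt chunk."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    return (PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"tEXt", b"Comment\x00" + comment)
            + _chunk(b"IDAT", zlib.compress(b"\x00\x00")) + _chunk(b"IEND", b""))
```

A result of `(True, True, [...])` is the case from this thread: the file passes as an image and still contains the marker, so it has to be flagged by the string check rather than by image validation.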
     
