Ingmar, you replied to me? You mean there were updates for “better handling”? I updated my forums some days ago! As you can always see what versions or builds I run from my sig.
This is happening on a core version install, but I might run into this problem when I upgrade my commercial version install to 1.6.4.
On http://idioom.eu/en/souvenirs/submit/ I am letting people send me an image via a freeform. I then review the entries and post them to the site if they are ok. Would I recognize an XSS-prepared image? Do they look like a normal image or would they appear broken?
As far as security is concerned (and XSS is obviously a big part of that) there is no difference between EE Core and the full version. Images successfully posted by you or one of your users would never appear broken: either EE lets you upload them, or not. As a Superadmin you are exempt from these checks anyway, and you can also turn off this behavior (although we do not recommend that). It all depends on the image. Metadata might be an issue, for example.
Yes, the metadata of pictures was the problem in my issue. And those, again, were “wrong” because of the software and the saving type of the images. That was only in the forums, though; I haven't had any problems with uploading, but my users don't upload anything via SAEF.
All images that appear on the site are reviewed by me. Would I be able to see that an image a user has sent to me via the form has been tampered with? Would it appear broken?
Some more info on the image: My user says that he tried uploading two versions of the image: the first was saved for web in Photoshop and the second just saved normally in Photoshop. Both triggered the MIME type warning.
Sometimes the images will appear broken, and sometimes they will appear as normal images. Are you able to email me the images in question? Let me take a look and I’ll see what’s triggering them and see if we can come up with a solution for you here. If you email (derek.allard@ellislab.com) please include the url to this thread so I can keep things in context.
Thanks, sir. I can immediately see what is triggering the false positive. Sorry for the inconvenience. We’re working on a way to reduce the number of false positives flagged, and if I come up with something that will work for you I’ll be sure to let you know. For now, though, there is no way we can let this image through without crippling the security of EE. I’m sorry.
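To make the false-positive mechanism discussed in this thread concrete, here is an added example that is not EE's or EllisLab's code and does not reproduce EE's actual upload check. It builds three constructed JPEG byte strings (a bare JFIF header, the same header plus an XMP packet of the kind image editors write into an APP1 segment, and one with a comment segment carrying a script tag; none contains real image data), then runs two hypothetical scanners over them: a naive "does this look like HTML?" heuristic, which trips on the XMP packet because XMP is XML, and a segment-walking scanner that only looks for patterns a browser would actually execute. The segment walker also rejects structurally broken files. Both scanners, the regexes and the sample bytes are assumptions made for illustration.

```python
import re


def jpeg_segment(marker: int, payload: bytes) -> bytes:
    """Build one JPEG marker segment: FF <marker> <2-byte length incl. itself> <payload>."""
    return b"\xff" + bytes([marker]) + (len(payload) + 2).to_bytes(2, "big") + payload


# Constructed samples (not real Photoshop output): a JFIF APP0 header, an XMP packet
# in an APP1 segment like the ones image editors embed, and a COM segment with markup.
JFIF_APP0 = jpeg_segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
XMP_APP1 = jpeg_segment(
    0xE1,
    b"http://ns.adobe.com/xap/1.0/\x00"
    b'<?xpacket begin="" id="W5M0MpCehiHzreSzNTczkc9d"?>'
    b'<x:xmpmeta xmlns:x="adobe:ns:meta/">'
    b'<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">'
    b'<rdf:Description rdf:about="" xmlns:dc="http://purl.org/dc/elements/1.1/">'
    b"<dc:creator>someone</dc:creator></rdf:Description></rdf:RDF></x:xmpmeta>"
    b'<?xpacket end="w"?>',
)
EVIL_COM = jpeg_segment(0xFE, b"<script>alert(document.cookie)</script>")

PLAIN_JPEG = b"\xff\xd8" + JFIF_APP0 + b"\xff\xd9"              # SOI, APP0, EOI
XMP_JPEG = b"\xff\xd8" + JFIF_APP0 + XMP_APP1 + b"\xff\xd9"     # metadata-bearing "good" file
TAMPERED_JPEG = b"\xff\xd8" + JFIF_APP0 + EVIL_COM + b"\xff\xd9"  # markup hidden in a comment

# Hypothetical naive heuristic: any tag-like or attribute-like text anywhere in the file.
NAIVE = re.compile(r"<[a-z?!/][^>]*>|\b\w+\s*=\s*[\"']", re.I)

# Hypothetical targeted patterns: things a browser would execute if the bytes were rendered as HTML.
DANGEROUS = re.compile(
    r"<\s*(script|iframe|object|embed|svg|meta)\b|javascript\s*:|\bon[a-z]+\s*=", re.I
)


def naive_flags(data: bytes) -> bool:
    """Flag the upload if the raw bytes contain anything that looks like markup.
    XMP/EXIF written by image editors is XML, so legitimate files trip this too."""
    return NAIVE.search(data.decode("latin-1")) is not None


def jpeg_segments(data: bytes) -> list[tuple[int, bytes]]:
    """Walk the header segments between SOI and SOS/EOI, returning (marker, payload) pairs.
    Raises ValueError on files that are not structurally valid JPEGs."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    segments, i = [], 2
    while i + 1 < len(data):
        if data[i] != 0xFF:
            raise ValueError(f"expected a marker at offset {i}")
        marker = data[i + 1]
        if marker in (0xD9, 0xDA):  # EOI, or SOS (entropy-coded image data follows)
            return segments
        if i + 4 > len(data):
            raise ValueError("truncated segment header")
        length = int.from_bytes(data[i + 2:i + 4], "big")
        if length < 2 or i + 2 + length > len(data):
            raise ValueError(f"bad segment length {length} at offset {i}")
        segments.append((marker, data[i + 4:i + 2 + length]))
        i += 2 + length
    raise ValueError("ran off the end of the file before EOI")


def targeted_flags(data: bytes) -> bool:
    """Flag only header segments that contain executable-looking patterns.
    Plain XMP/EXIF passes; a script tag smuggled into a comment segment does not."""
    for _marker, payload in jpeg_segments(data):
        if DANGEROUS.search(payload.decode("latin-1")):
            return True
    return False


if __name__ == "__main__":
    for name, sample in [("plain", PLAIN_JPEG), ("xmp", XMP_JPEG), ("tampered", TAMPERED_JPEG)]:
        print(f"{name:9s} naive={naive_flags(sample)!s:5s} targeted={targeted_flags(sample)}")
```

The point for a reviewer such as the original poster: none of the three samples would look any different in an image viewer, since the suspicious bytes live in metadata and comment segments that decoders ignore, so visual review cannot replace a byte-level check. The trade-off the thread describes is visible in the two scanners: the naive one catches the tampered file but also rejects the editor-generated XMP, while the targeted one needs a correct parser for every format it accepts to avoid missing payloads in segments it does not understand.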
Just a “ditto” here on this issue. We’re running a production site at 1.6.3 and a dev site under 1.6.4. We SuperAdmins can upload anything under 1.6.4, but any other user group has about a 50/50 success rate with JPEG images processed either through PS or Fireworks.
The same users in the same Member Group on the production server running 1.6.3 don’t have any problems with the same images that failed on 1.6.4.
This is good to know so we don’t upgrade the production site to 1.6.4.
Well, congrats on the speaking engagement. Sounds like fun. I’m confident we got your issue, and I’ve had at least a half dozen independent verifications, so I’m going to go ahead and mark this thread as resolved for now, but if you find it didn’t fix things up for you, just start a related thread and we’ll reopen it right away for you.