ExpressionEngine CMS

This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.


Mime type problems in 1.6.4

June 29, 2008 10:28am

  • #1 / Jun 29, 2008 10:28am

    helain le blanc

    10 posts

    Hi

    I’ve got an error message when a member wants to upload a file (image or jpg)

    “The file you are attempting to upload has invalid content for its MIME type.”

    While it is perfectly working when logged as superadmin.

    The access rights are “green” for members in the download pref.

    Any idea where the problem is?

    Thanx.

    Hélain Le Blanc.

  • #2 / Jun 29, 2008 10:31am

    Robin Sowell

    13255 posts

    Can you check whether xss filtering is applied to images- in ‘Admin- System Prefs- Security’ it’s ‘Apply XSS Filtering to uploaded files?’.

    And- does it seem to be all images?  If you try it as superadmin w/one of the failing images, does it work for you?

  • #3 / Jun 29, 2008 10:40am

    helain le blanc

    10 posts

    Hi Robin and woooaa amazing how fast you answer !

    Yes, I’ve tried to upload the problem image from members in super admin and it works perfectly.

    But you have found the right solution !!

    I had no idea what this xss security pref was… now I know!

    And no more problems.

    Thank you for your professional reaction.

    EE rules !

  • #4 / Jun 29, 2008 11:00am

    Robin Sowell

    13255 posts

    Hee- you timed it well, which always helps.

    Do keep in mind- turning off the image filter has implications for security.  It means none of the images uploaded are run through the cross site filter- so that means signatures, avatars- pretty much everything.  I personally will only turn it off if the only folks who have access to upload anything are staff.  And even then I prefer to leave it on, just as a check.

    So that’s a long way of saying- if you want me to poke more on why those images trip the filter, let me know.  I doubt we can make them not trip it- unless 1.6.4 is being overzealous.  But we might can figure out why they are.

    Make sense?  Or if all is well, say the word and I’ll close this one out.

  • #5 / Jul 01, 2008 7:10pm

    Andru Edwards

    331 posts

    We are having the same issue, Robin. Before upgrade, the appropriate people could upload images with no problem. After 1.6.4, people are getting this mime type error, and I totally don’t want to turn off filtering. I just want it to work like it was in 1.6.3!

  • #6 / Jul 02, 2008 11:45am

    Robin Sowell

    13255 posts

    drusoicy- if you login as non-superadmin, it denies the upload- right?  If you flip off the xss filter for images, it loads ok, even as non-superadmin?

    Can you email me one of the images that borks it.  I’ll try some tests on my install as well.

  • #7 / Jul 02, 2008 1:12pm

    Andru Edwards

    331 posts

    Robin,

    It looks like the EE email system doesn’t allow attachments, so I will just link you to a couple that my writers asked me to upload for them yesterday:

    http://www.gearlive.com/blogimages/cubeart.jpg
    http://www.gearlive.com/blogimages/HUVO.jpg

  • #8 / Jul 02, 2008 6:41pm

    Kevin Smith

    4784 posts

    Same problem here Robin, and it only occurred after the upgrade to 1.6.4. It worked for super admins, not for members, and was fixed when I changed the XSS security pref with the same files.

  • #9 / Jul 02, 2008 7:04pm

    Ingmar

    29245 posts

    I understand the XSS code has been tightened somewhat in the latest release.

  • #10 / Jul 02, 2008 7:23pm

    Kevin Smith

    4784 posts

    But tightened to the point where normal, authorized users cannot upload files? I suppose I should ask, what is the purpose of the XSS security measure in the first place?

  • #11 / Jul 03, 2008 12:06pm

    Robin Sowell

    13255 posts

    Yep- behavior does seem to have changed.  The crew is in taking a look at things- we’ll update when we hear back on what’s up.

  • #12 / Jul 03, 2008 5:39pm

    Ingmar

    29245 posts

    As Robin said, we’re currently looking into the issue. We’ll let you know when we have a fix.

  • #13 / Jul 08, 2008 4:15pm

    Andru Edwards

    331 posts

    I know you said you’d update when there was a fix, but I just figured I’d throw in a nudge and ask for a status update. This issue is slowing down our publishing time, which in the long run, hurts the bottom line a bit 😉

  • #14 / Jul 08, 2008 5:27pm

    Derek Jones

    7561 posts

    Some false-matches on the files can be alleviated, and indeed internally I have that fix ready for the next build.  The issue at hand, though, is how much leniency can safely be given.  If it helps you have some perspective, the characters tripping it up are patterns such as:

    <a blahblahblah >

    And I think it’s safe to say that if you have selected that file uploads be sanitized against XSS attacks, that finding what appears to be a link inside one is suspect.  The problem is that certain browsers ::cough:: IE6 ::cough:: when they perceive HTML tags within an image, will just serve that image’s “contents” as HTML, ignoring the MIME type that the server sends.

    So we’re taking an extremely cautious stance before adding further leniency.
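
The false-match problem described in post #14, as an added example that is not part of the original thread and is not ExpressionEngine's own filter code: a loose pattern of the shape quoted there flags binary noise, while a narrower one still rejects a JPEG that carries a readable link. The tag list, both patterns and the sample byte strings are assumptions constructed for illustration.

```python
import re

# Loose check: "<a", up to 200 non-">" bytes, then ">" (the shape quoted in post #14).
LOOSE = re.compile(rb"<a[^>]{0,200}>", re.I)

# Narrower check (assumed tag list): a known tag name, then whitespace, "/" or ">",
# then only printable ASCII up to the closing ">". This is the leniency trade-off.
TAGS = (b"html", b"head", b"body", b"script", b"iframe", b"img", b"a")
STRICT = re.compile(
    rb"<(?:" + b"|".join(TAGS) + rb")(?=[\s/>])[\x20-\x7e\s]{0,200}?>", re.I
)

def looks_like_jpeg(data: bytes) -> bool:
    """JPEG files start with the SOI marker FF D8 followed by another FF marker."""
    return data[:3] == b"\xff\xd8\xff"

def check_upload(data: bytes, pattern):
    """Return (accepted, reason) for an upload claimed to be image/jpeg."""
    if not looks_like_jpeg(data):
        return False, "not a JPEG"
    hit = pattern.search(data)
    if hit:
        return False, f"markup-like bytes at offset {hit.start()}"
    return True, "ok"

# Constructed samples (not real image files): header plus filler bytes.
HEADER = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"
FILLER = bytes(range(256))
CLEAN = HEADER + FILLER
# Binary data that merely happens to contain "<a" ... ">".
NOISY = HEADER + FILLER + b"<a\x93\x07\xfe\x10>" + FILLER
# A readable link stored in a JPEG comment (COM, FF FE) segment.
EMBEDDED = HEADER + b"\xff\xfe\x00\x24" + b'<a href="http://example.invalid/">' + FILLER

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN), ("noisy", NOISY), ("embedded", EMBEDDED)):
        print(name, "loose:", check_upload(blob, LOOSE), "strict:", check_upload(blob, STRICT))
```

The narrower pattern accepts the noisy sample that the loose one rejects, which is the kind of added leniency the post says has to be weighed against content-sniffing browsers.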

  • #15 / Jul 22, 2008 6:28pm

    anonymous61630

    93 posts

    This one triggered the “wrong MIME type” response, too:

    http://idioom.eu/images/uploads/souvenirs/black_sand.jpg

    *edit* a bit more info: After turning off XSS filtering I was able to upload the image as a non logged in user of the site. Now I am worried about security implications…
