Not logged in. · Lost password · Register
Forum: General Help and Support General Stuff RSS
Cannot upload PNG image due to iexssprotect
Avatar
theoveenker #1
Member since Sep 2017 · 9 posts
Group memberships: Members
Show profile · Link to this post
Subject: Cannot upload PNG image due to iexssprotect
Hi all,

I'm running Greebo and it all works fine. I have the default mime.conf installed.

I was trying to replace a screenshot (PNG) on my wiki and suddenly got the dreaded "The upload was blocked for possibly malicious content.".

It turned out I could upload any other PNG image, but not the one I needed. Even after recreating the screenshot it did not work. After some research I found out (using the strings tool) that the PNG file contained the sequence <A which made media_contentcheck() trigger a -3 error.

I guess I can get around it by turning off iexssprotect, but wouldn't it be better if media_contentcheck() first checked mime times to see if the file is text or a valid binary image instead of first assuming it is a text file?

What can I do to upload my image other than turning off iexssprotect?

Theo
Avatar
andi (Administrator) #2
User title: splitbrain
Member since May 2006 · 3500 posts · Location: Berlin Germany
Group memberships: Administrators, Members
Show profile · Link to this post
Quote by theoveenker on 2019-09-10, 09:16:
I guess I can get around it by turning off iexssprotect, but wouldn't it be better if media_contentcheck() first checked mime times to see if the file is text or a valid binary image instead of first assuming it is a text file?

No. The check is there because mimetypes cannot be trusted because IE is stupid. Read https://www.splitbrain.org/blog/2007-02/12-internet_explor… for background info.

It might be worth to reevaluate the issue in 2019. I believe content type sniffing can be disabled in more modern browsers via headers so we might be able to get rid of this "feature".
Read this if you don't get any useful answers.
Lies dies wenn du keine hilfreichen Antworten bekommst.
Avatar
theoveenker #3
Member since Sep 2017 · 9 posts
Group memberships: Members
Show profile · Link to this post
Thanks. I got around it by temporarily switching off iexssprotect to do the upload, but I now understand that I probably need to check if IE can still display the resulting page.

O how nice it would be if MS just followed accepted standards for once or, if that would be a bride too far, just do the sane thing.
Close Smaller – Larger + Reply to this post:
Verification code: VeriCode Please enter the word from the image into the text field below. (Type the letters only, lower case is okay.)
Smileys: :-) ;-) :-D :-p :blush: :cool: :rolleyes: :huh: :-/ <_< :-( :'( :#: :scared: 8-( :nuts: :-O
Special characters:
Go to forum
Imprint
This board is powered by the Unclassified NewsBoard software, 20150713-dev, © 2003-2015 by Yves Goergen
Current time: 2019-11-18, 19:09:51 (UTC +01:00)