Author Topic: Posting Photos on CRPF  (Read 9334 times)

Offline NorthernElectric

  • Hero Member
  • *****
  • Posts: 526
Re: Posting Photos on CRPF
« Reply #30 on: May 12, 2015, 12:33:54 PM »
Since both of you completely lost me at the word "Meta", it won't help many of us understand what you're discussing.

Simply put, metadata is information embedded in the image file that is not part of the image itself.  Typical metadata will include information about the camera and it's settings used to take the photo.  It can also include the latitude and longtitude where the photo was taken if from a GPS-enabled device, copyright information, etc.  It can also contain html and/or php code (2 languages used to write web pages).  This, I believe, is the main reason for the security checks as some web software has vulnerabilities that will execute such embedded code.

Hackers can and have added malicious code into image files.  It's possible that some cameras and/or imaging software may put benign html into their metadata, and these are being rejected by the security checks.
« Last Edit: May 12, 2015, 12:39:49 PM by NorthernElectric »
Cliff

Offline unbeldi

  • Hero Member
  • *****
  • Posts: 5584
  • opus in senio
Re: Posting Photos on CRPF
« Reply #31 on: May 12, 2015, 01:02:20 PM »
Tried to post pictures re-sized to max length/with (the greatest side) to 1000PX 45 PX/inch.
Works, but is it permanent or just luck????

dsk
Only examination of the remaining meta information in the image after each image alteration can answer that.

One solution of course is to always strip meta data from images and the forum configuration software has such an option. But this has very detrimental effects on image types that require certain meta data, such as animated GIF images. The animation is encoded as meta data and the image would be broken, if removed.

Security is an issue always relative to the environment against which it is assessed. This is a very closed community, every one must register and be approved by an actual person to post and the trustworthiness of everyone here has never, afaik, been questioned. We are also not running rogue code, or untested third party forum extensions, so the environment is in every aspect very controlled.

Therefore, I would encourage to simply remove the "security" check code from execution.

The only danger in this appears that when some one grabs an image from some website out there and posts it on the forum. It could be infected with some crafted exploit, and someone could subsequently download it and experience problems on their computer.  I don't think I ever upload images from third party sites, not even eBay, without first rewriting them in one of my image editors. Ebay images appear safe to me, though, as eBay processes them internally with the ImageMagick API (if I recall correctly), and inserts their own meta data.


Offline NorthernElectric

  • Hero Member
  • *****
  • Posts: 526
Re: Posting Photos on CRPF
« Reply #32 on: May 12, 2015, 03:03:48 PM »
...I would encourage to simply remove the "security" check code from execution.

The only danger in this appears that when some one grabs an image from some website out there and posts it on the forum. It could be infected with some crafted exploit, and someone could subsequently download it and experience problems on their computer.  I don't think I ever upload images from third party sites, not even eBay, without first rewriting them in one of my image editors. Ebay images appear safe to me, though, as eBay processes them internally with the ImageMagick API (if I recall correctly), and inserts their own meta data.

Even if eBay sanitizes uploaded images, many sellers use externally hosted images, eg. auctiva, inkfrog, etc.  Do we extend our trust to any site that may contain an image linked to by an IMG tag on an eBay page?  As an alternative to turning off image security checks on this forum, has this (from SMF 2.0 Online Manual: Attachments and Avatars) been tried?

Cliff

Offline DavePEI

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 4002
  • Telephone Museum of Prince Edward Island
    • The Telephone Museum of Prince Edward Island
Re: Posting Photos on CRPF
« Reply #33 on: May 12, 2015, 03:14:12 PM »
I agree it might be worthwhile removing the security check for a trial period, perhaps re-encoding as a precaution. If that solves the problem, then maybe we can move on. The loss of animated GIFs wouldn't be a big deal for the majority of users.

Dave
« Last Edit: May 12, 2015, 03:16:33 PM by DavePEI »
The Telephone Museum of Prince Edward Island:
http://www.islandregister.com/phones/museum.html
Free Admission - Call (902) 651-2762 to arrange a visit!
C*NET 1-651-0001

Offline unbeldi

  • Hero Member
  • *****
  • Posts: 5584
  • opus in senio
Re: Posting Photos on CRPF
« Reply #34 on: May 12, 2015, 03:17:02 PM »
...I would encourage to simply remove the "security" check code from execution.

The only danger in this appears that when some one grabs an image from some website out there and posts it on the forum. It could be infected with some crafted exploit, and someone could subsequently download it and experience problems on their computer.  I don't think I ever upload images from third party sites, not even eBay, without first rewriting them in one of my image editors. Ebay images appear safe to me, though, as eBay processes them internally with the ImageMagick API (if I recall correctly), and inserts their own meta data.

Even if eBay sanitizes uploaded images, many sellers use externally hosted images, eg. auctiva, inkfrog, etc.  Do we extend our trust to any site that may contain an image linked to by an IMG tag on an eBay page?  As an alternative to turning off image security checks on this forum, has this (from SMF 2.0 Online Manual: Attachments and Avatars) been tried?

The option you are citing is in fact is the option I mentioned earlier, and no, it has not been tried. I don't actually encourage that either for the reason I stated.

Basically, the "security" check in SMF is very poor, IMHO, extremely basic. For software that is as frequently used as SMF, I would expect more sophistication. Lacking that, these "features" become bugs.


Offline stub

  • Hero Member
  • *****
  • Posts: 1429
  • AE Type 14 A
Re: Posting Photos on CRPF
« Reply #35 on: August 23, 2015, 07:04:58 PM »
 unbeldi,
            Tried to post pic today, that I have posted in the past, and I can't pass security check either. What's up.  stub
Kenneth Stubblefield        
  CRPF
   TCI

Offline unbeldi

  • Hero Member
  • *****
  • Posts: 5584
  • opus in senio
Re: Posting Photos on CRPF
« Reply #36 on: August 23, 2015, 08:24:52 PM »
unbeldi,
            Tried to post pic today, that I have posted in the past, and I can't pass security check either. What's up.  stub

I don't know.  The exact same unmodified image?
JPEG images can be tricky, thinking about it, because when decoded they can be different every time, because the lossy compression forces slight changes.  I have not investigated that. 

Offline stub

  • Hero Member
  • *****
  • Posts: 1429
  • AE Type 14 A
Re: Posting Photos on CRPF
« Reply #37 on: August 23, 2015, 09:05:57 PM »
 unbeldi,
             The pic I tried to post was the AE cradle in black before I ran it thru the bead blaster. stub
Kenneth Stubblefield        
  CRPF
   TCI

Offline andre_janew

  • Hero Member
  • *****
  • Posts: 1409
Re: Posting Photos on CRPF
« Reply #38 on: August 24, 2015, 04:04:49 PM »
JPEG images and small pictures work for me!

Offline andy1702

  • ****
  • Posts: 337
  • UK Telephone Restorer
    • Andys Shed
Re: Posting Photos on CRPF
« Reply #39 on: October 29, 2016, 02:15:55 PM »
OK guys, I'm still having the 'failed security checks' thing.

Being quite new here, I'm just wondering why a JPG image needs to go through any kind of security check? I've never known this on any forum before and I've been on (and even run) quite a few. If security is so tight you can't do anything, what's the point of having the forum in the first place? I'm not sure what software is being used here, but I'd suggest PHPBB. It allows you to post images of any size straight to it and even place them between different areas of text in your post.

I find having to resize images a real hassle and even when I've done that I still can't get them to upload. I'd say remove the security checks because they obviously don't work as they should.
Call me on C*net 0246 81 290 from the UK
or (+44) 246 81 290 from the rest of the world.

For telephone videos search Andys Shed on Youtube.

Offline Brinybay

  • Hero Member
  • *****
  • Posts: 4295
Re: Posting Photos on CRPF
« Reply #40 on: October 29, 2016, 03:25:20 PM »
OK guys, I'm still having the 'failed security checks' thing.

Being quite new here, I'm just wondering why a JPG image needs to go through any kind of security check? I've never known this on any forum before and I've been on (and even run) quite a few. If security is so tight you can't do anything, what's the point of having the forum in the first place? I'm not sure what software is being used here, but I'd suggest PHPBB. It allows you to post images of any size straight to it and even place them between different areas of text in your post.

I find having to resize images a real hassle and even when I've done that I still can't get them to upload. I'd say remove the security checks because they obviously don't work as they should.

What program are you using to resize them?  I use LView Pro, but even with Paint (which I never use) I didn't have much trouble figuring out how to resize them.  I usually resize my pics ("my pics" being pictures I've taken myself) to 1/3 of the original size for uploading.  In both programs you have the option to choose a percentage, and in my case I usually choose 33.33% of the original, depending on the pic.
The idea that a four-year degree is the only path to worthwhile knowledge is insane.
- Mike Rowe

Offline Pourme

  • Hero Member
  • *****
  • Posts: 1338
  • Benny
Re: Posting Photos on CRPF
« Reply #41 on: October 29, 2016, 08:46:27 PM »
I use the resizer built into windows. Rt click and choose edit, follow the prompts...easy
The Internet is a telephone system that's gotten uppity

Offline andy1702

  • ****
  • Posts: 337
  • UK Telephone Restorer
    • Andys Shed
Re: Posting Photos on CRPF
« Reply #42 on: October 30, 2016, 03:36:38 PM »
I don't run Windows on any of my computers any more. Everything here has been using various flavours of Linux for the last 5 or 6 years and I've never run across this problem with images on any forum before. I edited the images in question on a desktop running Linux Mint 17.1 and used the widely know open source GIMP software. Images were in landscape format and resized to 1000 pixels on the longest edge, which made them both around 250kb, so well within the limits the forum is supposed to accept.
Call me on C*net 0246 81 290 from the UK
or (+44) 246 81 290 from the rest of the world.

For telephone videos search Andys Shed on Youtube.

Offline unbeldi

  • Hero Member
  • *****
  • Posts: 5584
  • opus in senio
Re: Posting Photos on CRPF
« Reply #43 on: October 30, 2016, 03:45:27 PM »
The problem is actually well understood and is a bug (not officially, of course) in Simple Machines Forum.  The "security" check is so primitive that it flags any image that happens to have the right bit sequence to mach a list of "forbidden" words or tags that could be used in malicious embedded code.  Problem is that the tags are commonly used also in meta information that is harmless, and even beneficial, or even necessary.

I posted a short computer program here in another thread that can be used to identify those images, using the exact algorithm, the same code snippet, that the forum software uses.  It could easily be completely disabled.

===========================

EDIT:  The above linked program can also be found in this 3 page topic about this issue.

http://www.classicrotaryphones.com/forum/index.php?topic=14032.0
« Last Edit: October 30, 2016, 06:23:17 PM by TelePlay »

Offline unbeldi

  • Hero Member
  • *****
  • Posts: 5584
  • opus in senio
Re: Posting Photos on CRPF
« Reply #44 on: October 30, 2016, 04:13:11 PM »
So, based on what I said, the problem is not the size of the picture, within reason, but the data.  A resized image could well have more or fewer offending bit sequences.
What is important in resizing, is that the image data is actually resampled in the process, rather than just cropped or extracted in some fashion without alteration of the critical area.  And if it is the EXIF or other other meta information, it may well be always inserted with the software used.  I created a special menu shortcut in my finder app to clean an image from all meta information using a Unix program, exiftool.  But this also cleans out the image size meta information, so I always have to reset the DPI parameter to what it was before.