image upload no filter?

YOLO

i can upload .html .php .txt, etc
test.php
test.html

luke

Well, this is concerning. @julian @psychobunny @baris

a_5mith

No it's not... It's a setting in the ACP.

luke

Oh well that's good then, crisis averted! I guess the devs have that enabled for better troubleshooting when helping people.

Still, shouldn't there be some sort of filetype restriction?

A Former User

@a_5mith said:

No it's not... It's a setting in the ACP.

Was just about to post this. You ninja!

a_5mith

@luke That would probably be a feature request more than anything. I'm not an expert on whether vulnerabilities would be open by uploading a specific file via the upload feature.

julian

I'll say it first -- I hate local uploads. It's really hard to do them right. This is why NodeBB supported only gravatars and imgur uploads up until fairly recently...

A Former User

@a_5mith, depending on the attack vector even an image file could be dangerous if containing some malicious bash script which could potentially be executed.

Just another reason an imgur auto-upload plugin is awesome - the image is passed through api straight to imgur, so on access it runs from their servers, not your own.

trevor

Can we do filtering for uploads to restrict/allow certain file extensions? We could use this format: jpg|gif|png|txt|pdf as allowed, and everything else is restricted. You'd have to explicitly add the extensions you want to allow in an input box in the ACP.

A Former User

@julian said:

I'll say it first -- I hate local uploads. It's really hard to do them right. This is why NodeBB supported only gravatars and imgur uploads up until fairly recently...

It's nearly impossible to have a completely secure platform with local uploads. Your aversion of them is wise, and well respected.

A Former User

@trevor Extension spoofing could still be an issue, or as I previously mentioned the inclusion of malicious bash scripting.

trevor

@Ted said:

@trevor Extension spoofing could still be an issue, or as I previously mentioned the inclusion of malicious bash scripting.

I was aware of this a while back, which is why I've disabled file uploads on my site until the team can get some further security discussions such as this one initiated to find the best solution to deal with these types of issues.

A Former User

@trevor Remote uploads only seems to be the best option. Though you miss out if a service goes down. To imgur's credit, it doesn't break for long on the rare occasion it does.

trevor

@Ted In my use case, the only reason I'd have them uploaded on the server is for manipulation - for a bit more quality, better upscaling and some other things.

DegJ

This is still working pretty well to upload basically any fileype. This on a git clone from last night.
Having "Allow users to upload regular files"(having no effect turning this on or off) unchecked and using the upload image from the imgur plugin as the uploader. It only gets uploaded to imgur if it's a .jpg file, all else gets uploaded locally.

Also, .png files gets uploaded locally as well, but afterwards the url isn't replaced, but it says (uploaded 100%) after the filename.
Above works the same here on this nodebb installation.

examples below:
output.log

baris

Just fixed a bunch of checks for local uploads in https://github.com/NodeBB/NodeBB/commit/61f7f0f8890f2fee404fb4fac77d627b4c184489. You shouldn't be able to upload locally now if the setting is turned off. As for png images not going to imgur I couldn't reproduce that.

DegJ

@baris
Was able to pinpoint why the pngs weren't uploading. Its because the filename was using scandinavian letters, ÅÄÖ in it. If I remove them it works.