phpBB doesn't strip image metadata

About this bulletin board and the Pale Moon website

Moderators: FranklinDM, Lootyhoof

Post Reply
User avatar
John connor
Board Warrior
Board Warrior
Posts: 1292
Joined: 2015-01-21, 05:06
Location: From RLG fly heading 053 intercept 315 DVV look for the SAM

phpBB doesn't strip image metadata

Post by John connor » 2019-11-07, 08:57

Also, phpBB doesn't strip metadata from images by default. Look in the phpbb folder/plupload/plupload.php file line 269. Add this:

Code: Select all

'resize: {width: %d, height: %d, quality: 85,preserve_headers: false},',
Imagine if God created a creature that was bipedal, soft and cuddly, stood about 9 inches tall and sang. Then called him Gizmo.

Interested in a secure Linux environment? Check out Qubes. Wanna help secure your browsing? Check out the now free Sandboxie.

User avatar
Moonchild
Pale Moon guru
Pale Moon guru
Posts: 26674
Joined: 2011-08-28, 17:27
Location: 58°2'16"N 14°58'31"E
Contact:

Re: Own a Fitbit?

Post by Moonchild » 2019-11-07, 09:20

F22 Simpilot wrote:
2019-11-07, 08:57
Also, phpBB doesn't strip metadata from images by default. Look in the phpbb folder/plupload/plupload.php file line 269. Add this:

Code: Select all

'resize: {width: %d, height: %d, quality: 85,preserve_headers: false},',
No. If you don't want metadata published then you should strip it before uploading.
I'm not having the board re-encoding images at an arbitrary quality factor either. That's just bad form, touching what people upload like that.
"There will be times when the position you advocate, no matter how well framed and supported, will not be accepted by the public simply because you are who you are." -- Merrill Rose
Image

User avatar
John connor
Board Warrior
Board Warrior
Posts: 1292
Joined: 2015-01-21, 05:06
Location: From RLG fly heading 053 intercept 315 DVV look for the SAM

Re: Own a Fitbit?

Post by John connor » 2019-11-07, 10:56

Then change the quality to 100. The main line here is the

Code: Select all

preserve_headers: false
It's a major security/privacy issue with metadata and many people may not know of this and willy nilly upload a smartphone pic with their GPS coordinates attached.

See here: https://www.phpbb.com/community/viewtop ... &t=2528176
Imagine if God created a creature that was bipedal, soft and cuddly, stood about 9 inches tall and sang. Then called him Gizmo.

Interested in a secure Linux environment? Check out Qubes. Wanna help secure your browsing? Check out the now free Sandboxie.

User avatar
Moonchild
Pale Moon guru
Pale Moon guru
Posts: 26674
Joined: 2011-08-28, 17:27
Location: 58°2'16"N 14°58'31"E
Contact:

Re: phpBB doesn't strip image metadata

Post by Moonchild » 2019-11-07, 14:27

F22 Simpilot wrote:
2019-11-07, 10:56
Then change the quality to 100.
No. It'd still be recoding the uploaded content; in addition, you'd run the risk of someone uploading a crafted image that will inflate something fierce when recoded to q=1.0, bypassing the normal upload size restrictions for uploads.

And I'm aware of the potential privacy issue with metadata (there is no security issue here, please don't lump the two together) but that is still up to the uploader to clear if they are concerned about it. Metadata is also used for more things than just GPS coordinates on smartphone-sourced pics, including important image data for e.g. print reproduction, color correction or copyright information, and I don't want to strip that either.
"There will be times when the position you advocate, no matter how well framed and supported, will not be accepted by the public simply because you are who you are." -- Merrill Rose
Image

User avatar
Konrad
Fanatic
Fanatic
Posts: 120
Joined: 2018-11-17, 18:19

Re: Own a Fitbit?

Post by Konrad » 2019-11-07, 18:48

Moonchild wrote:
2019-11-07, 09:20
If you don't want metadata published then you should strip it before uploading.
I think it’s more than obvious even to unadvanced users like me.
And a website does not have to be a filter-of-all-faults.

User avatar
Moonchild
Pale Moon guru
Pale Moon guru
Posts: 26674
Joined: 2011-08-28, 17:27
Location: 58°2'16"N 14°58'31"E
Contact:

Re: phpBB doesn't strip image metadata

Post by Moonchild » 2019-11-07, 20:26

Anyway, thanks for drawing attention to this. Looks like phpBB has been stripping metadata unknowingly because of an undocumented update in one of the later phpBB 3.2 versions that would trigger a recode even if the original image didn't have to be recoded (size and resolution not exceeding max). That has now been fixed.
"There will be times when the position you advocate, no matter how well framed and supported, will not be accepted by the public simply because you are who you are." -- Merrill Rose
Image

User avatar
John connor
Board Warrior
Board Warrior
Posts: 1292
Joined: 2015-01-21, 05:06
Location: From RLG fly heading 053 intercept 315 DVV look for the SAM

Re: phpBB doesn't strip image metadata

Post by John connor » 2019-11-08, 22:15

Where is that Info. so I can have a look at it.
Imagine if God created a creature that was bipedal, soft and cuddly, stood about 9 inches tall and sang. Then called him Gizmo.

Interested in a secure Linux environment? Check out Qubes. Wanna help secure your browsing? Check out the now free Sandboxie.

User avatar
Moonchild
Pale Moon guru
Pale Moon guru
Posts: 26674
Joined: 2011-08-28, 17:27
Location: 58°2'16"N 14°58'31"E
Contact:

Re: phpBB doesn't strip image metadata

Post by Moonchild » 2019-11-08, 22:22

Where do you think? In the very thread on the phpBB forum you linked to.
"There will be times when the position you advocate, no matter how well framed and supported, will not be accepted by the public simply because you are who you are." -- Merrill Rose
Image

User avatar
John connor
Board Warrior
Board Warrior
Posts: 1292
Joined: 2015-01-21, 05:06
Location: From RLG fly heading 053 intercept 315 DVV look for the SAM

Re: phpBB doesn't strip image metadata

Post by John connor » 2019-11-08, 22:29

Odd, I don't recall reading that there. I'll go over it again. I tested with the upload of a photo from my phone to my own board and the metadata was intact. Using 3.2.8. I've since added that plupload code and that does strip the metadata.
Imagine if God created a creature that was bipedal, soft and cuddly, stood about 9 inches tall and sang. Then called him Gizmo.

Interested in a secure Linux environment? Check out Qubes. Wanna help secure your browsing? Check out the now free Sandboxie.

User avatar
John connor
Board Warrior
Board Warrior
Posts: 1292
Joined: 2015-01-21, 05:06
Location: From RLG fly heading 053 intercept 315 DVV look for the SAM

Re: Own a Fitbit?

Post by John connor » 2019-11-08, 22:31

Konrad wrote:
2019-11-07, 18:48
Moonchild wrote:
2019-11-07, 09:20
If you don't want metadata published then you should strip it before uploading.
I think it’s more than obvious even to unadvanced users like me.
And a website does not have to be a filter-of-all-faults.
Social media now strips metadata due to this issue. Can you imagine if they left it intact? Like web stalkers and shit?
Imagine if God created a creature that was bipedal, soft and cuddly, stood about 9 inches tall and sang. Then called him Gizmo.

Interested in a secure Linux environment? Check out Qubes. Wanna help secure your browsing? Check out the now free Sandboxie.

User avatar
Moonchild
Pale Moon guru
Pale Moon guru
Posts: 26674
Joined: 2011-08-28, 17:27
Location: 58°2'16"N 14°58'31"E
Contact:

Re: phpBB doesn't strip image metadata

Post by Moonchild » 2019-11-09, 08:03

F22 Simpilot wrote:
2019-11-08, 22:31
Social media now strips metadata due to this issue.
Social media is used with direct sharing from mobile devices where stripping this data before upload is difficult; requirements are different there.
"There will be times when the position you advocate, no matter how well framed and supported, will not be accepted by the public simply because you are who you are." -- Merrill Rose
Image

Post Reply