phpBB doesn't strip image metadata

Posted: 2019-11-07, 08:57
by John connor
Also, phpBB doesn't strip metadata from images by default. Look in the phpbb folder/plupload/plupload.php file line 269. Add this:

'resize: {width: %d, height: %d, quality: 85,preserve_headers: false},',

Re: Own a Fitbit?

Posted: 2019-11-07, 09:20
by Moonchild
F22 Simpilot wrote:
2019-11-07, 08:57
Also, phpBB doesn't strip metadata from images by default. Look in the phpbb folder/plupload/plupload.php file line 269. Add this:

'resize: {width: %d, height: %d, quality: 85,preserve_headers: false},',
No. If you don't want metadata published then you should strip it before uploading.
I'm not having the board re-encoding images at an arbitrary quality factor either. That's just bad form, touching what people upload like that.

Re: Own a Fitbit?

Posted: 2019-11-07, 10:56
by John connor
Then change the quality to 100. The main line here is the

preserve_headers: false
It's a major security/privacy issue with metadata and many people may not know of this and willy-nilly upload a smartphone pic with their GPS coordinates attached.

See here: https://www.phpbb.com/community/viewtop ... &t=2528176

Re: phpBB doesn't strip image metadata

Posted: 2019-11-07, 14:27
by Moonchild
F22 Simpilot wrote:
2019-11-07, 10:56
Then change the quality to 100.
No. It'd still be recoding the uploaded content; in addition, you'd run the risk of someone uploading a crafted image that will inflate something fierce when recoded to q=1.0, bypassing the normal upload size restrictions for uploads.

And I'm aware of the potential privacy issue with metadata (there is no security issue here, please don't lump the two together) but that is still up to the uploader to clear if they are concerned about it. Metadata is also used for more things than just GPS coordinates on smartphone-sourced pics, including important image data for e.g. print reproduction, color correction or copyright information, and I don't want to strip that either.
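
The approach argued for in the post above (strip metadata before uploading, without recoding the image) can be done at the byte level by dropping only the Exif segment of a JPEG. This is an added example, not code from the thread, phpBB or plupload; the function names and sample bytes are constructed for illustration, and XMP or IPTC blocks are left in place.

```javascript
// Added example: remove Exif APP1 segments from a JPEG without decoding it.
function stripExif(bytes) {
  if (bytes.length < 4 || bytes[0] !== 0xff || bytes[1] !== 0xd8) {
    throw new Error("not a JPEG: missing SOI marker");
  }
  const kept = [bytes.subarray(0, 2)]; // keep SOI
  let removed = 0, pos = 2;
  while (pos < bytes.length) {
    if (pos + 2 > bytes.length || bytes[pos] !== 0xff) {
      throw new Error("malformed marker at offset " + pos);
    }
    const marker = bytes[pos + 1];
    if (marker === 0xda || marker === 0xd9) {
      // SOS or EOI: the rest is compressed scan data, copied byte for byte.
      kept.push(bytes.subarray(pos));
      break;
    }
    if (pos + 4 > bytes.length) throw new Error("truncated segment at offset " + pos);
    const len = (bytes[pos + 2] << 8) | bytes[pos + 3]; // includes the 2 length bytes
    const end = pos + 2 + len;
    if (len < 2 || end > bytes.length) throw new Error("bad length at offset " + pos);
    const id = String.fromCharCode(...bytes.subarray(pos + 4, Math.min(pos + 10, end)));
    if (marker === 0xe1 && id === "Exif\0\0") removed++; // drop EXIF (holds the GPS IFD)
    else kept.push(bytes.subarray(pos, end)); // keep JFIF, ICC profile, tables, ...
    pos = end;
  }
  const out = new Uint8Array(kept.reduce((n, part) => n + part.length, 0));
  let offset = 0;
  for (const part of kept) { out.set(part, offset); offset += part.length; }
  return { data: out, removed };
}

// Constructed sample (not a real photo): SOI, JFIF, Exif, ICC profile, SOS + scan bytes, EOI.
function buildSample() {
  const text = (s) => Array.from(s, (c) => c.charCodeAt(0));
  const seg = (marker, payload) =>
    [0xff, marker, (payload.length + 2) >> 8, (payload.length + 2) & 0xff, ...payload];
  return Uint8Array.from([
    0xff, 0xd8,
    ...seg(0xe0, text("JFIF\0")),
    ...seg(0xe1, text("Exif\0\0fake-gps-block")),
    ...seg(0xe2, text("ICC_PROFILE\0fake-profile")),
    ...seg(0xda, [0x00]), 0x12, 0x34, 0x56,
    0xff, 0xd9,
  ]);
}

const result = stripExif(buildSample());
console.log(`removed ${result.removed} Exif segment(s), ${result.data.length} bytes kept`);
```

Because nothing is decoded or recompressed, the output can only be smaller than the input, so the upload size limit still holds.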

Re: Own a Fitbit?

Posted: 2019-11-07, 18:48
by Konrad
Moonchild wrote:
2019-11-07, 09:20
If you don't want metadata published then you should strip it before uploading.
I think it’s more than obvious even to unadvanced users like me.
And a website does not have to be a filter-of-all-faults.

Re: phpBB doesn't strip image metadata

Posted: 2019-11-07, 20:26
by Moonchild
Anyway, thanks for drawing attention to this. Looks like phpBB has been stripping metadata unknowingly because of an undocumented update in one of the later phpBB 3.2 versions that would trigger a recode even if the original image didn't have to be recoded (size and resolution not exceeding max). That has now been fixed.

Re: phpBB doesn't strip image metadata

Posted: 2019-11-08, 22:15
by John connor
Where is that info, so I can have a look at it?

Re: phpBB doesn't strip image metadata

Posted: 2019-11-08, 22:22
by Moonchild
Where do you think? In the very thread on the phpBB forum you linked to.

Re: phpBB doesn't strip image metadata

Posted: 2019-11-08, 22:29
by John connor
Odd, I don't recall reading that there. I'll go over it again. I tested with the upload of a photo from my phone to my own board and the metadata was intact. Using 3.2.8. I've since added that plupload code and that does strip the metadata.

Re: Own a Fitbit?

Posted: 2019-11-08, 22:31
by John connor
Konrad wrote:
2019-11-07, 18:48
Moonchild wrote:
2019-11-07, 09:20
If you don't want metadata published then you should strip it before uploading.
I think it’s more than obvious even to unadvanced users like me.
And a website does not have to be a filter-of-all-faults.
Social media now strips metadata due to this issue. Can you imagine if they left it intact? Like web stalkers and shit?

Re: phpBB doesn't strip image metadata

Posted: 2019-11-09, 08:03
by Moonchild
F22 Simpilot wrote:
2019-11-08, 22:31
Social media now strips metadata due to this issue.
Social media is used with direct sharing from mobile devices where stripping this data before upload is difficult; requirements are different there.