phpBB doesn't strip image metadata

[John connor]

Also, phpBB doesn't strip metadata from images by default. Look in the phpbb folder/plupload/plupload.php file line 269. Add this:

Code: Select all

'resize: {width: %d, height: %d, quality: 85,preserve_headers: false},',

[Moonchild]

Also, phpBB doesn't strip metadata from images by default. Look in the phpbb folder/plupload/plupload.php file line 269. Add this:

Code: Select all

'resize: {width: %d, height: %d, quality: 85,preserve_headers: false},',

No. If you don't want metadata published then you should strip it before uploading.
I'm not having the board re-encoding images at an arbitrary quality factor either. That's just bad form, touching what people upload like that.

[John connor]

Then change the quality to 100. The main line here is the

Code: Select all

preserve_headers: false

It's a major security/privacy issue with metadata and many people may not know of this and willy nilly upload a smartphone pic with their GPS coordinates attached.

See here: https://www.phpbb.com/community/viewtop ... &t=2528176

[Moonchild]

Then change the quality to 100.

No. It'd still be recoding the uploaded content; in addition, you'd run the risk of someone uploading a crafted image that will inflate something fierce when recoded to q=1.0, bypassing the normal upload size restrictions for uploads.

And I'm aware of the potential privacy issue with metadata (there is no security issue here, please don't lump the two together) but that is still up to the uploader to clear if they are concerned about it. Metadata is also used for more things than just GPS coordinates on smartphone-sourced pics, including important image data for e.g. print reproduction, color correction or copyright information, and I don't want to strip that either.

[Konrad]

If you don't want metadata published then you should strip it before uploading.

I think it’s more than obvious even to unadvanced users like me.
And a website does not have to be a filter-of-all-faults.

[Moonchild]

Anyway, thanks for drawing attention to this. Looks like phpBB has been stripping metadata unknowingly because of an undocumented update in one of the later phpBB 3.2 versions that would trigger a recode even if the original image didn't have to be recoded (size and resolution not exceeding max). That has now been fixed.

[John connor]

Where is that Info. so I can have a look at it.

[Moonchild]

Where do you think? In the very thread on the phpBB forum you linked to.

[John connor]

Odd, I don't recall reading that there. I'll go over it again. I tested with the upload of a photo from my phone to my own board and the metadata was intact. Using 3.2.8. I've since added that plupload code and that does strip the metadata.

[John connor]

If you don't want metadata published then you should strip it before uploading.

I think it’s more than obvious even to unadvanced users like me.
And a website does not have to be a filter-of-all-faults.

Social media now strips metadata due to this issue. Can you imagine if they left it intact? Like web stalkers and shit?

[Moonchild]

Social media now strips metadata due to this issue.

Social media is used with direct sharing from mobile devices where stripping this data before upload is difficult; requirements are different there.