On Mon, Oct 31, 2005 at 09:38:47PM +0100, Moritz Muehlenhoff wrote: > Thijs Kinkhorst wrote: > > After reading that text, I come to the conclusion that this is an issue > > in IE, not in phpBB. The bug is that IE will interpret files of type > > text/jpeg as HTML if they are in fact HTML. Hence, this is not a bug in > > phpBB, but something that affects anything where users can upload > > images, e.g.: all bulletin boards, many wikis, photo gallery software, > > webmail clients etc etc. > > > > There's no clear path to a fix these things there, while Microsoft is > > appearently working on patching the problem on their side. Therefore, > > I'm concluding that this is not a phpbb bug. Do you agree? > > Given that phpbb2 is an application whose bugs are actively exploited > and lots of Windows users run unpatched software I'd recommend a fix. > (2.0.18 contains a patch to to circumvent the problem).
We'll upload 2.0.18 to unstable and it'll go into testing soon enough. For stable... The fix is a bit intrusive, and still will only fix new uploads, not existing ones. Sure phpBB might get used to exploit this IE bug, but so will any software that you can upload pictures to that doesn't really check them much... I'm curious whether someone can come up with one good reason to include such a patch in stable, possibly breaking things, and not being complete in any case without having some tricky postinst stuff that will scan full avatar dirs and stuff like that. On the other hand, we also do fix XSS bugs that get 'introduced' because IE starts executing random code in some newly Microsoft-invented HTML tag, as happened earlier (though the fix was not exclusively for that). > For stable it's different, though. (The maintainers don't even seem to > know patches, see http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=336756 > for a bizarre message, with lots of instruction like > > FIND line 75: > code foo > > AFTER, ADD > code bar Welcome to the world of phpBB, where /usr/bin/{diff,patch} hasn't been invented yet. --Jeroen -- Jeroen van Wolffelaar [EMAIL PROTECTED] (also for Jabber & MSN; ICQ: 33944357) http://Jeroen.A-Eskwadraat.nl -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
