The following add-ons have been updated today:
* Avatars. A function using the scanFilePHP function of the new release has been added; adjustments were also made to the templates to provide more customized messages regarding uploaded files. Some functions which were lost in the past for some reason are also back: if file uploads are disabled ($avatarMaxFileSize=0) or pre-defined avatars are disabled ($chooseTableCells=0), these options should be removed from the Avatars section of the Profile. Updated files are: addon_avatar.php
* File Bank
. Now it will also use the scanFilePHP function, which allows only binary files NOT having a <?php tag inside to pass. Updated file is addon_storage.php
I have also improved miniBB's Requirements page and the core installation file (_install.php) to provide more instructions and analysis of the short_open_tag function of PHP.
Since the new version 3.1 scans for <?php tags in all case combinations, it would make no sense to have short_open_tag set to ON, thereby allowing 3rd-party scripts to be executed even if they are not PHP. short_open_tag should be set to OFF; if PHP code is not allowed to execute through the short tag, i.e. <?, that adds important bits of security to all file-upload-related scripts, which are mentioned above and which are going to be updated in the near future, too. That actually means that if an intruder uploads a malicious file in some backdoor way, it will not pass if it has a <?php tag inside; and if it has <? tags, it won't execute.
That's why there is also a special note about the maximum size of uploaded files (the name of this setting varies for different add-ons). The file uploading script will scan the uploaded file for possible PHP tags, to avoid "trojans" and PHP code built into a binary source. That's why our recommendation is to keep the maximum size of uploaded files reasonable. As has been tested, on most servers files less than 20 Mb in size are scanned in an allowed time (it may take a couple of seconds); however, bigger files become slower to scan, because the script needs to open a large array of data and pass through it line by line. In most cases, a maximum size of a couple of Mb is enough for most forums, so try not to exceed this value.
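As an added illustration of the kind of check described above (example code written for this note, not miniBB's scanFilePHP or any code from the add-ons): it scans an upload for a <?php tag in any case combination, reads the file in chunks so large files are not loaded whole, and enforces a size cap up front. The function name, the $maxBytes parameter and the sample bytes are this example's own.

```php
<?php
// Added example, not miniBB's own scanFilePHP(): reject an uploaded file if it
// contains a PHP open tag. The function name and $maxBytes are this example's own.
function scan_upload_for_php_tags(string $path, int $maxBytes = 2 * 1024 * 1024): array
{
    // Scanning cost grows with file size, so enforce the size cap before reading.
    $size = filesize($path);
    if ($size === false || $size > $maxBytes) {
        return ['ok' => false, 'reason' => 'file exceeds the scan size limit'];
    }
    // Match "<?php" in any case combination. The bare short tag "<?" is only two
    // bytes and occurs by chance in compressed binary data (images, archives), so
    // scanning for it would reject legitimate uploads; that is why the short tag
    // is neutralised by setting short_open_tag=Off on the server instead.
    $pattern = '/<\?php/i';
    $fh = fopen($path, 'rb');
    if ($fh === false) {
        return ['ok' => false, 'reason' => 'cannot open file'];
    }
    // Read in fixed-size chunks instead of loading the whole file into memory.
    // $carry keeps the last bytes of the previous chunk so a tag that straddles
    // a chunk boundary is still detected.
    $chunkSize = 65536;
    $carry = '';
    $found = false;
    while (!feof($fh)) {
        $chunk = fread($fh, $chunkSize);
        if ($chunk === false) {
            break;
        }
        $buf = $carry . $chunk;
        if (preg_match($pattern, $buf) === 1) {
            $found = true;
            break;
        }
        $carry = substr($buf, -8);
    }
    fclose($fh);
    return $found
        ? ['ok' => false, 'reason' => 'PHP open tag found in upload']
        : ['ok' => true, 'reason' => ''];
}

// Constructed sample: image-like bytes with a mixed-case tag planted in the middle.
$tmp = tempnam(sys_get_temp_dir(), 'scan');
file_put_contents($tmp, "\xFF\xD8\xFF\xE0 JFIF <?PhP echo 'planted'; ?> \xFF\xD9");
var_dump(scan_upload_for_php_tags($tmp)['ok']);
unlink($tmp);
```

The size cap mirrors the post's advice to keep the maximum upload size to a couple of Mb, since the scan is linear in file size.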