Jump to content

"Serve images from local server" and https images


SeaTea
 Share

Recommended Posts

I started this bug report:

Quote

When the option "Serve images from local server?" is ON, all external images are proxified even if an image already has an HTTPS URL. This wastes traffic and server resources.

Could you change this so only http:// images are cached/proxied and https:// images not ?  (or make this choice configurable).

@Matt closed this bug report and commented:

There have been more discussions on this topic, but I did not see a bug-report. maybe it was also removed.  Off-course it is not a real "bug causing the forum not to work", but the way this function is designed now, it will always proxy an external image, even if it is from a https-source.  I think the change should be: check if the "image URL" is "http://" -> then operate as it is now.  If URL is "https://" just do nothing.  The main reason for this proxy function is browser-errors if you operate a https forum with mixed content.  Nowadays (with letsencrypt) every forum can (should) use https so I think it is important to avoid 'mixed content'.

Reason for this request:
It will save traffic and server resources and I do not like to serve too much (external) images as 'our images' to visitors.  There could be a legal issue in some cases (copyrighted and inappropriate pictures), so I prefer to have "quoted pictures from other sites"  as many as possible instead of serve them as 'my own' pictures.

I am not a programmer myself, but I think this change should not be too difficult and if you make the 'https" check configurable also people who like to always proxy every picture are happy.

Link to comment
Share on other sites

The thing is that I NEVER EVER enable this switch.

We had 3 (three) tickets with them two are critical issues whereof one is still unfixed because there are so many obvious bugs. In this case we are able to circumvent the php memory limit and overfill the servers memory to it's limit. Which fills the servers swap and maybe the servers crashes or it is damn slow. Every time a user is looking at the page where the prepared image is the server is trying to load the poc file we made and crashes again, again and again. There is no possibility to remove the image in the acp. The only option is to find it and remove the link in the database and to hope the attacker won't do it again.

This is still unfixed and possible with the GD library btw. PHP security team confirmed that this is a software validation error rather a bug from PHP itself. @Charles @Matt

Link to comment
Share on other sites

  • 7 months later...
 Share

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...