So, the avatars are being uploaded to the server (under ./uploads/avatars). But when it comes to display them, it just fails as if the image didnt exist.
[removed_link] if you wanna give it a try.
How do you expect someone test it in a mandatory login member-only board?
(2019-04-18, 03:57 PM)effone Wrote: [ -> ]How do you expect someone test it in a mandatory login member-only board?
Fixed, sorry.
There are 3 users with remote avatars (working).
And 1 with uploaded avatar (not workin)
trying to access the url of the uploaded avatar on your test thread results in a 403 forbidden code rather than a 404 as if it doesn't exist, so i would check and make sure your uploads/avatars folder is set up to allow its contents to be visible on the web by hotlinking.
try setting the permissions of the .uploads/avatars/ folder that contains the images to 755 or 777 instead of whatever they're set to now (if it's currently anything different).
Fixed.
For some reason the NGINX wiki recommends to do this:
# Deny access to internal files.
location ~ /(inc|uploads/avatars) {
deny all;
}
Source:
https://www.nginx.com/resources/wiki/sta...ipes/mybb/
But that of course leads to images not displaying.
Any idea why they suggest this?
Thanks
Uploaded images may contain sensitive data (scanned passports etc) which are internal use only and not for public access.
I have read somewhere something like this. May be that kind is the reason ...
This page was written before june 2015... pretty old.
The explanation given:
Quote:There is a potential security flaw, e.g. if a user uploads an avatar images pic.gif with valid PHP-Code and calls it with /uploades/avatars/pic.gif/foo.php. The issue is discussed here <pitfalls.uncontrollable_requests_to_php_>. Because the link is ending with .php, NGINX is passing it to the PHP interpreter. PHP can’t find the file /uploades/avatars/pic.gif/foo.php, but it tries to be smart and executes /uploades/avatars/pic.gif as an PHP-script.