Not Solved [General] MyBB fails to load uploaded avatars
#1
Not Solved
So, the avatars are being uploaded to the server (under ./uploads/avatars). But when it comes to displaying them, it just fails as if the image didn't exist.

[removed_link] if you wanna give it a try.
Reply
#2
Not Solved
How do you expect someone to test it in a mandatory login member-only board?
Reply
#3
Not Solved
(2019-04-18, 03:57 PM)effone Wrote: How do you expect someone to test it in a mandatory login member-only board?

Fixed, sorry.
There are 3 users with remote avatars (working).
And 1 with uploaded avatar (not working).
Reply
#4
Not Solved
trying to access the url of the uploaded avatar on your test thread results in a 403 forbidden code rather than a 404 as if it doesn't exist, so i would check and make sure your uploads/avatars folder is set up to allow its contents to be visible on the web by hotlinking.

try setting the permissions of the .uploads/avatars/ folder that contains the images to 755 or 777 instead of whatever they're set to now (if it's currently anything different).
Reply
#5
Not Solved
Fixed.

For some reason the NGINX wiki recommends to do this:


# Deny access to internal files.
location ~ /(inc|uploads/avatars) {
    deny all;
}

Source: https://www.nginx.com/resources/wiki/sta...ipes/mybb/


But that of course leads to images not displaying.
Any idea why they suggest this?

Thanks
Reply
#6
Not Solved
Uploaded images may contain sensitive data (scanned passports etc) which are internal use only and not for public access.
I have read somewhere something like this. Maybe something of that kind is the reason ...
Reply
#7
Not Solved
This page was written before June 2015... pretty old.
The explanation given:
Quote: There is a potential security flaw, e.g. if a user uploads an avatar image pic.gif with valid PHP code and calls it with /uploades/avatars/pic.gif/foo.php. The issue is discussed here <pitfalls.uncontrollable_requests_to_php_>. Because the link ends with .php, NGINX passes it to the PHP interpreter. PHP can't find the file /uploades/avatars/pic.gif/foo.php, but it tries to be smart and executes /uploades/avatars/pic.gif as a PHP script.
Chat in French
Do not ask me for help through PM or Discord

Reply
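
The explanation quoted in post #7 comes down to requests under the avatar directory reaching the PHP handler. The configuration below is an added example, not part of the thread or of the NGINX wiki recipe: it keeps uploaded avatars viewable while keeping that directory away from PHP. The server name, install path and PHP-FPM socket are assumptions.

```nginx
# Added example. server_name, root and the fastcgi_pass socket are
# assumed values; adjust them to the actual installation.
server {
    listen 80;
    server_name forum.example.test;   # placeholder host
    root /var/www/mybb;               # assumed MyBB install path
    index index.php;

    # Internal code and settings: never served over HTTP.
    location ^~ /inc/ {
        deny all;
    }

    # Uploaded avatars: static files only.
    # The ^~ modifier makes nginx stop at this prefix match and skip all
    # regex locations, including "\.php$" below. A request for
    # /uploads/avatars/pic.gif/foo.php is therefore looked up on disk,
    # is not found, and returns 404 without ever reaching PHP.
    location ^~ /uploads/avatars/ {
        try_files $uri =404;
        add_header X-Content-Type-Options nosniff;
    }

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
        # Only hand a request to PHP if the .php file really exists, so a
        # trailing /foo.php after another file name is rejected here too.
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # assumed socket path
    }
}
```

On the PHP side, setting `cgi.fix_pathinfo=0` in php.ini turns off the path guessing the quote describes, and PHP-FPM's `security.limit_extensions` restricts which file extensions it will execute.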

