View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 4653 | Composr | core | public | 2021-05-28 01:55 | 2021-05-28 01:55 |
| Reporter | Chris Graham | Assigned To | Chris Graham | ||
| Priority | high | Severity | Security-hole | ||
| Status | resolved | Resolution | fixed | ||
| Product Version | 10.0.37 | ||||
| Fixed in Version | 10.0.38 | ||||
| Summary | 4653: Strip GPS EXIF data by default | ||||
| Description | A naive user, particularly on a smartphone or tablet, may upload a JPEG file from their camera that contains their GPS coordinates. Users very likely do not know this is a thing, and it's a major personal data link if it happens. Social media networks strip this kind of thing by default, or they get security vulnerabilities filed against them when they don't. CMSs like Composr should do the same. That said, we need to make it configurable - so I have made catalogue field options, and a hidden option for galleries, if the data is to be preserved. If the webmaster enables that it's on them to communicate the privacy implications to users, or just assume users will be wise to what they are uploading. | ||||
| Tags | No tags attached. | ||||
| Attach Tags | |||||
| Attached Files | |||||
| Time estimation (hours) | |||||
| Sponsorship open | |||||
|
|
Fixed in git commit 4ebed9c0e (https://gitlab.com/composr-foundation/composr/commit/4ebed9c0e - link will become active once code pushed to GitLab) A hotfix (a TAR of files to upload) has been uploaded to this issue. These files are made to the latest intra-version state (i.e. may roll in earlier fixes too if made to the same files) - so only upload files newer than what you have already. If there are files in a hot-fix that you don't have then they probably relate to addons that you don't have installed and should be skipped. Always take backups of files you are replacing or keep a copy of the manual installer for your version, and only apply fixes you need. These hotfixes are not necessarily reliable or well supported. Not sure how to extract TAR files to your Windows computer? Try 7-zip (http://www.7-zip.org/). |
