Sorry, the file you are trying to upload is not authorized


  • BINNED

    Hmmm... Anyone who knows more about MIME types care to give this a go? I tried changing the extension (the idiot approach) and it would SEEM that the upload actually goes through first, so validation is server side...



  • Well, what did you try to upload? A regular image of one of those kinds with a different extension?

    It basically sounds like they're validating it on the filename only rather than the content, since detecting content is voodoo anyway.


  • BINNED

    @Arantor said:

    It basically sounds like they're validating it on the filename only rather than the content, since detecting content is voodoo anyway.

    Filename for the upload, serverside for the content. Makes sense, really, but with Discurse's love for JS I don't assume anything any more.

    And I just tried a .mp4 with changed extension, idiot approach as I said. But I wonder if it would be possible to inject some Ruby or JS (remember, it seems some JS is running server-side as well) like that.

    DISCLAIMER: I do not intend or encourage malicious use. The only reason I thought of it is because I dragged the wrong file in by accident.



  • Well... there's a limit to what gets exposed on the client side, it could certainly validate the filename as being consistent with the list of valid formats.

    Validating content on the server can be quite complicated depending on exactly what you're trying to validate for.


  • BINNED

    They only allow images, as per popup. So MIME info I guess, possibly combined with valid image headers.



  • Maybe. Or maybe it's something as simple as trying to make a thumbnail out of it and if it fails, assume it's wrong.
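
Added example, not part of any post in this thread and not Discourse's own code: a Ruby sketch of the two checks discussed above, the filename extension against an allow-list and the file's leading bytes against known image signatures. The helper names, the signature table and the sample byte strings are constructed for illustration.

```ruby
# Leading-byte signatures for the image types this sketch accepts.
SIGNATURES = {
  png:  ["\x89PNG\r\n\x1A\n".b],
  jpeg: ["\xFF\xD8\xFF".b],
  gif:  ["GIF87a".b, "GIF89a".b]
}.freeze

# Allowed filename extensions and the content type each one claims.
EXTENSIONS = { "png" => :png, "jpg" => :jpeg, "jpeg" => :jpeg, "gif" => :gif }.freeze

# Return the image type implied by the first bytes, or nil if none match.
def sniff_image_type(bytes)
  head = bytes.to_s.b[0, 16]
  SIGNATURES.each do |type, sigs|
    return type if sigs.any? { |sig| head.start_with?(sig) }
  end
  nil
end

# Check the name and the content independently, then require them to agree.
# Returns [accepted?, reason].
def check_upload(filename, bytes)
  ext = File.extname(filename.to_s).delete_prefix(".").downcase
  claimed = EXTENSIONS[ext]
  return [false, "extension not allowed"] unless claimed

  actual = sniff_image_type(bytes)
  return [false, "content is not a recognised image"] unless actual
  return [false, "extension says #{claimed}, content is #{actual}"] unless actual == claimed

  [true, "ok"]
end

# Constructed sample inputs: a PNG header, and the start of an MP4 ("ftyp" box).
SAMPLE_PNG = "\x89PNG\r\n\x1A\n".b + ("\x00".b * 8)
SAMPLE_MP4 = "\x00\x00\x00\x18ftypmp42".b

if __FILE__ == $PROGRAM_NAME
  p check_upload("photo.PNG", SAMPLE_PNG)  # genuine image, accepted
  p check_upload("clip.png", SAMPLE_MP4)   # renamed video, rejected on content
  p check_upload("clip.mp4", SAMPLE_MP4)   # rejected on the name alone
end
```

A header match only shows that the first bytes look like an image; fully decoding or re-encoding the file, as the thumbnail step mentioned in the thread would, is the stronger check.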


  • BINNED

    Well, I'm surely not poking around with the hex editor at this time. Too late, too hot, and I have a Windows machine to get running... sigh.



  • Too much effort anyway. It's only Discourse, not like something we actually care about.


  • BINNED

    Dunno, would be nice if I could dump a short video directly in post without futzing around with additional hostings and .webm support :P



  • Images get resized/optimized for thumbnails, so it'll fail out if it's not really an image.


  • 🚽 Regular

    This is like the third thread I'm seeing where you're replying to a 10/11-month-old post.

    Are you testing the timegap thing or did Discourse suggest old threads and you didn't notice you were necroing? Did the discotoaster break?



  • @Zecc said:

    This is like the third thread I'm seeing where you're replying to a 10/11-month-old post.

    Are you testing the timegap thing or did Discourse suggest old threads and you didn't notice you were necroing? Did the discotoaster break?

    Don't expect a reply until May 2016.



