Announcement

Collapse
No announcement yet.

Suspect File Versions

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • Wayne Luke
    replied
    Information about the custom avatar is stored in the customavatar table. Determining and deleting outdated avatar files is outside the scope of the suspect file tool. The Suspect File system doesn't access the database at all for its functionality. Feature Creep is not a good thing. The more complicated individual tools are made, the more likelihood there will be bugs or improper behavior.

    If the avatar is uploaded through the system, it is already checked for image exploits. You can use the File Checker tools and ClamAV to check the files for viruses and other malware when they are uploaded. If you're really worried, store avatars in the database. Or create a feature request to add a new Scheduled Task to delete obsolete custom avatar files from the file system.
    Last edited by Wayne Luke; Tue 17 Mar '20, 11:56am.

    Leave a comment:


  • webcms
    replied
    I guess the avatar file names are recorded in the user table for each member. Otherwise there is no way to render the correct avatar for each member. Is this the correct assumption because all files are stored in a single folder without dups and vb knows the folder name (unlike dynamic cache folders and attachments folder where dups can exist in sub folders)?

    Leave a comment:


  • Wayne Luke
    replied
    Originally posted by webcms View Post

    Yes please! If the avatar files are already linked to some accounts, they should be skipped as positives. Otherwise, this will result in thousands of files showing as suspect. Remaining orphaned files may be deleted or given an option to the user to delete using a button. Also, other suspect PHP/etc files may be offered to delete/rename as well.
    This function of the software doesn't know if an avatar file is used or not in that directory. It will just skip it completely.
    Click image for larger version  Name:	2020-03-17_9-23-37.png Views:	0 Size:	38.0 KB ID:	4437046

    Leave a comment:


  • webcms
    replied
    Originally posted by Wayne Luke View Post
    if you delete your custom avatars, they will no longer show for your users. they are showing as a false positive currently. Should be resolved in a future version.
    Yes please! If the avatar files are already linked to some accounts, they should be skipped as positives. Otherwise, this will result in thousands of files showing as suspect. Remaining orphaned files may be deleted or given an option to the user to delete using a button. Also, other suspect PHP/etc files may be offered to delete/rename as well.

    Leave a comment:


  • chriske
    replied
    Ah yes, "Attachments are currently being stored in the filesystem at ***/files"

    Leave a comment:


  • Wayne Luke
    replied
    Originally posted by chriske View Post
    Also the folder files is not used anymore?
    This folder contains attachments / thumbnails. Can i safely removed these?
    vBulletin doesn't ship with a folder named files. You can see if this still being used in the AdminCP under Attachments -> Attachment Storage Type. If it is, then you should keep it. As a non-standard directory, you should get a warning stating such and it isn't scanned.

    Leave a comment:


  • Trevor Hannant
    replied
    Take a backup of that folder (if you desire) and then delete. As Wayne says, it's no longer used in vB5 as there are no separate Avatars and Profile Pictures as there was in previous versions.

    Leave a comment:


  • chriske
    replied
    customgroupicons and signaturepics were empty folders. But customprofilepics is full of images. Can the folder + contents be safely removed? The profile picture is replaced by the avatar, am i right?

    Also the folder files is not used anymore?
    This folder contains attachments / thumbnails. Can i safely removed these?

    Leave a comment:


  • Wayne Luke
    commented on 's reply
    customgroupicons, customprofilepics, and signaturepics are not used in vBulletin 5.X. These directories were removed in 5.6.0 on new installations.

  • chriske
    commented on 's reply
    Thanks for the fast reply. Same goes for customgroupicons, customprofilepics,signaturepics etc

  • Wayne Luke
    replied
    if you delete your custom avatars, they will no longer show for your users. they are showing as a false positive currently. Should be resolved in a future version.

    Leave a comment:


  • chriske
    started a topic Suspect File Versions

    Suspect File Versions

    When running the tool "Suspect File Versions".
    ./core/customavatars
    avatar10004_2.gif File not recognized as part of vBulletin
    Why are all custom avatars showing up in this check? They are uploaded via vb and should be kept right?

Related Topics

Collapse

Working...
X