Pictures contain EXIF

Hi,

Are you facing any issues due to this? Can you please explain in detail so that we can provide the solution for this?

Regards,
Patrik

Hello ! By being able to upload images with information in EXIF, these can be called or included elsewhere on the same page and code can be executed.

for example, I can upload an image to my avatar with a PHP execution code hidden in EXIF and call it(original picture, not thumbnail) from some forum or post on the same page.

Not having EXIF information the images are not dangerous whatever they are called.

SOLUTION: Since you create a thumbnail (the EXIF information of the original image is not copied), it would be to delete the original image and keep only the thumbnail used or also remove the EXIF information in the original but it would not make sense to keep the original if you do not use it (you use the thumbnail).

Hi @gabronick,

We use the standard WordPress uploader which also does not remove the EXIF data.
For this to be an issue you would also need some way to include a file of your choice on the server and at that point, it does not matter if your PHP code is in EXIF or a .txt file.

If you find a way to execute this using only the UWP plugin then we would certainly listen but this is not possible without a way to include a file already being on the server.

We will check if we use the original file for other reasons or not.

Thanks,

Stiofan