As of September 17, 2017, the following issue, which is unresolved at this time, is due for disclosure:
VWE-2017-4030 is a Legal issue, in which image metadata of uploaded image attachments may have their metadata unintentionally stripped. Many software applications and web sites perform metadata removal by default, but recent court cases have provided precedent that this behavior is illegal in several countries, such as Germany or Australia, as it violates the copyright protections of the original owners of the images. We are currently working on patches for this issue, which will attempt to preserve several types of metadata that tend to get lost during image processing:
- EXIF (in JPG and PNG)
- FlashPix (in JPG)
- IPTC (in JPG and PNG)
- XMP (in JPG, PNG, and GIF)
- PNG textual information
- GIF comments and watermarks
- JPEG APP12 segments and comments
Files that are not treated as images by VaultWiki are not victim to accidental loss of metadata. A temporary workaround for this issue is to go to Content > Attachments, and modify each file type so that none are treated as images.
We apologize for the inconvenience that this delay will cause. However, we urge customers to follow the workaround steps outlined above to ensure their sites are on secure legal footing in the interim.
We do not recommend using any upload functions on your site for which accidental removal of metadata may occur, unless you make it clear on the upload page that you do not want any files that have embedded metadata containing copyright, ownership, or credit-related information, and unless you have some policy in place to enforce this rule. This includes avatars, forum attachments, and other types of uploads that do not actively preserve metadata.