#315063 - 08/02/07 04:04 PM dynamic images
TheDude Offline
Lurker

Registered: 07/09/07
Posts: 5

Could someone point me to where I can locate info for:

Quote:
code edits to allow dynamic images


Vers 7.1.1

thanks!

#315065 - 08/02/07 11:43 PM Re: dynamic images [Re: TheDude]
balamm Offline
Lurker

Registered: 06/03/04
Posts: 4
I think we need something like this, updated for the latest version
http://www.ubbdev.com/forums/ubbthreads.php?ubb=showflat&Number=264598#Post264598

Going by that, I figure it's this code that needs to be changed
Code:
                if( ($config['ALLOW_IMAGE_MARKUP'] && $type != "sig") || ( $config['IMAGE_MARKUP_IN_SIGS'] && $type == "sig" ) ) {
                        $regexes[] = array( "#\[img\]([^?\['\"]+?)\.(gif|png|jpg|jpeg)\[/img\]#i", '<img src="\1.\2" alt="" />' );
                        $regexes[] = array( "#\[image\]([^?\['\"]+?)\.(gif|png|jpg|jpeg)\[/image\]#i", '<img src="\1.\2" alt="" />' );
                        $regexes[] = array( "#\[img:(left|right|center)\]([^?\['\"]+?)\.(gif|png|jpg|jpeg)\[/img\]#i", '<img src="\2.\3" align="\1" alt="" />' );
                        $regexes[] = array( "#\[image:(left|right|center)\]([^?\['\"]+?)\.(gif|png|jpg|jpeg)\[/image\]#i", '<img src="\2.\3" align="\1" alt="" />' ); 


But I don't do regex so I have no idea.

If I remove the ? from
Code:
[img]image.php?text=sometext&ext=.gif[/img]
then it will post as an image but won't show the correct text.

What do we have to change in that regex to allow the "?" ???
Or is it altogether somewhere else in the forum?

#315066 - 08/02/07 11:53 PM Re: dynamic images [Re: balamm]
Gizmo Administrator Offline
Wizard

Registered: 01/10/00
Posts: 5122
Loc: Portland, OR, USA
Well, I believe this is "as is" due to security concerns; the system actively refuses images with ? or which don't match the file types; this is done so knobs can't just embed a so-called image which isn't an image (but instead a cleverly disguised script).

I however leave this thread to Ian or Rick when they get the chance to go more in-depth on the how's and why's.
_________________________
UBB.Dev - Where you too can render your UBB install completely useless...
UGN Security, Elite Web Gamers & VNC Web Design Owner

#315069 - 08/03/07 01:49 AM Re: dynamic images [Re: Gizmo]
balamm Offline
Lurker

Registered: 06/03/04
Posts: 4
Well that makes about as much sense as trying to stop someone viewing your html source or right clicking to save your images.
It can't be done so there's no sense worrying about it wink

The entire internet is dynamic and there's no way you're going to avoid "us knobs" trying to make it more useful and interesting.

If you're that concerned about dynamic image scripts, or any interactive script, there's a simple solution.
Unplug your computer.

Anyway, thanks for your concern but we're not asking why the choice is lacking, only how to enable that choice thumbsup

#315070 - 08/03/07 02:05 AM Re: dynamic images [Re: balamm]
Gizmo Administrator Offline
Wizard

Registered: 01/10/00
Posts: 5122
Loc: Portland, OR, USA
It's not those scripts, it's the kind that install malicious software to your server and get your plug pulled for you by your host/datacenter...

When I said "knobs", I didn't mean you as a legitimate user, I meant some random fly by script which is scanning your webhost/subnet for "yet another target" that they can "own" for a botnet due to insecurities...

#315071 - 08/03/07 02:08 AM Re: dynamic images [Re: Gizmo]
Gizmo Administrator Offline
Wizard

Registered: 01/10/00
Posts: 5122
Loc: Portland, OR, USA
Here's an example; I've seen some sites setting "gif" as a plaintext file, and linking to it as an image; an example would be this one that I pulled from my log files (not an image in this instance):
http://www.the-esao.com/imag/stringa.txt

This type of "blocking" isn't out of the ordinary, check out all those which have plagued phpbb, one of which is this and several other "remote file inclusion" bugs.

#315072 - 08/03/07 02:17 AM Re: dynamic images [Re: Gizmo]
Gizmo Administrator Offline
Wizard

Registered: 01/10/00
Posts: 5122
Loc: Portland, OR, USA
btw, most gallery software nowadays (which is what I'm assuming you're using) have a SE friendly urls option, which generally use PATH_INFO (like the UBB does) or mod_rewrite to create "virtual" directories, which would end up like:
image.php\text\sometext\ext.gif

#315073 - 08/03/07 03:15 AM Re: dynamic images [Re: Gizmo]
balamm Offline
Lurker

Registered: 06/03/04
Posts: 4
Haven't had a problem with remote include attempts since switching to phpSuExec.

Yeah, I could recode to use htaccess and addtype as well but it's a pain. Either way, it's still a dynamic image.

phpbb was just a disaster waiting to happen. Only surprise is that it took so long to surface!

I don't see a problem with image code though as long as it's parsed as an image by the forum.
The worst that can happen is someone finds out what OS and plugins you're running. Opera and Mozilla based browsers return that info and more with a little javascript anyway and just about everyone's got urchin.js on their system now which I'd be a lot more concerned about wink

#315085 - 08/05/07 11:40 PM Re: dynamic images [Re: balamm]
balamm Offline
Lurker

Registered: 06/03/04
Posts: 4
Ok, we found the answer
change:
$regexes[] = array( "#\[img\]([^?\['\"]+?)\.(php|gif|png|jpg|jpeg)\[/img\]#i", '<img src="\1.\2" alt="" />' );
to:
$regexes[] = array( "#\[img\]([^\['\"]+?)\.(php|gif|png|jpg|jpeg)\[/img\]#i", '<img src="\1.\2" alt="" />' );
at line #1029 of ubbthreads.inc.php

Same for any other regexes that disallow dynamic tags.
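
An added example, not part of the thread and not UBB.threads code: it runs the stock [img] pattern and the modified one from this thread over constructed sample posts, next to a hypothetical allowlist variant that permits query-string image URLs only from hosts the board operator names. The functions render_img() and convert_img_tags() and the example.org/example.net hosts are assumptions made for illustration.

```php
<?php
// Added example, not UBB.threads code. $stock and $relaxed are the [img] patterns
// quoted in this thread; render_img(), convert_img_tags() and the hosts are hypothetical.
$stock   = "#\[img\]([^?\['\"]+?)\.(gif|png|jpg|jpeg)\[/img\]#i";
$relaxed = "#\[img\]([^\['\"]+?)\.(php|gif|png|jpg|jpeg)\[/img\]#i";

// Return an <img> tag for an acceptable URL, or null to leave the tag as text.
function render_img(string $url, array $dynamicHosts): ?string
{
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host'], $p['path'])) {
        return null;
    }
    if (!in_array(strtolower($p['scheme']), ['http', 'https'], true)) {
        return null;
    }
    $ext       = strtolower(pathinfo($p['path'], PATHINFO_EXTENSION));
    $isStatic  = !isset($p['query']) && in_array($ext, ['gif', 'png', 'jpg', 'jpeg'], true);
    $isTrusted = in_array(strtolower($p['host']), $dynamicHosts, true);
    if (!$isStatic && !$isTrusted) {
        return null;
    }
    // Escape on output so "&" and quotes cannot alter the attribute.
    return '<img src="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '" alt="" />';
}

function convert_img_tags(string $post, array $dynamicHosts): string
{
    return preg_replace_callback(
        '#\[img\]([^\[\]\s]+)\[/img\]#i',
        function (array $m) use ($dynamicHosts): string {
            return render_img($m[1], $dynamicHosts) ?? $m[0];
        },
        $post
    );
}

// Constructed sample posts.
$samples = [
    '[img]http://img.example.org/pic.gif[/img]',
    '[img]http://charts.example.org/image.php?text=sometext&ext=.gif[/img]',
    '[img]http://other.example.net/image.php?text=sometext&ext=.gif[/img]',
];
foreach ($samples as $s) {
    printf("%s\n  stock: %s  relaxed: %s\n  allowlist: %s\n", $s,
        preg_match($stock, $s) ? 'image' : 'text',
        preg_match($relaxed, $s) ? 'image' : 'text',
        convert_img_tags($s, ['charts.example.org']));
}
```

The stock pattern leaves both query-string samples as text and the modified pattern renders both as images; the allowlist variant renders only the one on the named host.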
