Member | Joined: Apr 2001 | Posts: 237
Yep, caught me again. The check was too simplistic. I've updated it once again, this time it should catch the problem. While I was at it, I also closed off another couple of potential holes, where users might have been able to use special shell characters (such as | or >) to do funny stuff. I didn't bother making this a new version, so if you re-download 3.3, you'll get this fix. As for omegatron's comment about the security hole being fixable by good permissions, I'd rather have the script do the right thing, as opposed to making the user worry about yet another problem.  Anyway, thanks for pointing out the hole, and keep the feedback coming! (Yeah, even the negative stuff :)) [ June 26, 2001 10:17 PM: Message edited by: bobbitt ]

Member | Joined: Jan 2001 | Posts: 75
Grrrrrreat!!!
It's fixed....
Failed basic sanity test: Sorry, you can't use a relative path for the album!!!
Cross that one off the list 8)...
Thanks AGAIN!!!
BTW, do you mind if people come up with some pretty attractive style templates, and distribute them through you?... Just curious if you're interested... 8).. Cuz you'd be the best resource to hoard them... 8)..

Member | Joined: Apr 2001 | Posts: 237
Glad to hear I finally nailed it.
As for the style sheets, I think it's a great idea. The one provided is about as basic as they come, so something with a little imagination would be pretty cool.
Send 'em along, and I'll start either including them in the .zip or hosting them at the download page.
Thanks

Member | Joined: Jan 2001 | Posts: 75
Excellent, I have a whole group of web developers / graphics guys @ my disposal.. I'll hopefully get some up to you by this weekend 8)..

Member | Joined: Jun 2001 | Posts: 49
I want to know if I could use this script (modify it slightly) to allow my members to upload a .map file (custom mapping for a fuel injected Suzuki GSX-R). It is very close to what I need. I also have a gallery script (still beta and buggy) running at my site, you might want to take a look at it here: www.gixxer.com/gallery

Member | Joined: Apr 2001 | Posts: 3,266
I did not say we had to do it by hand. I just pointed out that with the proper permissions set the issue is not a bug. I tried to do it, my server would not let me. Nice hack, and if I find anything else I'll let ya know, but it's shaping up nicely.

Member | Joined: Apr 2001 | Posts: 237
Jonny, you sure can. There's an item in the config file called "imgexts" which is supposed to list the image extensions (jpg, bmp, gif, etc). If you put map in there, it'll allow people to upload only .map files. Now the catch is that it'll try to "img src" them to display them in a browser, so if that doesn't work for a .map file (which I doubt) then you'd have to change a bit of code. I'm not sure how you'd want to deal with a .map file, probably just download it with a "href" maybe? At any rate, it's possible, though it would require a bit of customization. BTW, that's a pretty cool gallery you've got there. Might just put me out of business...

omegatron, yeah, I agree. If you have everything above your web root as unreadable to your web server process (which is good design) then it's not a problem. But I'd still rather put the "safety features" into the script. It's bloody hard enough to configure as it is! [ June 27, 2001 05:54 AM: Message edited by: bobbitt ]

Member | Joined: Feb 2001 | Posts: 108
Yikes! That ../../../ bug is really nasty but at least I got a look at what my hosting provider also has on the system.  p2kay!

Member | Joined: Apr 2001 | Posts: 237
Ok, I'm trying to set my focus for the next round of updates. What's your preference for the next release:
- Improved documentation
- Improved installation
- Search capability
- "Jump to" drop box for albums
- Custom header/footer
- Auto thumbnails
- User comments/ratings on photos
- "Page views" for photos
- Something else? (Make your suggestion!)
These are just some of the things floating around in my head, but I'd rather spend my time on what people are going to use. So if you have a preference, let me know! Thanks [ June 27, 2001 09:56 AM: Message edited by: bobbitt ]

Veteran | Joined: Oct 2000 | Posts: 2,667
Auto thumbnail, members comment and rating.
Do you believe in love at first sight, or should I walk by again?

Member | Joined: Jun 2001 | Posts: 49
Thanks Bobbitt.
For auto thumbnails you can run ImageMagick on your server.
Where abouts in Ottawa are you anyways? I am over in Vancouver

Member | Joined: Apr 2001 | Posts: 237
ImageMagick, eh? I'll have to check that out. Have a link handy?
I'm actually just outside Ottawa, but we've all been amalgamated into one city now... Looks like there are a few of us canucks here...
Anyway, thanks for the info.

Member | Joined: Aug 2000 | Posts: 594
jeremiah

Member | Joined: Apr 2001 | Posts: 237
Excellent. I'll check it out.
What I don't want though is for people to have to compile and install ImageMagick in order to use album.pl. But I'll see what I can come up with...

Member | Joined: Jun 2001 | Posts: 49
I just can't get it to run!
I have 4 or more different types of perl scripts running fine, but this one is making me pull my hair out!
500 Internal Server Error is all I get no matter how I try to muck with the .cfg file and permissions.
Does it run on Unix?
I have UBB 6.04f running fine.
What am I doing wrong?
[ June 29, 2001 01:45 AM: Message edited by: Jonny Bravo ]

Member | Joined: Apr 2001 | Posts: 237
I run the script on Windows and UNIX just fine. A few people are seeing this, so I'd love to nail it down.
I have a couple of theories, the most likely of which is that the .cfg and/or .pl files weren't FTP'd in ASCII mode. That would cause some problems, and would likely show itself as a 500 error.
Alternatively, my suspicion is that the .cfg file has been edited by an editor that leaves funny characters.
At any rate, if you have shell access, and can run "perl album.pl" in your cgi-bin directory, that'll give us a more clear error code to work with. Hopefully then I can wrap this up for everyone who's dealing with it.
Thanks!
[ June 29, 2001 06:04 AM: Message edited by: Mike Bobbitt ]

Member | Joined: Jun 2001 | Posts: 49
Well, I started all over from scratch, set the dirs the same as per yours, used a plain jane text editor, used AceFTP set to ASCII mode and got the same results.
Currently I have no shell access to the account.
Anything else I can try?

Member | Joined: Apr 2001 | Posts: 237
Darn, that's usually it. It looks like if any lines have leading or trailing whitespace in the .cfg file, it may cause problems. Including "blank" lines that are a space, instead of being empty.
I'm working on fixing these problems in 3.4, but that doesn't do you much good right now. Plus, since I'm not sure what your specific issue is, I'm not sure I've fixed it...
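A config loader that tolerates the transfer and editor artefacts the last few posts describe (binary-mode FTP, stray whitespace, "blank" lines holding a space) and reports them before the script dies with a 500. This is an added Python example, not album.pl's own loader; the key=value layout, the diagnostic messages and the sample file are assumptions.

```python
# Constructed sample standing in for a .cfg that was FTP'd in binary mode from
# Windows (CRLF endings), edited by a tool that left a UTF-8 byte order mark,
# and contains a "blank" line that is really a single space.
SAMPLE_CFG = "\ufeffimgexts = jpg gif bmp\r\n \r\nmovie_upload=0\r\nthumbprefix=thmb_ \r\n"


def transfer_problems(text):
    """List the artefacts that typically turn a hand-edited .cfg into a 500 error."""
    problems = []
    if text.startswith("\ufeff"):
        problems.append("byte order mark at start of file")
    if "\r" in text:
        problems.append("CR characters: CRLF line endings, probably a binary-mode FTP transfer")
    for lineno, line in enumerate(text.splitlines(), 1):
        if line and not line.strip():
            problems.append(f"line {lineno}: blank line that actually holds whitespace")
        elif line != line.strip():
            problems.append(f"line {lineno}: leading or trailing whitespace")
        # Anything outside 7-bit ASCII is a sign of an editor leaving "funny characters".
        if any(ord(ch) > 127 for ch in line.lstrip("\ufeff")):
            problems.append(f"line {lineno}: non-ASCII character")
    return problems


def parse_cfg(text):
    """Tolerant loader: drops the BOM, CR and surrounding whitespace, skips blanks and comments.

    Values are stripped too, so 'thumbprefix=thmb_ ' yields 'thmb_' rather than a
    prefix with a trailing space that would never match a thumbnail file name.
    """
    cfg = {}
    for lineno, raw in enumerate(text.lstrip("\ufeff").splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"line {lineno}: expected key=value, got {raw!r}")
        cfg[key.strip()] = value.strip()
    return cfg


if __name__ == "__main__":
    for problem in transfer_problems(SAMPLE_CFG):
        print("warning:", problem)
    print(parse_cfg(SAMPLE_CFG))
```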

Member | Joined: Apr 2001 | Posts: 3,266
Johnny, these are the exact things I was having problems with. However, I have shell access and used that finally since editors don't work. If you want to send me your settings I can make a .cfg file for you.

Member | Joined: Apr 2001 | Posts: 237
I think I have it fixed. Just polishing up and will hopefully have something ready for download later tonight.
Cheers
[ July 01, 2001 05:21 PM: Message edited by: Mike Bobbitt ]

Member | Joined: Apr 2001 | Posts: 237
Ok, it's up. Give it a shot: http://perl.cdnarmy.ca Good luck!

Member | Joined: Apr 2001 | Posts: 237
I should point out that this release will probably fix the 500 Internal Server Error problem, but in cases where the config file is "broken" it will only turn a 500 error into a PERL error.
The root cause is that the config file isn't being loaded properly, due to some issue that appears when it is transferred or edited in some cases. Hopefully this will at least allow us to diagnose problems more effectively...

Member | Joined: Apr 2001 | Posts: 3,266
Yeah, now if there was just a way to have auto thumbnails I think this thing would be out of beta.

Member | Joined: Feb 2001 | Posts: 108
May I make a suggestion?
Individual icons for each individual photo album directory. Currently, it uses the album.gif file.
So if you have a directory for Flowers, you can assign a flower icon for the Flowers dir, a dog for your dogs directory, etc.
pee2wokay!

Member | Joined: Apr 2001 | Posts: 237
Good idea. The immediate options that come to mind are:
1. Have the icon file defined in descriptions.txt somehow. (Like the first line could be "album_icon.gif=Album Description").
2. Automatically use a thumbnail if its name matches the album (directory) name and exists in the album's parent directory.
3. Automatically use a thumbnail if it matches a pre-defined name (such as album_icon.gif) and exists in the album itself.
Each option has its ups and downs, I'll have to think about the best implementation...

Member | Joined: Apr 2001 | Posts: 237
Ok, I'm finally wrapping up the last of the 500 internal server errors. If anyone is still having this problem, contact me and I'll be able to get you sorted out in short order.
Cheers

Member | Joined: Apr 2001 | Posts: 237
Ok, come and get it: http://perl.cdnarmy.ca Version 3.5 is out, changes are:
- Added line numbers to every debug statement.
- Fixed (the last?) of the 500 errors.
- Added a couple more (very basic) style sheets.
- Added ability for albums to have their own thumbnails. File must be named thmb_albumname.gif, where thmb_ is the thumbprefix and albumname is the exact name of the directory/folder that is your album. The thumbnail must be put at the same level as the album directory (not in it). (Thanks P2K!)
I know, auto thumbnails aren't there yet. I'm having a hell of a time with it. Everything I've seen so far requires that you have some *other* special package installed first. I really want this script to be standalone. (As has been pointed out, it's hard enough to install by itself; who needs dependencies!) I'll keep you posted... Edit: Forgot to mention - album thumbnails need to be a .gif file, at least for the moment... (However, I've renamed JPGs to .gif, and they still work fine. The browser knows it's actually a .JPG and renders it accordingly...) [ July 03, 2001 07:32 PM: Message edited by: Mike Bobbitt ]

Member | Joined: Apr 2001 | Posts: 3,266
Auto thumbnails, HMMM. That's what I am waiting on.

Member | Joined: Apr 2001 | Posts: 237
3.6 is ready: http://perl.cdnarmy.ca/ Still no auto thumbnails, but I haven't given up. It's just turning into a much bigger project. At any rate, here are the changes in 3.6, hopefully they'll keep people happy for a bit:
- Added ``movie_upload'' config item. When set to a non-zero value, movie uploads are permitted as well. (See movieexts config item.) Note that the upload_size_limit is still enforced, so you'll probably want to raise this value if you allow movie uploads. You can use this feature to allow your gallery to handle (and upload) binary or custom files (zip, exe, etc).
- Added ``jump_to'' config item. Allows you to have a drop box displayed for albums to jump between peer albums.
- Added ``viewfile'' config item. Allows you to keep track of (and display) the number of times each picture has been viewed.
- Albums now have a border, so you can tell them from regular photos when you're using album icons.
- Fixed up some style sheet stuff. (If a style sheet is used, the tag doesn't contain formatting and colour info.)
- When entering descriptions, you automatically advance to the next photo.
- Fixed up the revision history section of the documentation.
Enjoy, and as always, please send me your feedback! [ July 05, 2001 09:46 PM: Message edited by: Mike Bobbitt ]

Member | Joined: Apr 2001 | Posts: 3,266
Just a heads up Mike. I will also email you. I installed your 3.6 version last night. I do not know if this is a prior bug or not since these parameters were never tested.
A member uploaded a pic and then put a quite lengthy description to it. All I know is when I went to check the gallery I had my albums and a new picture actually in the album screen, not in the individual directory like it is supposed to be. Maybe the program gets confused with the lengthy description? I fixed everything and the photo is where it belongs. I uploaded a photo to test and mine went fine. I even put a long lengthy description. Go figure, I could not duplicate the problem. I tried to make it easy for ya, but alas, who knows what went wrong.

Member | Joined: Apr 2001 | Posts: 237
Hmmm that is interesting. I'll have to do some tests and run through the code.
Thanks for the heads up...

Member | Joined: Jan 2001 | Posts: 75
Security Bug Notice #3 by ampere... When appending the following: /album.pl?album=../../../../../%00 to the URL running Album v3.5 & still testing v3.6... It displays the entire contents of the volume's root.... WITHOUT the %00 @ the end... It will not display ALL types of files, only the folders.... ALSO, when trying to retrieve the newly discovered files, it'll only send album.html, thus making it not hazardous in and of itself, but just being able to browse the structure & filenames could be used in many other ways, to get much farther into the system... ESPECIALLY when used in conjunction with the IIS v4.0 & v5.0 security flaws (still present on many systems even after SP2)... Add that to the .pl or .cgi

BTW- I must thank two of my users, MIG [ [email protected]] & idlei for helping me uncover both of the above issues, and Mike Bobbitt for everything else on this hack!!! [ July 07, 2001 02:23 PM: Message edited by: ampere ]

Member | Joined: Apr 2001 | Posts: 237
Gulp! Missed another one! Ok, so now 3.7 is out: http://perl.cdnarmy.ca. Updates/fixes:
- Fixed bug with jumpstation when using debug, a function or a password.
- Added ``album_border'' config item. Used to define the width of the border shown for album icons.
- Jump station no longer shows up when there are no peer albums now.
- Now uploads also use the updateDesc function - fixes the upload overwrite problem where the description was not updated.
- Photo and album icons are only used if they exist. No more broken image links!
- Before throwing an error, the script will look in a couple likely places for album.pl.
- Fixed another security hole with the album= var.
Thanks again ampere!

Member | Joined: Apr 2001 | Posts: 237
Good news. I've just finished creating a mailing list for album.pl. We can use this to discuss new features, installation problems, common questions, etc. That way, we can all benefit from each other's experience. To subscribe, send a message to majordomo@cdnarmy.ca with "subscribe album-list" somewhere in the message body. If you have any problems, just let me know. Cheers

Member | Joined: Jan 2001 | Posts: 75
Argh... me again 8)... This time, a user went to the upload function of the photo album... Decided to save the source code... Updated his copy to allow an additional dropdown category of /../../../../../.. By changing: And then opening his edited .html file in his browser, was able to upload an image to my startup group in my user profile 8)'... or to my root drive etc... I know this is partly due to my security of IIS & Win2k... But even if I disable the upload function, a user could enable it on his copy of the html... or for that fact just modify the html, and use it to upload anywhere... We're also working on seeing if he modifies his file enough, if he can upload files other than images to my system... [ July 07, 2001 05:51 PM: Message edited by: ampere ]
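The server-side checks that the reports in this thread call for, taken together: the relative-path and shell-character fix from the first post, the "imgexts" allowlist, the ../../../%00 directory listing, and the edited upload form above. Because the browser form is under the user's control, the album= value and the uploaded file name must be validated on the server every time. This is an added Python example, not album.pl's own Perl code; PHOTO_ROOT, IMG_EXTS, the messages and the function names are assumptions.

```python
import os
import re

# Constructed values standing in for the script's config (assumptions, not album.pl's).
PHOTO_ROOT = "/var/www/photos"          # top of the gallery tree, already normalised
IMG_EXTS = {"jpg", "gif", "bmp"}         # the imgexts allowlist mentioned in the thread
# Characters that let a parameter change the meaning of a shell command or of a
# two-argument Perl open(): | < > & ; ` $ ( ) and line breaks.
SHELL_META = re.compile(r"[|<>&;`$()\r\n]")
# Absolute paths in both Unix and Windows spellings (the reports above were on IIS).
ABSOLUTE = re.compile(r"^(?:[A-Za-z]:|[\\/])")


class RejectedInput(ValueError):
    """Raised for any album= or file name value that fails the sanity checks."""


def resolve_album(album, root=PHOTO_ROOT):
    """Map the album= parameter to a directory that must stay under root."""
    if "\0" in album:                       # %00 decodes to NUL and truncates C file names
        raise RejectedInput("null byte in album name")
    if SHELL_META.search(album):
        raise RejectedInput("shell metacharacter in album name")
    if ABSOLUTE.match(album):
        raise RejectedInput("absolute path")
    parts = [p for p in re.split(r"[\\/]+", album) if p not in ("", ".")]
    if ".." in parts:
        raise RejectedInput("relative path component")
    target = os.path.normpath(os.path.join(root, *parts))
    # Belt and braces: after normalisation the target must still sit below root.
    if os.path.commonpath([root, target]) != root:
        raise RejectedInput("escapes photo root")
    return target


def check_upload_name(filename, exts=IMG_EXTS):
    """Reduce a submitted file name to its basename and enforce the imgexts list."""
    base = os.path.basename(filename.replace("\\", "/"))
    if "\0" in base or base in ("", ".", "..") or SHELL_META.search(base):
        raise RejectedInput("bad file name")
    stem, dot, ext = base.rpartition(".")
    if not dot or not stem or ext.lower() not in exts:
        raise RejectedInput("extension not in imgexts")
    return base


def album_ok(album):
    """True when resolve_album accepts the value; handy for logging rejected requests."""
    try:
        resolve_album(album)
        return True
    except RejectedInput:
        return False


def upload_ok(filename):
    """True when check_upload_name accepts the file name."""
    try:
        check_upload_name(filename)
        return True
    except RejectedInput:
        return False
```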

Member | Joined: Apr 2001 | Posts: 237
Hmmm. That's all good stuff. I'll work on a fix, hopefully have one out tonight...

Member | Joined: Apr 2001 | Posts: 3,266
Ampere,
You sound like you have a lot of security issues. Ever think about changing? None of your security issues affect me at all.

Member | Joined: Apr 2001 | Posts: 237
Ok, I *think* I've taken care of that. I just updated the .zip, I didn't bother putting a new version out for that.
If you find any others, please let me know.
Thanks again for all your help!

Member | Joined: Jan 2001 | Posts: 75
Are you running Windows 2000 SP2 & IIS v5.x?

Member | Joined: Apr 2001 | Posts: 237
I think most of these issues affect pretty much anyone running the album. It's just a matter of how well behaved your users are...  Best to get these holes plugged before they cause any issues...