  1. #1
    SitePoint Enthusiast (original poster)

    WordPress Theme: Magasin Ocho Programming Problem

    I have a WordPress theme (Magasin Ocho) and it all works fine except for the thumbnail display. The code, when it gets resolved, looks like this:

    <img class="header" src="http://talk-****.com/wp-content/themes/magasin-ocho/functions/timthumb.php?src=http://talk-****.com/wp-content/uploads/cc/car_****_talk.jpg&amp;w=146&amp;h=146&amp;zc=1" />

    I don't know if that is valid PHP code or not. The timthumb.php file is supposed to resize the thumbnail if necessary, and there is a valid image at http://talk-****.com/wp-content/uplo..._****_talk.jpg

    Looks like my file is getting **** put where part of the URL name is, because it might be considered a 'bad word', so you might have to figure it out on your own since I can't put it here.


    Can anyone help please?

    Thanks.

  2. #2
    Mittineague (Programming Team)
    Is it the SitePoint forum putting in the **** or your blog?

  3. #3
    SitePoint Enthusiast (original poster)
    Quote Originally Posted by Mittineague View Post
    Is it the SitePoint forum putting in the **** or your blog?
    SitePoint is doing it. The blog actually inserts the correct word (rhymes with spit), so you can figure it out.

  4. #4
    Mittineague (Programming Team)
    I get a 403 forbidden for the img URL
    Is everything
    wp-content/themes/magasin-ocho/functions/timthumb.php
    world readable?

  5. #5
    SitePoint Enthusiast (original poster)
    Quote Originally Posted by Mittineague View Post
    I get a 403 forbidden for the img URL
    Is everything
    wp-content/themes/magasin-ocho/functions/timthumb.php
    world readable?
    The default permissions for the WP install and the theme install files under the folders were 644; that didn't work, so I changed it to 777 and it still doesn't work. Is that the right code? http://talk-****.com/wp-content/them...h=146&amp;zc=1

    With the question mark at the end of the timthumb.php file and then the URL to the image. If you just type in the URL to the image, the image displays just fine: http://talk-****.com/wp-content/uplo..._****_talk.jpg

  6. #6
    Mittineague (Programming Team)
    I'm still getting a 403, so I hope you didn't leave it at 7. World readable, writeable, executable is something you definitely don't want.

    Yes, the image path (at least to the one I tried) is OK, so I think the problem is with the timthumb.php file. The file uses regex, so it might be that it doesn't like the &amp; vs. (an invalid) & or something else. I'll look a bit more at it ASAP.

  7. #7
    SitePoint Enthusiast (original poster)
    Quote Originally Posted by Mittineague View Post
    I'm still getting a 403, so I hope you didn't leave it at 7. World readable, writeable, executable is something you definitely don't want.

    Yes, the image path (at least to the one I tried) is OK, so I think the problem is with the timthumb.php file. The file uses regex, so it might be that it doesn't like the &amp; vs. (an invalid) & or something else. I'll look a bit more at it ASAP.
    Thank you. I appreciate any help, since I can't get the template creator to respond to me.

  8. #8
    Mittineague (Programming Team)
    It's a bug in the timthumb.php file. The script uses 2 regular expressions to change the src value from a "virtual" URL into the "system" path.
    PHP Code:
    // clean params before use
    $src = $_REQUEST['src'];
    // possibles?
    //$src = preg_replace( "/^(\.+(\/|))+/", "", $src );
    //$src = str_replace( "../", "", $src );
    //$src = preg_replace( '/^(s?f|ht)tps?:\/\/[^\/]+/i', '', $src );
    $src = preg_replace( "/(?:^\/+|\.{2,}\/+?)/", "", $src ); // strip leading slashes and "../" sequences
    $src = preg_replace( '/^\w+:\/\/[^\/]+/', '', $src );    // strip "scheme://host" from absolute URLs
    (the commented out "possibles" suggest the author has had problems with this, but regex isn't the easiest thing for lots of people, so don't hold it against him)

    The first preg_replace removes the leading slash from relative URLs like
    /wp-content/uploads/cc/car_****_talk.jpg

    And the second removes the "http://root" for absolute URLs like
    http://talk-****.com/wp-content/uploads/cc/car_****_talk.jpg

    Later on the script gets the system root and adds the rest back on
    PHP Code:
    // set document root
    $doc_root = $_SERVER['DOCUMENT_ROOT'];

    // get path to image on file system 
    $src = $doc_root . '/' . $src;
    The problem is the code works for relative URLs but doesn't remove the leading slash from the "remainder" of the absolute URLs so the path becomes something like
    http://talk-****.com//wp-content/uploads/cc/car_****_talk.jpg

    To make sure this will work with both types of URLs IMHO the best thing to do is hack the timthumb.php code so the second preg_replace also removes the "extra" leading slash
    PHP Code:
    // clean params before use
    $src = $_REQUEST['src'];
    // possibles?
    //$src = preg_replace( "/^(\.+(\/|))+/", "", $src );
    //$src = str_replace( "../", "", $src );
    //$src = preg_replace( '/^(s?f|ht)tps?:\/\/[^\/]+/i', '', $src );
    $src = preg_replace( "/(?:^\/+|\.{2,}\/+?)/", "", $src ); // strip leading slashes and "../" sequences
    //$src = preg_replace( '/^\w+:\/\/[^\/]+/', '', $src );
    $src = preg_replace( '/^\w+:\/\/[^\/]+\//', '', $src );  // strip "scheme://host/" including the slash after the host
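To see what those two regexes actually produce, here is an added example (the editor's code, not anything from timthumb.php or the Magasin Ocho theme) that replays them on a few constructed src values, joins the result onto a document root exactly the way the script does ($doc_root . '/' . $src), and then applies the check the regex denylist on its own does not give you: resolve the final path with realpath() and refuse anything that does not sit under the document root. The document root is a throw-away temp directory created by the script, and every file name in it is made up.

```php
<?php
// Added example by the editor, not code from timthumb.php or the Magasin Ocho theme.
// It replays the two preg_replace() calls quoted in the post on constructed src values,
// joins the result onto a document root the way the script does, and then applies a
// resolved-path confinement check that the regex denylist alone does not give you.
// The document root is a throw-away temp directory created below; file names are made up.

/** The two regexes exactly as quoted from timthumb.php. */
function timthumb_clean(string $src): string
{
    $src = preg_replace("/(?:^\/+|\.{2,}\/+?)/", "", $src); // leading slashes and "../"
    $src = preg_replace('/^\w+:\/\/[^\/]+/', '', $src);    // "scheme://host"
    return $src;
}

/** The same, with the second regex changed to also eat the slash after the host. */
function timthumb_clean_patched(string $src): string
{
    $src = preg_replace("/(?:^\/+|\.{2,}\/+?)/", "", $src);
    $src = preg_replace('/^\w+:\/\/[^\/]+\//', '', $src);
    return $src;
}

/** How the script builds the file-system path: $doc_root . '/' . $src */
function timthumb_path(string $docRoot, string $cleaned): string
{
    return $docRoot . '/' . $cleaned;
}

/**
 * Allowlist check by resolved path: the file must exist and its canonical path
 * must sit under the canonical document root. realpath() collapses "//" and
 * "/../", so the extra slash from the unpatched regex is harmless here, and a
 * non-existent target (realpath() === false) is refused rather than guessed at.
 */
function confined_to_docroot(string $docRoot, string $path): bool
{
    $root = realpath($docRoot);
    $real = realpath($path);
    if ($root === false || $real === false) {
        return false;
    }
    return strpos($real . '/', rtrim($root, '/') . '/') === 0;
}

// Throw-away document root holding one real (empty) image file.
$docRoot = sys_get_temp_dir() . '/timthumb-demo-' . getmypid();
mkdir($docRoot . '/wp-content/uploads/cc', 0755, true);
touch($docRoot . '/wp-content/uploads/cc/example.jpg');

// Constructed inputs: the relative and absolute forms from the thread, then traversal attempts.
$inputs = [
    '/wp-content/uploads/cc/example.jpg',
    'http://example.com/wp-content/uploads/cc/example.jpg',
    '../../../../etc/passwd',
    'http://example.com/../../../etc/passwd',
];

foreach ($inputs as $src) {
    $path = timthumb_path($docRoot, timthumb_clean($src));
    printf("src=%s\n  unpatched: %s\n  patched:   %s\n  allowed:   %s\n\n",
        $src,
        $path,
        timthumb_path($docRoot, timthumb_clean_patched($src)),
        confined_to_docroot($docRoot, $path) ? 'yes' : 'no');
}

// Clean up the temp tree.
unlink($docRoot . '/wp-content/uploads/cc/example.jpg');
foreach (['/wp-content/uploads/cc', '/wp-content/uploads', '/wp-content', ''] as $dir) {
    rmdir($docRoot . $dir);
}
```

Run it with php on the command line. The relative and the absolute input both end up at the same existing file and are allowed; the absolute one gets there through the "//" that the unpatched second regex leaves behind, which the file system (and realpath()) simply ignores, so on its own the double slash is not what produces a 403. The two traversal inputs lose every "../" to the first regex and end up as non-existent paths under the document root, so the confinement check refuses them. The point of the realpath() check is that it decides on the resolved path rather than on what the regexes happened to strip, so it keeps holding if the stripping is ever wrong; note that it also follows symlinks, so a link inside the document root that points outside it is refused too.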

  9. #9
    SitePoint Enthusiast (original poster)
    Quote Originally Posted by Mittineague View Post
    It's a bug in the timthumb.php file. The script uses 2 regular expressions to change the src value from a "virtual" URL into the "system" path.
    [...]
    To make sure this will work with both types of URLs IMHO the best thing to do is hack the timthumb.php code so the second preg_replace also removes the "extra" leading slash


    Darn, that didn't work either, and it made sense to me too. Any other suggestions? Thanks a bunch again for your time.

  10. #10
    Mittineague (Programming Team)
    Another possible problem might be your server configuration. http://us.php.net/imagecreatefromjpeg
    A URL can be used as a filename with this function if the fopen wrappers have been enabled.
    http://us.php.net/manual/en/filesyst...llow-url-fopen
    allow_url_fopen boolean

    This option enables the URL-aware fopen wrappers that enable accessing URL object like files. Default wrappers are provided for the access of remote files using the ftp or http protocol, some extensions like zlib may register additional wrappers.

    Note: This setting can only be set in php.ini due to security reasons.
    You may have no other choice but to use relative URLs, e.g.
    HTML Code:
    <img class="header" src="http://talk-****.com/wp-content/themes/magasin-ocho/functions/timthumb.php?src=/wp-content/uploads/cc/car_****_talk.jpg&amp;w=146&amp;h=146&amp;zc=1" />
    EDIT: Scratch all that. Either way the script should still be using the 'DOCUMENT_ROOT' and not an HTTP URL
    I'll look some more.
    Last edited by Mittineague; May 30, 2009 at 18:43.

  11. #11
    Mittineague (Programming Team)
    Try with permissions for the

    wp-content
    themes
    magasin-ocho
    functions

    folders at 755 and for the file

    timthumb.php

    at 644

  12. #12
    SitePoint Enthusiast (original poster)
    Quote Originally Posted by Mittineague View Post
    Try with permissions for the

    wp-content
    themes
    magasin-ocho
    functions

    folders at 755 and for the file

    timthumb.php

    at 644
    That didn't work, but I contacted the HostGator server people and they changed some mod_security settings and it now works fine. Thank you soooo much for all your help. Do you do this for a living?

  13. #13
    Mittineague (Programming Team)
    No, it's a hobby I do for fun.

    Well, that explains it. Although I would like to think that hostgator knows what it's doing, so I'm a bit surprised.

    I found that one of the things mod_security does is filter malicious requests like
    ././././././././passwords/ from http://www.onlamp.com/pub/a/apache/2..._security.html
    • Remove multiple forward slashes (//)
    • Remove self-referenced directories (./)


    So it could indeed have been responsible for breaking the script.

    As good as it is to hear that your problem is resolved, I hope this change didn't introduce any security vulnerabilities.
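The thread never shows what HostGator actually changed, so here is an added example (the editor's configuration, not the host's) of the narrow way to handle a script whose src parameter legitimately carries a URL, assuming Apache httpd with ModSecurity 2.x. Which rule blocked the request is unknown here, so no rule ID is named; the directives used (SecRuleEngine, SecRuleRemoveById, the Apache Files container) are all real.

```apache
# Added example, not the change HostGator made (the thread does not show it).
# Assumes Apache httpd with ModSecurity 2.x; which rule blocked the request is
# unknown here, so no rule ID is named.

# What you do not want: the WAF switched off for the whole site so that one
# thumbnail script can take a URL in its src parameter.
#
#   SecRuleEngine Off

# Narrower: keep the engine on everywhere and scope the relaxation to the one
# script. Start with DetectionOnly so the audit log shows which rule fires,
# then replace it with a SecRuleRemoveById for that rule alone.
<Files "timthumb.php">
    SecRuleEngine DetectionOnly
</Files>
```

With the engine left on for the rest of the site, the only thing the exception costs you is blocking on the one script, and once the audit log names the offending rule the DetectionOnly line can be replaced by removing just that rule inside the same Files container.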

  14. #14
    SitePoint Enthusiast (original poster)
    Quote Originally Posted by Mittineague View Post
    [...]
    As good as it is to hear that your problem is resolved, I hope this change didn't introduce any security vulnerabilities.
    Yeah, I hope it doesn't either, but HostGator probably would have been more concerned and not allowed it to change.

