Joined: Jul 2007
Posts: 5
Lurker
Could someone point me to where I can locate info for: code edits to allow dynamic images Vers 7.1.1 thanks!
|
Joined: Jun 2004
Posts: 4
Lurker
I think we need something like this, updated for the latest version: https://www.ubbdev.com/forums/ubbthreads.php?ubb=showflat&Number=264598#Post264598
Going by that, I figure it's this code that needs to be changed:
    if( ($config['ALLOW_IMAGE_MARKUP'] && $type != "sig") || ( $config['IMAGE_MARKUP_IN_SIGS'] && $type == "sig" ) ) {
        $regexes[] = array( "#\[img\]([^?\['\"]+?)\.(gif|png|jpg|jpeg)\[/img\]#i", '<img src="\1.\2" alt="" />' );
        $regexes[] = array( "#\[image\]([^?\['\"]+?)\.(gif|png|jpg|jpeg)\[/image\]#i", '<img src="\1.\2" alt="" />' );
        $regexes[] = array( "#\[img:(left|right|center)\]([^?\['\"]+?)\.(gif|png|jpg|jpeg)\[/img\]#i", '<img src="\2.\3" align="\1" alt="" />' );
        $regexes[] = array( "#\[image:(left|right|center)\]([^?\['\"]+?)\.(gif|png|jpg|jpeg)\[/image\]#i", '<img src="\2.\3" align="\1" alt="" />' );
    }
But I don't do regex so I have no idea. If I remove the ? from then it will post as an image but won't show the correct text. What do we have to change in that regex to allow the "?" ??? Or is it altogether somewhere else in the forum?
|
Joined: Jan 2000
Posts: 5,834 Likes: 20
UBBDev Owner Time Lord
Well, I believe this is "as is" due to security concerns; the system actively refuses images with ? or which don't match the file types; this is done so knobs can't just embed a so-called image which isn't an image (but instead a cleverly disguised script).
I, however, leave this thread to Ian or Rick when they get the chance to go more in-depth on the how's and why's.
|
Joined: Jun 2004
Posts: 4
Lurker
Well that makes about as much sense as trying to stop someone viewing your html source or right clicking to save your images. It can't be done so there's no sense worrying about it. The entire internet is dynamic and there's no way you're going to avoid "us knobs" trying to make it more useful and interesting. If you're that concerned about dynamic image scripts, or any interactive script, there's a simple solution. Unplug your computer. Anyway, thanks for your concern but we're not asking why the choice is lacking, only how to enable that choice.
|
Joined: Jan 2000
Posts: 5,834 Likes: 20
UBBDev Owner Time Lord
It's not those scripts, it's the kind that install malicious software to your server and get your plug pulled for you by your host/datacenter...
When I said "knobs", I didn't mean you as a legitimate user, I meant some random fly by script which is scanning your webhost/subnet for "yet another target" that they can "own" for a botnet due to insecurities...
|
Joined: Jan 2000
Posts: 5,834 Likes: 20
UBBDev Owner Time Lord
Here's an example; I've seen some sites setting "gif" as a plaintext file, and link to it as an image; an example would be this one that I pulled from my log files (not an image in this instance): http://www.the-esao.com/imag/stringa.txt
This type of "blocking" isn't out of the ordinary, check out all those which have plagued phpbb, one of which is this and several other "remote file inclusion" bugs.
|
Joined: Jan 2000
Posts: 5,834 Likes: 20
UBBDev Owner Time Lord
Btw, most gallery software nowadays (which is what I'm assuming you're using) have a SE friendly urls option, which generally use PATH_INFO (like the UBB does) or mod_rewrite to create "virtual" directories, which would end up like: image.php\text\sometext\ext.gif
|
Joined: Jun 2004
Posts: 4
Lurker
Haven't had a problem with remote include attempts since switching to phpSuExec. Yeah, I could recode to use htaccess and addtype as well but it's a pain. Either way, it's still a dynamic image. phpbb was just a disaster waiting to happen. Only surprise is that it took so long to surface! I don't see a problem with image code though as long as it's parsed as an image by the forum. The worst that can happen is someone finds out what OS and plugins you're running. Opera and Mozilla based browsers return that info and more with a little javascript anyway and just about everyone's got urchin.js on their system now which I'd be a lot more concerned about.
|
Joined: Jun 2004
Posts: 4
Lurker
Ok, we found the answer. Change:
    $regexes[] = array( "#\[img\]([^?\['\"]+?)\.(php|gif|png|jpg|jpeg)\[/img\]#i", '<img src="\1.\2" alt="" />' );
to:
    $regexes[] = array( "#\[img\]([^\['\"]+?)\.(php|gif|png|jpg|jpeg)\[/img\]#i", '<img src="\1.\2" alt="" />' );
at line #1029 of ubbthreads.inc.php. Same for any other regexes that disallow dynamic tags.
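Added example, not part of the thread and not UBB.threads' own code: a PHP script that runs the stock [img] pattern quoted earlier and the relaxed pattern from the last post over a handful of constructed posts, to show exactly which URLs each rule turns into an <img> tag. The example.com URLs and the render_img() helper are assumptions made for the illustration.

```php
<?php
// Added example: the two [img] patterns from the thread, run over constructed
// sample posts. example.com URLs are placeholders, not taken from the thread.

// Stock rule: no "?", "[", "'" or '"' in the URL; must end in an image extension.
$strict  = "#\[img\]([^?\['\"]+?)\.(gif|png|jpg|jpeg)\[/img\]#i";
// Rule from the last post: "?" allowed in the URL, "php" added to the extensions.
$relaxed = "#\[img\]([^\['\"]+?)\.(php|gif|png|jpg|jpeg)\[/img\]#i";
$replacement = '<img src="\1.\2" alt="" />';

$samples = array(
    'static image'        => '[img]http://example.com/a/photo.jpg[/img]',
    'script, no query'    => '[img]http://example.com/sig.php[/img]',
    'query, ends in .png' => '[img]http://example.com/sig.php?u=42&f=x.png[/img]',
    'query, no extension' => '[img]http://example.com/sig.php?u=42[/img]',
    'text file'           => '[img]http://example.com/imag/notes.txt[/img]',
    'double quote in URL' => '[img]http://example.com/a"b.png[/img]',
);

// Hypothetical helper: returns the generated <img> tag, or null when the rule
// does not match and the post text would be left as typed.
function render_img($pattern, $replacement, $text)
{
    $html = preg_replace($pattern, $replacement, $text, -1, $count);
    return $count > 0 ? $html : null;
}

foreach ($samples as $label => $text) {
    $a = render_img($strict, $replacement, $text);
    $b = render_img($relaxed, $replacement, $text);
    printf("%-20s strict: %-8s relaxed: %s\n",
        $label,
        $a === null ? 'rejected' : 'accepted',
        $b === null ? 'rejected' : $b);
}

// Both rules only test how the URL is spelled. Neither can tell what the remote
// server actually returns for it, so the extension list is not a content check.
```

The relaxed rule still requires the URL to end in a listed extension, so a query string that does not end in one is left as plain text, and both rules keep excluding quote characters from the URL that is copied into the src attribute.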