Author Topic: Thumb_Rotate plugin for cpg1.5.x  (Read 40143 times)

Timos-Welt

  • Dev Team member
  • Coppermine addict
  • ****
  • Offline Offline
  • Gender: Male
  • Posts: 800
    • Timos-Welt
Thumb_Rotate plugin for cpg1.5.x
« on: January 07, 2009, 12:48:53 am »

What's this?
This plugin will rotate your thumbnails randomly, giving your gallery a 'comic' look.
Have a look at the attached screenshot to get an impression.
The plugin currently is an alpha version, so use with care!

Requirements
- a fast server
- additional space for the generated thumbnails
- PHP 4.3.2 or PHP 5
- PHP with working GD2 (ImageMagick will NOT work!)
  
Install
1. Unzip.
2. Upload folder thumb_rotate to the plugin folder of your gallery.
3. Install via plugin manager.

Demo gallery
http://cpgdev.timos-welt.de/cpg15x/
« Last Edit: January 28, 2010, 10:03:52 am by Joachim Müller »
Logged

SaWey

  • Dev Team member
  • Coppermine addict
  • ****
  • Offline Offline
  • Gender: Male
  • Posts: 1119
    • SaWey.be
Re: Thumb_Rotate plugin for cpg1.5.x
« Reply #1 on: January 07, 2009, 11:10:18 am »

What about using something like this: http://www.swfir.com/ ?
Should be much less resource intensive.
Logged

Timos-Welt

Re: Thumb_Rotate plugin for cpg1.5.x
« Reply #2 on: January 07, 2009, 12:25:08 pm »

Good idea, but...

Quote
    * Resizing/zooming in Opera crashes the browser
    * Flash of unstyled content: images load first before JavaScript replaces them
    * alt text is not preserved upon replacement
    * HTML right-click options are disabled
    * Incompatible with other JS libraries like Prototype or MooTools
    * Doesn’t work with hot-linked images because of security restrictions in Flash

 ;)
Logged

SaWey

Re: Thumb_Rotate plugin for cpg1.5.x
« Reply #3 on: January 07, 2009, 12:30:24 pm »

I wouldn't use their javascript but only the flash file, this should escape most of those problems
Logged

Timos-Welt

Re: Thumb_Rotate plugin for cpg1.5.x
« Reply #4 on: January 07, 2009, 02:04:43 pm »

Update to version 0.2.

Changes:
- possibility for image border
- better thumb quality
- a few code optimisations

@SaWey: Flashbased_Thumb_Rotate is a nice name for a new plugin, isn't it?  ;)
Logged

Joachim Müller

  • Dev Team member
  • Coppermine addict
  • ****
  • Offline Offline
  • Gender: Male
  • Posts: 47844
  • aka "GauGau"
    • gaugau.de
« Last Edit: April 27, 2009, 09:34:36 am by Joachim Müller »
Logged

Joachim Müller

Re: Thumb_Rotate plugin for cpg1.5.x
« Reply #6 on: April 27, 2009, 09:34:18 am »

I had some time to kill and wanted to use the plugin for the gallery of a friend, so I went ahead and coded a config screen for the plugin (v0.3). I have edited my above download link and added the file to Timo's initial posting as well.

Joachim
Logged

Timos-Welt

Re: Thumb_Rotate plugin for cpg1.5.x
« Reply #7 on: April 27, 2009, 02:50:15 pm »

Absolutely great, Joachim! :) I love your version of the plugin, it's much more user-friendly, and the localisation is perfect in my eyes. I removed the old version from the first post, because there's no advantage in keeping it.

My GD isn't recognized as correct version (see screenshot of phpinfo), so your 'ignore wrong version' box was very useful when installing v0.3. I still simply wonder why anti-aliasing doesn't work at the bottom of the generated thumbnails; seems to me like a GD bug to be honest (it would make the images look a lot better).

best regards
Timo
« Last Edit: April 27, 2009, 03:13:04 pm by Timos-Welt »
Logged

Timos-Welt

Re: Thumb_Rotate plugin for cpg1.5.x
« Reply #8 on: April 27, 2009, 09:41:40 pm »

I've found the bug why anti-aliasing wasn't working at the bottom of the modified thumbs. Version 0.4 looks a lot nicer! :)
Logged

Αndré

  • Administrator
  • Coppermine addict
  • *****
  • Country: de
  • Offline Offline
  • Gender: Male
  • Posts: 15415
Re: Thumb_Rotate plugin for cpg1.5.x
« Reply #9 on: April 28, 2009, 11:14:08 am »

I haven't tested your plugin and I don't know if these points are still needed in the new versions:
Install
1. Unzip.
2. Open codebase.php with a text editor and change values for $maxdegree, $themebackcolor, $border and $brdcolor.
3. Upload folder thumb_rotate to the plugin folder of your gallery.
4. Make subfolder thumb_cache writable, this usually means CHMOD to 755 or 777.
5. Install via plugin manager.
'2.' should be configured during plugin installation (and the values stored in the database).
'4.' this can be done during the plugin installation, too, or am I wrong?

If these 2 points will be changed, the plugin can be installed completely via the plugin manager without file modifications.
Logged

Timos-Welt

Re: Thumb_Rotate plugin for cpg1.5.x
« Reply #10 on: April 28, 2009, 01:52:56 pm »

Removed 2. from the initial posting. No longer necessary after Joachim's additions.
Logged

Joachim Müller

Re: Thumb_Rotate plugin for cpg1.5.x
« Reply #11 on: April 28, 2009, 04:04:12 pm »

Attached is version 0.5, which features some more functions. However, there is no sanitization at all in the relevant file, so it could be abused for virtually any mischief. Don't use the plugin "live" - expect a new version soon to fix the security impact.

Changelog:
  0.4 to 0.5
    - removed image from plugin root that was added in error (resides in sub-folder "images")
    - improved version checking during install for GD version to avoid text in version string spoiling the result
    - changed cache path from folder within plugin path into sub-folder within edit folder, which should be writable out of the box
    - added display of amount of cached files
    - added option to empty cache
    - added farbtastic plugin (http://acko.net/dev/farbtastic)
    - added test to installer to check if cache folder is writable

Because of the impact of the security vulnerability I have temporarily disabled the plugin on the site I initially referred to as well to make sure nobody will attack it using the weakness. I recommend temporarily turning off the demo as well.

Joachim
Logged

Joachim Müller

Re: Thumb_Rotate plugin for cpg1.5.x
« Reply #12 on: April 28, 2009, 04:56:16 pm »

Sometimes it helps if you don't start hacking away, but stop and think for a moment. Here's what I've come up with - please don't take this as criticism, but as a discussion in an effort to play code pong.
There are two major flaws that this plugin has:
1) the fact that the URL parameters for the call to http://example.com/gallery_folder/plugins/thumb_rotate/thumb_rotate.php contain so much sensitive information including paths and filenames that are hard to sanitize and easy to tamper with.
2) All thumbnails get stored within one folder, which will be no drama for 100 files, but it will become a problem for 1,000 files or 10,000 files.

The fix for problem #1 is easy: there's no reason why we have to pass all that sensitive data in the URL - we just need the file thumb_rotate.php (where the actual image calculation happens) aware of the data coppermine already "knows", then we can use what we already have: the picture ID (pid). For that, we don't call the file like this any longer http://example.com/gallery_folder/plugins/thumb_rotate/thumb_rotate.php?img=albums/userpics/10001/thumb_flower.jpg&deg=348&bg=EFEFEF&brd=10&path=albums&brdcol=A2DB14, but like this http://example.com/gallery_folder/index.php?file=thumb_rotate/thumb_rotate&pid=123
All the parameters that we need already are known if you invoke coppermine. From that point on, you just need to accomplish that.

The second problem (with all files being stored in a silly manner inside the cache folder) isn't that hard to solve either: if storing all those files within one folder causes so much trouble, then let's just not do that. So, where could we store the rotated thumbnail instead? Sure, within the folder in which the original thumbnail resides in as well. In fact, we do the very identical thing when using the watermarking mod - we store another copy of each file with another prefix. For this purpose, the prefixes "rotate_left_" and "rotate_right_" come to mind (as we need to store two copies after all). So what do we do now: we could create those two extra copies when the original file gets uploaded and maybe even alter the admin tools to come up with a mass-creation routine, but that would be beyond the scope of a plugin. So what then? Well, let's use the best out of both worlds and create the rotated thumbs on the fly (when they are needed), but keep them permanently. Basically, the lookup already exists in the code - it just needs to be edited to make it look into the proper folder.
Now on to the last issue: the cached copies of the rotated thumbs get obsolete if the user changes one of the options, so how could we handle that? In the existing code, you renamed all files, adding the possible parameters to the file name. This would make things nearly impossible to maintain, so this is where the database comes into play: let's add a column to the pictures table during plugin install. Into that field (for each image record), we'll just store a flag "rotated thumbnail exists" (true/false). Whenever a rotated copy was created, that database field is being updated. Whenever the config for the plugin is changed and all rotated thumbnails become obsolete, you just run a query to empty the entire column.

So, this is all doable. The question is: who (if at all) is going to code this? Please give me your thoughts on my proposals.

Joachim
Logged
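
The pid-only lookup proposed in Reply #12, sketched as an added example (not code from the plugin or from Coppermine). The `PICTURES` array stands in for the pictures table, and `rotated_thumb_path()`, the sample row and the temporary folder are hypothetical names constructed for the demo; only the `rotate_left_` prefix comes from the post.

```php
<?php
// Constructed stand-in for the pictures table (pid => stored path parts).
const PICTURES = [
    123 => ['filepath' => 'userpics/10001/', 'filename' => 'flower.jpg'],
];

/**
 * Resolve the rotated-thumbnail path from a pid alone (hypothetical helper).
 * Returns null unless the pid is a known picture below $albumsRoot.
 */
function rotated_thumb_path($rawPid, string $albumsRoot, string $prefix = 'rotate_left_'): ?string
{
    // Accept only a plain positive integer: "123abc", "0" and "../x.jpg" all fail.
    $pid = filter_var($rawPid, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($pid === false || !array_key_exists($pid, PICTURES)) {
        return null;
    }
    $row = PICTURES[$pid];
    // Path parts come from the server-side record, never from the URL.
    $root = realpath($albumsRoot);
    $dir  = realpath($albumsRoot . DIRECTORY_SEPARATOR . $row['filepath']);
    // Defence in depth: the resolved folder must still sit below the albums root.
    if ($root === false || $dir === false
        || strpos($dir . DIRECTORY_SEPARATOR, $root . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $dir . DIRECTORY_SEPARATOR . $prefix . basename($row['filename']);
}

// Throwaway albums tree so the demo runs anywhere (constructed).
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'albums_demo_' . getmypid();
mkdir($root . '/userpics/10001', 0755, true);

foreach (['123', '123abc', '0', '../x.jpg', '999'] as $input) {
    $path = rotated_thumb_path($input, $root);
    printf("%-12s => %s\n", var_export($input, true), $path ?? 'rejected');
}

// Remove the demo folders again.
rmdir($root . '/userpics/10001');
rmdir($root . '/userpics');
rmdir($root);
```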

Timos-Welt

Re: Thumb_Rotate plugin for cpg1.5.x
« Reply #13 on: April 28, 2009, 06:22:22 pm »

Thanks for your thoughts, I'm thinking about a solution for all the issues.

Another security flaw:
The plugin config page can be called and settings can be changed by any user without logging into the gallery:
http://link_to_gallery/index.php?file=thumb_rotate/index

A problem of version 0.5:
The cache folder at albums/edit/thumb_rotate_cache doesn't work for me. Somehow the folder has been created with permissions that don't allow me to do anything with it (see attached screenshot of Filezilla). The script isn't allowed to put any files into it. I can't even delete the folder on the server via FTP or change its permissions, it's stuck forever now. :(

regards
Timo
« Last Edit: April 28, 2009, 07:24:15 pm by Timos-Welt »
Logged

Αndré

Re: Thumb_Rotate plugin for cpg1.5.x
« Reply #14 on: April 28, 2009, 07:12:07 pm »

Quote
    The plugin config page can be called and settings can be changed by any user without logging into the gallery.
Just add
Code: [Select]
if (!GALLERY_ADMIN_MODE) cpg_die(ERROR, $lang_errors['access_denied'], __FILE__, __LINE__);
to the top of the file.

Quote
    A problem of version 0.5:
    The cache folder at albums/edit/thumb_rotate_cache doesn't work for me. Somehow the folder has been created with permissions that don't allow me to do anything with it (see attached screenshot of Filezilla). The script isn't allowed to put any files into it. I can't even delete the folder on the server via FTP or change its permissions, it's stuck forever now. :(
You have to delete this folder with a php script, because you don't have the permission to delete the folder via ftp.
« Last Edit: April 29, 2009, 08:55:04 am by eenemeenemuu »
Logged

Timos-Welt

Re: Thumb_Rotate plugin for cpg1.5.x
« Reply #15 on: April 28, 2009, 07:28:20 pm »

@eenemeenemuu:
Thanks for the tip; just deleting it via php wasn't enough, I had to change the permissions via php first:
Code: [Select]
chmod('thumb_rotate_cache',0777);
*mopping the sweat out of my face*   ;)
Logged

Joachim Müller

Re: Thumb_Rotate plugin for cpg1.5.x
« Reply #16 on: April 29, 2009, 07:30:33 am »

Quote
    The use of this plugin is currently not secure. Please don't use it on any productive website!
Thanks for adding the warning. However, this sub-board currently isn't visible yet for the public, so there's little harm done. However, the cpg1.4.x-version of the plugin (http://forum.coppermine-gallery.net/index.php/topic,57469.0.html) is vulnerable as well, so you might want to review that as well. The good news is: the plugin flavors for cpg1.5.x and cpg1.4.x won't make a big difference, since there is no fancy regex-stuff going on in the sanitization (which might be a show-stopper for some plugins to be backported). So once we get this issue solved, we can easily address the same issue in cpg1.4.x and add the config section to it just as well.

Quote
    *mopping the sweat out of my face*   ;)
Hehe, please review your config settings for Default mode for directories, because that's what is being used as mode toggle. I'll look this up in the core code to see how new folders are being created out of the box. I'll add that to v0.6 as well as the fix from eenemeenemuu regarding permissions (thanks!).
Logged

Joachim Müller

Re: Thumb_Rotate plugin for cpg1.5.x
« Reply #17 on: April 29, 2009, 07:32:15 am »

Talking about releases: Do you both feel that you're ready for SVN write access? That would make development of this plugin much easier.
Logged

Αndré

Re: Thumb_Rotate plugin for cpg1.5.x
« Reply #18 on: April 29, 2009, 08:03:07 am »

I'm not sure ;D
Everything I've done with svn yet is: checkout & commit without changes by other users in the meantime. I don't know which difficulties can occur, but I'm sure that Google knows the solution of occurring conflicts ;)
Logged

Joachim Müller

Re: Thumb_Rotate plugin for cpg1.5.x
« Reply #19 on: April 29, 2009, 08:50:58 am »

Quote
    I'll look this up in the core code to see how new folders are being created out of the box.
OK, I have to apologize: the lines
Code: [Select]
    is_dir(dirname($CONFIG['fullpath'] . 'edit/thumb_rotate_cache/')) || mkdir_recursive(dirname($CONFIG['fullpath'] . 'edit/thumb_rotate_cache/'), $CONFIG['default_dir_mode']);
    $result = is_dir($CONFIG['fullpath'] . 'edit/thumb_rotate_cache/') || @mkdir($CONFIG['fullpath'] . 'edit/thumb_rotate_cache/', $CONFIG['default_dir_mode']);
should actually have been
Code: [Select]
    is_dir(dirname($CONFIG['fullpath'] . 'edit/thumb_rotate_cache/')) || mkdir_recursive(dirname($CONFIG['fullpath'] . 'edit/thumb_rotate_cache/'), octdec($CONFIG['default_dir_mode']));
    $result = is_dir($CONFIG['fullpath'] . 'edit/thumb_rotate_cache/') || @mkdir($CONFIG['fullpath'] . 'edit/thumb_rotate_cache/', octdec($CONFIG['default_dir_mode']));
Logged
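
Why the `octdec()` call in Reply #19 matters, as an added example that is not code from the plugin or from Coppermine. It assumes the directory mode reaches the code as a string such as `'0755'` and a umask of 022; `mode_to_string()` and `effective_dir_mode()` are hypothetical helpers. Without `octdec()`, PHP reads the string as decimal 755, which is octal 1363, so the folder gets a mode in which its owner cannot read it.

```php
<?php
// Render permission bits the way `ls -l` prints them, including special bits.
function mode_to_string(int $mode): string
{
    $out = '';
    foreach ([6, 3, 0] as $shift) {
        $bits = ($mode >> $shift) & 7;
        $out .= ($bits & 4 ? 'r' : '-') . ($bits & 2 ? 'w' : '-') . ($bits & 1 ? 'x' : '-');
    }
    if ($mode & 01000) { $out[8] = ($out[8] === 'x') ? 't' : 'T'; } // sticky
    if ($mode & 02000) { $out[5] = ($out[5] === 'x') ? 's' : 'S'; } // setgid
    if ($mode & 04000) { $out[2] = ($out[2] === 'x') ? 's' : 'S'; } // setuid
    return $out;
}

// The mode handed to mkdir() and the mode requested once the umask is applied.
// (The operating system may additionally ignore some of the special bits.)
function effective_dir_mode(string $configValue, bool $useOctdec, int $umask = 022): array
{
    $passed = $useOctdec ? octdec($configValue) : (int) $configValue;
    $onDisk = $passed & ~$umask & 07777;
    return [sprintf('%04o', $passed), sprintf('%04o', $onDisk), 'd' . mode_to_string($onDisk)];
}

// Constructed sample config values (assumed to be stored as strings).
foreach (['0755', '0777'] as $stored) {
    foreach ([false, true] as $useOctdec) {
        [$passed, $onDisk, $ls] = effective_dir_mode($stored, $useOctdec);
        $label = $useOctdec ? "octdec('$stored')" : "(int) '$stored'";
        printf("%-16s passed=%s after-umask=%s %s\n", $label, $passed, $onDisk, $ls);
    }
}
```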