Topic: [Fixed]: Selecting private pics as a category thumbnail.

Nibbler

  • Guest
[Fixed]: Selecting private pics as a category thumbnail.
« on: February 04, 2009, 11:42:21 pm »

See http://forum.coppermine-gallery.net/index.php/topic,56992.0.html

Code in question is index.php

Code:
                if ($subcat['thumb'] > 0) {
                    $sql = "SELECT filepath, filename, url_prefix, pwidth, pheight " . "FROM {$CONFIG['TABLE_PICTURES']} " . "WHERE pid='{$subcat['thumb']}'" . $pic_filter;
                    $result = cpg_db_query($sql);
                    if (mysql_num_rows($result)) {
                        $picture = mysql_fetch_array($result);
                        mysql_free_result($result);
                        $pic_url = get_pic_url($picture, 'thumb');
                        if (!is_image($picture['filename'])) {
                            $image_info = getimagesize(urldecode($pic_url));
                            $picture['pwidth'] = $image_info[0];
                            $picture['pheight'] = $image_info[1];
                        }
                        $image_size = compute_img_size($picture['pwidth'], $picture['pheight'], $CONFIG['alb_list_thumb_size']);
                        $user_thumb = "<img src=\"" . $pic_url . "\" class=\"image\" {$image_size['geom']} border=\"0\" alt=\"\" />";
                        $user_thumb = "<a href=\"index.php?cat={$subcat['cid']}\">" . $user_thumb . "</a>";
                    }
                } else {
                    $user_thumb = "";
                }

That mysql_num_rows() check needs an else for the case of the category thumbnail failing the permission check added by $pic_filter. As it is now, $user_thumb is kept around from the previous loop, and also gets indented each time.

I'm not sure if the real bug is being able to select such a thumbnail in the first place, but that's not readily fixable since permissions can of course be changed after the cat thumb is set.

I think we should either display no thumbnail or use the 'private icon', same as for albums.
« Last Edit: February 20, 2009, 12:15:24 am by Nibbler »
Logged

Joachim Müller

Re: Selecting private pics as a category thumbnail.
« Reply #1 on: February 05, 2009, 07:32:30 am »

> I think we should either display no thumbnail or use the 'private icon', same as for albums.
I vote for option 1.
Logged

Nibbler

  • Guest
Re: Selecting private pics as a category thumbnail.
« Reply #2 on: February 20, 2009, 12:15:08 am »

Done.
Logged
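
The stale-variable behaviour discussed in this thread, reduced to a standalone script. This is an added example, not Coppermine code and not the change that was committed: the in-memory arrays stand in for the pictures table and $pic_filter, and fetch_visible_picture() and render_thumbs() are hypothetical names. The $fixed switch clears $user_thumb at the top of every iteration, which gives the "display no thumbnail" outcome.

```php
<?php
// Added illustration; not Coppermine code. Data and helper names are constructed.
// Pictures table stand-in: pid => [file, visible to the current visitor?]
$pictures = [
    10 => ['file' => 'public_cat.jpg',  'visible' => true],
    20 => ['file' => 'private_cat.jpg', 'visible' => false],
];
// Categories in display order; 'thumb' is the pid chosen as category thumbnail.
$categories = [
    ['cid' => 1, 'thumb' => 10],
    ['cid' => 2, 'thumb' => 20], // this thumbnail fails the permission filter
];

// Stand-in for the SELECT ... WHERE pid=... plus $pic_filter: returns null
// when the picture does not exist or the visitor may not see it.
function fetch_visible_picture(array $pictures, int $pid): ?array
{
    $pic = $pictures[$pid] ?? null;
    return ($pic !== null && $pic['visible']) ? $pic : null;
}

function render_thumbs(array $categories, array $pictures, bool $fixed): array
{
    $out = [];
    foreach ($categories as $subcat) {
        if ($fixed) {
            $user_thumb = ''; // reset per iteration so every path starts empty
        }
        if ($subcat['thumb'] > 0) {
            $picture = fetch_visible_picture($pictures, $subcat['thumb']);
            if ($picture !== null) {
                $user_thumb = '<a href="index.php?cat=' . $subcat['cid'] . '">'
                    . '<img src="' . htmlspecialchars($picture['file']) . '" alt="" /></a>';
            }
            // Without the reset there is no else here: the old value survives.
        } else {
            $user_thumb = '';
        }
        $out[$subcat['cid']] = $user_thumb;
    }
    return $out;
}

print_r(render_thumbs($categories, $pictures, false)); // cid 2 reuses cid 1's markup
print_r(render_thumbs($categories, $pictures, true));  // cid 2 is an empty string
```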