Topic: Mask URL Plugin for CPG 1.5.x

gmc

  • Dev Team member
Re: Mask URL Plugin for CPG 1.5.x
« Reply #20 on: April 22, 2015, 06:41:03 pm »

Quote
The thumbnails are displayed in one go however the full size is not. This starts after 'enlarging' the second and consecutive pictures.
I can't reproduce your issue this time...
I've tried with/without EnlargeIt... going from thumb to intermediate to full size... browser back from intermediate to thumb... choosing another thumb to view... using both Encrypt, and Dynamic IV - with no failures...

With Dynamic IV and 'internal' (ie - not 'external') URLs - I cannot right click on an image and say 'view image' - but that isn't Coppermine functionality...

If you can share your config options, any relevant plugins, and how you create the error - I'd be happy to look further..
Thanks!
Greg

marcelm

  • Coppermine regular visitor
Re: Mask URL Plugin for CPG 1.5.x
« Reply #21 on: April 22, 2015, 10:08:58 pm »

Solved the problem with the second or third picture not being displayed. It is the entl_cnt.php file that is advised by Timo to put in the root (plugins/enlargeit/sub-dir CopyToRoot) where the other php files are. I put it in there as advised because some time ago I saw this one cropping up in the log files.

On second thought it could be obsolete in Coppermine 1.5.x and I have to check it by downloading the latest version. I noticed that in the enl_*.php files the Coppermine version is 1.4.x

Code:
x.x.x.x - - [22/Apr/2015:21:49:12 +0200] "GET /plugins/maskurl/displayimage.php?photokey=YtvJTbYpREEKfV6yz5Amoq4%2F83baHifyjFev4OyLn6cipjyqopJCZDECcFVF1V78OX580QlUUf1spl7mDA%3D%3D HTTP/1.1" 200 250849 "http://site.nl/plugins/maskurl/displayimage.php?photokey=YtvJTbYpREEKfV6yz5Amoq4%2F83baHifyjFev4OyLn6cipjyqopJCZDECcFVF1V78OX580QlUUf1spl7mDA%3D%3D" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:39.0) Gecko/20100101 Firefox/39.0"
x.x.x.x - - [22/Apr/2015:21:49:14 +0200] "GET /plugins/maskurl/displayimage.php?photokey=YtvJTbYpREEKfV6yz5Amoq4%2F83baHifyjFev4OyLn6cipjyqopJCZDECcFVF1V78OX580QlUVoCFjelAVw%3D%3D HTTP/1.1" 200 237390 "http://site.nl/plugins/maskurl/displayimage.php?photokey=YtvJTbYpREEKfV6yz5Amoq4%2F83baHifyjFev4OyLn6cipjyqopJCZDECcFVF1V78OX580QlUVoCFjelAVw%3D%3D" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:39.0) Gecko/20100101 Firefox/39.0"
x.x.x.x - - [22/Apr/2015:21:49:14 +0200] "GET /enl_cnt.php?a=4899 HTTP/1.1" 200 - "http://site.nl/enl_cnt.php?a=4899" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:39.0) Gecko/20100101 Firefox/39.0"
x.x.x.x - - [22/Apr/2015:21:49:19 +0200] "GET /plugins/maskurl/displayimage.php?photokey=YtvJTbYpREEKfV6yz5Amoq4%2F83baHifyjFev4OfZoEOA5PUcCOweKO4Z2a7UQd5U2Lc%3D HTTP/1.1" 200 - "http://site.nl/plugins/maskurl/displayimage.php?photokey=YtvJTbYpREEKfV6yz5Amoq4%2F83baHifyjFev4OfZoEOA5PUcCOweKO4Z2a7UQd5U2Lc%3D" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:39.0) Gecko/20100101 Firefox/39.0"
x.x.x.x - - [22/Apr/2015:21:49:19 +0200] "GET /enl_cnt.php?a=4898 HTTP/1.1" 200 - "http://site.nl/enl_cnt.php?a=4898" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:39.0) Gecko/20100101 Firefox/39.0"
x.x.x.x - - [22/Apr/2015:21:49:22 +0200] "GET /plugins/maskurl/displayimage.php?photokey=YtvJTbYpREEKfV6yz5Amoq4%2F83baHifyjFev4OfZoEOA5PUcCOweKO4Z2a7UQd5U2Lc%3D HTTP/1.1" 200 - "http://site.nl/plugins/maskurl/displayimage.php?photokey=YtvJTbYpREEKfV6yz5Amoq4%2F83baHifyjFev4OfZoEOA5PUcCOweKO4Z2a7UQd5U2Lc%3D" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:39.0) Gecko/20100101 Firefox/39.0"

On the first picture you see two lines using displayimage.php and on picture two and three you see enl_cnt.php being called first.

Always nice riddles and due to the excellent logging system, just reading gives a lot of insight and help. It also helps to have a break so you have new ideas where to look and how to test.  :D
Logged
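A way to find these failures in an access log, as an added example that is not part of the original post or of either plugin: it flags Mask URL image requests answered with status 200 but no body, and reports the last other PHP page the same client requested just before. The sample log lines are constructed and the function name is hypothetical.

```python
import re
from urllib.parse import urlsplit

# Constructed sample in Apache combined log format (not the thread's own lines).
SAMPLE_LOG = """\
203.0.113.7 - - [22/Apr/2015:21:49:12 +0200] "GET /plugins/maskurl/displayimage.php?photokey=AAAA%3D HTTP/1.1" 200 250849 "-" "UA"
203.0.113.7 - - [22/Apr/2015:21:49:14 +0200] "GET /enl_cnt.php?a=4899 HTTP/1.1" 200 - "-" "UA"
203.0.113.7 - - [22/Apr/2015:21:49:19 +0200] "GET /plugins/maskurl/displayimage.php?photokey=BBBB%3D HTTP/1.1" 200 - "-" "UA"
198.51.100.9 - - [22/Apr/2015:21:49:20 +0200] "GET /plugins/maskurl/displayimage.php?photokey=CCCC%3D HTTP/1.1" 200 1200 "-" "UA"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
MASKED = "/plugins/maskurl/displayimage.php"

def find_blank_masked_images(log_text):
    """Return (timestamp, client, preceding_php_path) for every masked-image
    request answered 200 with no body. preceding_php_path is the last other
    .php page that client requested since its previous masked-image request."""
    last_other = {}   # client ip -> path of most recent non-maskurl .php request
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line
        ip, path = m["ip"], urlsplit(m["target"]).path
        if path == MASKED:
            # Apache writes "-" in the size field when no body bytes were sent.
            if m["status"] == "200" and m["size"] in ("-", "0"):
                findings.append((m["ts"], ip, last_other.get(ip)))
            last_other.pop(ip, None)
        elif path.endswith(".php"):
            last_other[ip] = path
    return findings

if __name__ == "__main__":
    for ts, ip, cause in find_blank_masked_images(SAMPLE_LOG):
        print(f"{ts} {ip}: empty masked image, preceded by {cause or 'no other PHP request'}")
```
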

marcelm

Re: Mask URL Plugin for CPG 1.5.x
« Reply #22 on: April 22, 2015, 11:22:07 pm »

hmmmmmm, bit tired and doing things at the same time is no good. So some corrections on my previous posting.

First line I write 'entl_cnt.php' and that should have been 'enl_cnt.php'
Last line, Always nice those riddles, thanks to the excellent logging system. Just reading the log gives a lot of insight and help so that even I can make heads and tails of it...most of the time. It also helps to take a break if you have to solve a problem so that you have new ideas where to look and how to test better. Often the solution is just sitting in front of you. You just do not see it when you are too fixated and did the same test over and over and over to no avail.  ;)

I am very pleased with the plug-in and hope that others are going to use it now.

marcelm

Re: Mask URL Plugin for CPG 1.5.x
« Reply #23 on: April 24, 2015, 11:23:30 pm »

Dutch translation added.

marcelm

Re: Mask URL Plugin for CPG 1.5.x
« Reply #24 on: April 24, 2015, 11:50:47 pm »

To solve my error log being filled up with messages about enl_cnt.php I changed the counter setting in EnlargeIt:

File: codebase.php in EnlargeIt plugin directory

Find: enl_usecounter and change it to 0

Code:
// Disable the counter by setting enl_usecounter to 0; this is for using the Mask URL plugin with Dynamic IV
    $enlargeit_headcode .= "enl_usecounter = 0;
    ";
    $enlargeit_headcode .= "enl_counterurl = 'enl_cnt.php?a=';
    ";

marcelm

Re: Mask URL Plugin for CPG 1.5.x
« Reply #25 on: April 25, 2015, 12:04:52 am »

I found a problem with Dynamic IV. When browsing through pages, Dynamic IV blocks itself: when you use history-1/backspace, the encrypted string has become invalid for Mask URL. The browser just serves the cached page.

After doing a reload/pressing F5 all encrypted strings are generated again and all is fine again.

gmc

Re: Mask URL Plugin for CPG 1.5.x
« Reply #26 on: April 25, 2015, 03:28:33 am »

Quote
Dutch translation added.
Thank you!  I will include in the next package.

Quote
I found a problem with Dynamic IV. When browsing through pages, Dynamic IV blocks itself: when you use history-1/backspace, the encrypted string has become invalid for Mask URL. The browser just serves the cached page.

After doing a reload/pressing F5 all encrypted strings are generated again and all is fine again.
Well - the tighter the security, the more things will get caught...
I can't recreate what you are seeing - the only time I see an error (non-displayed image) is at times trying to right click and view image - which is going outside Coppermine...  Even use of my browser's Back button hasn't caused additional errors.
Perhaps another plugin getting in the way?
Let me know the details of what other plugins you use and exactly how you get the error - and I will look into it.

I think with the combination of options available, an appropriate balance can be found by someone wishing to use this.
The mask/encryption options combined with the URL options give a variety of choices.
And if not - I welcome ideas for additional choices (Dynamic IV being one of them I added at others' suggestion...)


marcelm

Re: Mask URL Plugin for CPG 1.5.x
« Reply #27 on: April 25, 2015, 11:36:29 am »

It is not that difficult to reproduce. Install EnlargeIt and go to the last uploads. You get a display of thumbnails and go to the next page. When you use the back key to go to the previous page, it will be displayed from cache and the strings are already invalid on the servers because the page was not reloaded.

I am using EnlargeIt, html5slider, slider and linktarget

gmc

Re: Mask URL Plugin for CPG 1.5.x
« Reply #28 on: April 26, 2015, 04:08:12 am »

Interesting... I wasn't able to recreate the issue with Firefox - or with the browser on a WebOS device...  I tried Chrome and can see the issue - and same with Android browser (running lollipop).
Seems the browsers handle 'Back' processing differently. 
Firefox appears to restore the cookie values as part of 'Back' processing? or is reloading the page?

(Using 'Encryption' instead of 'Encryption with Dynamic IV' won't have this issue... I'll add a script that can be used via cron to change keys once a day as an alternative for something 'in between'...)

May have to find a way to force a page reload on 'Back' processing... Could be doable via javascript or header Cache Control like:
header("Cache-Control: no-store").. Have to see if either of these will help - and best way to implement...

marcelm

Re: Mask URL Plugin for CPG 1.5.x
« Reply #29 on: April 26, 2015, 10:47:33 am »

If I get it right, Encryption is refreshed when I press submit in the MaskURL page. Dynamic IV is every loaded page. So why not refresh on start of a session.

Each time I visit the website I get a new encryption. Someone can share the picture as long as the browser session is active. If you want to limit the duration of the exposure you can refresh every so many minutes after the start of the session.

The administrator of the website can choose then for session or for session plus encryption.

gmc

Re: Mask URL Plugin for CPG 1.5.x
« Reply #30 on: April 26, 2015, 05:48:41 pm »

Quote
If I get it right, Encryption is refreshed when I press submit in the MaskURL page. Dynamic IV is every loaded page.
With the first 'Encrypt URL' option, the keys are refreshed when the plugin is installed - and anytime you 'Submit' configuration changes with 'Refresh Encryption Keys' checked...
With the 'Dynamic IV' option, one component is regenerated on every page load that drives true Coppermine initialization (use of 'external urls' bypasses this for some displays - allowing plugins like EnlargeIt to still function... but every Coppermine page load will still refresh keys.)

Quote
So why not refresh on start of a session.
Each time I visit the website I get a new encryption. Someone can share the picture as long as the browser session is active. If you want to limit the duration of the exposure you can refresh every so many minutes after the start of the session.
I like the idea... Working on it...

Quote
The administrator of the website can choose then for session or for session plus encryption.
And that is the whole idea - admin's choice for what level of complexity (and overhead) they want to use.
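The difference between refreshing on every page load and refreshing per session with a time limit, as discussed in replies #25 to #30, shown as an added example that is not the Mask URL plugin's code. It is a simplified model of link validity only: random server-side tokens stand in for the encrypted photokey (the thread does not show the plugin's cipher), and the class, policy names and 900-second limit are assumptions.

```python
import secrets

class MaskedLinks:
    """Hypothetical model: only the current key period can resolve a link."""

    def __init__(self, policy, ttl=900):
        self.policy = policy      # "per_load" or "session_ttl" (assumed names)
        self.ttl = ttl            # seconds a session key period stays valid
        self.started = None       # time the current key period began
        self.tokens = {}          # token -> picture id, current period only

    def page_load(self, pids, now):
        """A full page load: rotate if the policy says so, then issue links."""
        expired = self.started is None or now - self.started >= self.ttl
        if self.policy == "per_load" or expired:
            self.started = now
            self.tokens.clear()   # every link issued earlier stops resolving
        links = {}
        for pid in pids:
            token = secrets.token_urlsafe(16)
            self.tokens[token] = pid
            links[pid] = token
        return links

    def resolve(self, token, now):
        """An image request: return the picture id, or None for a stale link."""
        pid = self.tokens.get(token)
        if pid is None or now - self.started >= self.ttl:
            return None
        return pid

def back_button_works(policy, delay=5, ttl=900):
    """Load page 1, load page 2, then reuse a page-1 link from the browser
    cache `delay` seconds later, without the server seeing a reload."""
    site = MaskedLinks(policy, ttl)
    page1 = site.page_load([101, 102], now=0)
    site.page_load([103, 104], now=2)
    return site.resolve(page1[101], now=2 + delay) == 101

if __name__ == "__main__":
    print("per_load, Back after 5 s:     ", back_button_works("per_load"))
    print("session_ttl, Back after 5 s:  ", back_button_works("session_ttl"))
    print("session_ttl, Back after 1000 s:", back_button_works("session_ttl", delay=1000))
```
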