Advanced search  

News:

cpg1.5.48 Security release - upgrade mandatory!
The Coppermine development team is releasing a security update for Coppermine in order to counter a recently discovered vulnerability. It is important that all users who run version cpg1.5.46 or older update to this latest version as soon as possible.
[more]

Pages: [1]   Go Down

Author Topic: Active Hyperlinks in Image Captions v1.3 - bbcode [url] alternative  (Read 22513 times)

0 Members and 1 Guest are viewing this topic.

Joe Carver

  • Dev Team member
  • Coppermine addict
  • ****
  • Country: us
  • Offline Offline
  • Gender: Male
  • Posts: 1545
  • aka 'i-imagine'
    • Home Page

This plugin will allow users to add active hyperlinks in the Image Caption/Description field. The function make_clickable that is built into Coppermine is used to create the output of an active hyperlink. This is the same function used when Comments (with hyperlinks) are displayed.

Just enter the text of the hyperlink as a "www" or "http://" into the Image Description field. It will then be active and clickable when the image is displayed.

    Examples to use

          ++++++

    This can be an alternative for users who miss the bbcode links from older versions of Coppermine. This does not depend on bbcode at all. If you use bbcode [ u r l ] the link + plugin will not work (or be seen either!)
         
          ++++++

    The attached .zip(s) have revisions 1.2 - 1.3. Reports are welcome. Support will be very limited.

      Notes:
      • Words like "delete", "edit", etc will be stripped from the caption and hyperlink
      • Very long or complex URL's might not show
      • You cannot change the text showing the hyperlink
      • this is different than bbcode!


            ++++++

      - Version 1.2 - Recommended for single user galleries only
      Warning - Use at your own risk - see below - Version 1.2


      - Version 1.3 is recommended for most users
          
            ++++++

      To add hyperlinks in Image Titles - Version 1.2 ONLY has the option. Edit codebase.php where shown in the code and also shown in readme.txt file.
      « Last Edit: January 18, 2010, 05:28:28 pm by Joe Carver »
      Logged

      Joachim Müller

      • Dev Team member
      • Coppermine addict
      • ****
      • Offline Offline
      • Gender: Male
      • Posts: 47843
      • aka "GauGau"
        • gaugau.de
      Re: Active Hyperlinks in Image Captions
      « Reply #1 on: June 17, 2009, 07:29:40 pm »

      How did you circumvent the issues that lead to bbcode [ u r l ] getting disabled for security reasons?
      Logged

      Joe Carver

      • Dev Team member
      • Coppermine addict
      • ****
      • Country: us
      • Offline Offline
      • Gender: Male
      • Posts: 1545
      • aka 'i-imagine'
        • Home Page
      Re: Active Hyperlinks in Image Captions
      « Reply #2 on: June 17, 2009, 07:41:59 pm »

      When someone posted about hyperlinks being displayed in Comments  I looked around a little and found the function
      make_clickable in functions.inc.php. Like the SMF forum here it takes the text and converts it on output.
      Yesterday it started as a mod. and I found the plugin hook at the exact spot where I was modding the theme.

      At the moment I am assuming that the function might be called elsewhere and that there might be troubles with this if the links are too long or complex.

       Since I am about to repost with a version 1.1 that also affects images titles your  opinion is greatly appreciated.

      Joachim Müller

      • Dev Team member
      • Coppermine addict
      • ****
      • Offline Offline
      • Gender: Male
      • Posts: 47843
      • aka "GauGau"
        • gaugau.de
      Re: Active Hyperlinks in Image Captions
      « Reply #3 on: June 17, 2009, 08:54:49 pm »

      Let me rephrase: how do you make sure that the hyperlinks posted by visitors are not being abused. Did you read the announcement thread "cpg1.4.21 Security release - upgrade mandatory!" and the threads refered to in that thread? That announcement thread explains why bbcode parsing has been disabled for the tags [url] and [ i m g ]. Simply ignoring the vulnerability that lead to the release of cpg1.4.21 and re-enabling the [ u r l ] tag is silly and dangerous. So please answer my question: what have you done to make sure that the vulnerabilities do not apply any longer?
      Logged

      Joe Carver

      • Dev Team member
      • Coppermine addict
      • ****
      • Country: us
      • Offline Offline
      • Gender: Male
      • Posts: 1545
      • aka 'i-imagine'
        • Home Page
      Re: Active Hyperlinks in Image Captions
      « Reply #4 on: June 17, 2009, 09:08:00 pm »

      The links are not done via bbcode. The function make_clickable is also used in displayimage.php and themes.inc.php for the user name and for the comment display. (<!--Coppermine Photo Gallery 1.4.23 (stable)-->)

      Function make_clickable will add <a href=....... to input that leads with www , http., etc

      I assumed that input tagged with bbcode would be filtered by db_input.php to the point that this action/plugin would result in a non-functional link.

      As far as users abusing the availability of space to post bad/spam links, I take that now as a fact of life.....

      Is there any danger if Coppermine is accepting and then translating a link like this? http://forum.coppermine-gallery.net/   (the link was not wrapped with a url tag on posting)

      Joachim Müller

      • Dev Team member
      • Coppermine addict
      • ****
      • Offline Offline
      • Gender: Male
      • Posts: 47843
      • aka "GauGau"
        • gaugau.de
      Re: Active Hyperlinks in Image Captions
      « Reply #5 on: June 17, 2009, 09:15:47 pm »

      Is there any danger if Coppermine is accepting and then translating a link like this? http://forum.coppermine-gallery.net/   (the link was not wrapped with a url tag on posting)
      Yes, of course: that's why bbcode tags for links have been disabled. That's why I wanted you to read about the vulnerability. Your plugin is well-meant, but not acceptable, as it opens a serious security problem. Moving.

      @all: do not use this plugin
      Logged

      Joe Carver

      • Dev Team member
      • Coppermine addict
      • ****
      • Country: us
      • Offline Offline
      • Gender: Male
      • Posts: 1545
      • aka 'i-imagine'
        • Home Page
      Re: Active Hyperlinks in Image Captions
      « Reply #6 on: June 17, 2009, 09:24:53 pm »

      So if that is the case then is the default behavior of Coppermine as regards Comment input and display a risk for users? The plugin uses the exact same code with the same availability for user input unless I have missed something.

      Thanks

       

      phill104

      • Administrator
      • Coppermine addict
      • *****
      • Country: gb
      • Offline Offline
      • Gender: Male
      • Posts: 4885
        • Windsurf.me
      Re: Active Hyperlinks in Image Captions
      « Reply #7 on: June 17, 2009, 10:01:48 pm »

      You might have missed something. Links in comments have been disabled for some time now du to the security problem. See the thread Joachim linked to.
      Logged
      It is a mistake to think you can solve any major problems just with potatoes.

      Joe Carver

      • Dev Team member
      • Coppermine addict
      • ****
      • Country: us
      • Offline Offline
      • Gender: Male
      • Posts: 1545
      • aka 'i-imagine'
        • Home Page
      Re: Active Hyperlinks in Image Captions
      « Reply #8 on: June 17, 2009, 10:31:03 pm »

      @ Phil,

      I have just made this test - perhaps I am mistaken but it was possible to create an active link in a comment. If not, please inform.

      1) Coppermine Photo Gallery 1.4.23
      2) Classic theme (so it should run from themes.inc.php) no influences from anything other than SEF url and LightBox plugins. My plugin also removed. Also used clean copy of db_input.php (removing captcha mod.)
      3) Enter comment text such as www.coppermine-gallery.net - DO NOT USE BBCODE - just type www.....
      4) Text becomes clickable link

      This was touched on in this thread's exchange
      Yes, I just tried on your site, and I can leave a live link as a comment.  All I did was type www.google.com as my comment, and this was converted into a live link (I deleted the comment as requested).

      Graham

      That thread is where I got the idea for using the same function built into Coppermine. It is still there (the function, that is)

      (edited for clarity)
      The code in themes.inc.php is
      Code: [Select]
      $comment_body = make_clickable($row['msg_body']);
      make_clickable is in functions.inc.php

      Again - this does not use bbcode.
      « Last Edit: June 18, 2009, 01:41:04 am by i-imagine »
      Logged

      Joachim Müller

      • Dev Team member
      • Coppermine addict
      • ****
      • Offline Offline
      • Gender: Male
      • Posts: 47843
      • aka "GauGau"
        • gaugau.de
      Re: Active Hyperlinks in Image Captions
      « Reply #9 on: June 18, 2009, 09:22:39 am »

      I already told you that it's irrelevant how the link was generated. Do not allow your visitors to create links in one way or the other. The comments should indeed not be piped through make_clickable, that's true.
      Logged

      Joe Carver

      • Dev Team member
      • Coppermine addict
      • ****
      • Country: us
      • Offline Offline
      • Gender: Male
      • Posts: 1545
      • aka 'i-imagine'
        • Home Page
      Re: Active Hyperlinks in Image Captions
      « Reply #10 on: June 18, 2009, 01:24:54 pm »

      OK, a warning has now been posted to the announcement. No further updates will be made.

      [off topic] I now get the impression that comments should be turned off and/or that themes.inc.php should get
          a touch of modification until the next release unless there is a better alternative.

      The comments should indeed not be piped through make_clickable, that's true.

      [/off topic]

      Joachim Müller

      • Dev Team member
      • Coppermine addict
      • ****
      • Offline Offline
      • Gender: Male
      • Posts: 47843
      • aka "GauGau"
        • gaugau.de
      Re: Active Hyperlinks in Image Captions
      « Reply #11 on: June 18, 2009, 02:45:28 pm »

      Indeed: comments should be turned off.
      Logged

      Joe Carver

      • Dev Team member
      • Coppermine addict
      • ****
      • Country: us
      • Offline Offline
      • Gender: Male
      • Posts: 1545
      • aka 'i-imagine'
        • Home Page
      Re: Active Hyperlinks in Image Captions v1.3
      « Reply #12 on: September 30, 2009, 10:24:34 pm »

      Release of Version 1.3
      Maintenance - Security Release

        Changes in this version
        • Add filter for words that are specific to Coppermine files/actions
        • "delete", "edit", etc. are stripped from hyperlink, making it harmless
        • Re-package, re-name to Coppermine plugin standards


        Version 1.3 now attached to original post.
        « Last Edit: October 01, 2009, 05:57:37 pm by i-imagine »
        Logged
        Pages: [1]   Go Up
         

        Page created in 0.026 seconds with 20 queries.