Topic: [Fixed]: Selecting private pics as a category thumbnail.

Nibbler

  • Guest
[Fixed]: Selecting private pics as a category thumbnail.
« on: February 04, 2009, 11:42:21 pm »

See http://forum.coppermine-gallery.net/index.php/topic,56992.0.html

Code in question is index.php

Code:
                if ($subcat['thumb'] > 0) {
                    $sql = "SELECT filepath, filename, url_prefix, pwidth, pheight " . "FROM {$CONFIG['TABLE_PICTURES']} " . "WHERE pid='{$subcat['thumb']}'" . $pic_filter;
                    $result = cpg_db_query($sql);
                    if (mysql_num_rows($result)) {
                        $picture = mysql_fetch_array($result);
                        mysql_free_result($result);
                        $pic_url = get_pic_url($picture, 'thumb');
                        if (!is_image($picture['filename'])) {
                            $image_info = getimagesize(urldecode($pic_url));
                            $picture['pwidth'] = $image_info[0];
                            $picture['pheight'] = $image_info[1];
                        }
                        $image_size = compute_img_size($picture['pwidth'], $picture['pheight'], $CONFIG['alb_list_thumb_size']);
                        $user_thumb = "<img src=\"" . $pic_url . "\" class=\"image\" {$image_size['geom']} border=\"0\" alt=\"\" />";
                        $user_thumb = "<a href=\"index.php?cat={$subcat['cid']}\">" . $user_thumb . "</a>";
                    }
                } else {
                    $user_thumb = "";
                }

That mysql_num_rows() check needs an else for the case of the category thumbnail failing the permission check added by $pic_filter. As it is now, $user_thumb is kept around from the previous loop, and also gets indented each time.

I'm not sure if the real bug is being able to select such a thumbnail in the first place, but that's not readily fixable since permissions can of course be changed after the cat thumb is set.

I think we should either display no thumbnail or use the 'private icon', same as for albums.
« Last Edit: February 20, 2009, 12:15:24 am by Nibbler »
Logged

Joachim Müller

  • Dev Team member
Re: Selecting private pics as a category thumbnail.
« Reply #1 on: February 05, 2009, 07:32:30 am »

Quote: "I think we should either display no thumbnail or use the 'private icon', same as for albums."
I vote for option 1.
Logged

Nibbler

  • Guest
Re: Selecting private pics as a category thumbnail.
« Reply #2 on: February 20, 2009, 12:15:08 am »

Done.
Logged
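
The stale `$user_thumb` behaviour described in the first post, next to the "display no thumbnail" option voted for in the replies, as an added example that is not part of the thread or Coppermine's own code. The arrays and `fetch_visible_picture()` are constructed stand-ins for the pictures table and the query restricted by `$pic_filter`.

```php
<?php
// Constructed sample data: pid => picture row; 'private' stands in for rows
// that the $pic_filter permission clause would exclude for this visitor.
$pictures = [
    10 => ['url' => 'albums/public/thumb_a.jpg', 'private' => false],
    20 => ['url' => 'albums/secret/thumb_b.jpg', 'private' => true],
];
// Constructed category list; 'thumb' is the pid chosen as category thumbnail.
$subcats = [
    ['cid' => 1, 'thumb' => 10],
    ['cid' => 2, 'thumb' => 20], // thumbnail is private for this visitor
    ['cid' => 3, 'thumb' => 0],
];

// Hypothetical stand-in for the filtered SELECT: returns the row or null.
function fetch_visible_picture(array $pictures, int $pid): ?array
{
    $row = $pictures[$pid] ?? null;
    return ($row !== null && !$row['private']) ? $row : null;
}

function render_thumbs(array $subcats, array $pictures, bool $fixed): array
{
    $out = [];
    $user_thumb = '';
    foreach ($subcats as $subcat) {
        if ($subcat['thumb'] > 0) {
            $picture = fetch_visible_picture($pictures, $subcat['thumb']);
            if ($picture !== null) {
                $img = '<img src="' . htmlspecialchars($picture['url']) . '" alt="" />';
                $user_thumb = '<a href="index.php?cat=' . (int)$subcat['cid'] . '">' . $img . '</a>';
            } elseif ($fixed) {
                $user_thumb = ''; // the missing else: show no thumbnail
            }
            // Without that branch, $user_thumb still holds the previous row's markup.
        } else {
            $user_thumb = '';
        }
        $out[$subcat['cid']] = $user_thumb;
    }
    return $out;
}

$buggy = render_thumbs($subcats, $pictures, false);
$fixed = render_thumbs($subcats, $pictures, true);
echo "cat 2 before fix: ", $buggy[2] === '' ? '(none)' : $buggy[2], "\n";
echo "cat 2 after fix:  ", $fixed[2] === '' ? '(none)' : $fixed[2], "\n";
```

Resetting `$user_thumb` at the top of each loop iteration would close the same gap for any branch added later.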