forum.coppermine-gallery.net
Support => cpg1.4 plugins => cpg1.4.x Support => Older/other versions => cpg1.4 plugin contributions => Topic started by: Joe Carver on June 17, 2009, 04:25:59 pm
-
This plugin will allow users to add active hyperlinks in the Image Caption/Description field. The function make_clickable that is built into Coppermine is used to create the output of an active hyperlink. This is the same function used when Comments (with hyperlinks) are displayed.
Just enter the text of the hyperlink as a "www" or "http://" into the Image Description field. It will then be active and clickable when the image is displayed.
Examples to use
- http://coppermine-gallery.net/
- www.coppermine-gallery.net/
- http://www.coppermine-gallery.net/
- DO NOT use bbcode [ u r l ]
- DO NOT use bbcode [ i m g ]
++++++
This can be an alternative for users who miss the bbcode links from older versions of Coppermine. This does not depend on bbcode at all. If you use bbcode [ u r l ] the link + plugin will not work (or be seen either!)
++++++
The attached .zip(s) have revisions 1.2 - 1.3. Reports are welcome. Support will be very limited.
Notes:
- Words like "delete", "edit", etc will be stripped from the caption and hyperlink
- Very long or complex URL's might not show
- You cannot change the text showing the hyperlink
- this is different than bbcode!
++++++
- Version 1.2 - Recommended for single user galleries only
Warning - Use at your own risk - see below - Version 1.2
- Version 1.3 is recommended for most users
++++++
To add hyperlinks in Image Titles - Version 1.2 ONLY has the option. Edit codebase.php where shown in the code and also shown in readme.txt file.
-
How did you circumvent the issues that lead to bbcode [ u r l ] getting disabled for security reasons?
-
When someone posted about hyperlinks being displayed in Comments I looked around a little and found the function
make_clickable in functions.inc.php. Like the SMF forum here it takes the text and converts it on output.
Yesterday it started as a mod. and I found the plugin hook at the exact spot where I was modding the theme.
At the moment I am assuming that the function might be called elsewhere and that there might be troubles with this if the links are too long or complex.
Since I am about to repost with a version 1.1 that also affects images titles your opinion is greatly appreciated.
-
Let me rephrase: how do you make sure that the hyperlinks posted by visitors are not being abused. Did you read the announcement thread "cpg1.4.21 Security release - upgrade mandatory! (http://forum.coppermine-gallery.net/index.php/topic,58309.0.html)" and the threads refered to in that thread? That announcement thread explains why bbcode parsing has been disabled for the tags [url] and [ i m g ]. Simply ignoring the vulnerability that lead to the release of cpg1.4.21 and re-enabling the [ u r l ] tag is silly and dangerous. So please answer my question: what have you done to make sure that the vulnerabilities do not apply any longer?
-
The links are not done via bbcode. The function make_clickable is also used in displayimage.php and themes.inc.php for the user name and for the comment display. (<!--Coppermine Photo Gallery 1.4.23 (stable)-->)
Function make_clickable will add <a href=....... to input that leads with www , http., etc
I assumed that input tagged with bbcode would be filtered by db_input.php to the point that this action/plugin would result in a non-functional link.
As far as users abusing the availability of space to post bad/spam links, I take that now as a fact of life.....
Is there any danger if Coppermine is accepting and then translating a link like this? http://forum.coppermine-gallery.net/ (the link was not wrapped with a url tag on posting)
-
Is there any danger if Coppermine is accepting and then translating a link like this? http://forum.coppermine-gallery.net/ (the link was not wrapped with a url tag on posting)
Yes, of course: that's why bbcode tags for links have been disabled. That's why I wanted you to read about the vulnerability. Your plugin is well-meant, but not acceptable, as it opens a serious security problem. Moving.
@all: do not use this plugin
-
So if that is the case then is the default behavior of Coppermine as regards Comment input and display a risk for users? The plugin uses the exact same code with the same availability for user input unless I have missed something.
Thanks
-
You might have missed something. Links in comments have been disabled for some time now du to the security problem. See the thread Joachim linked to.
-
@ Phil,
I have just made this test - perhaps I am mistaken but it was possible to create an active link in a comment. If not, please inform.
1) Coppermine Photo Gallery 1.4.23
2) Classic theme (so it should run from themes.inc.php) no influences from anything other than SEF url and LightBox plugins. My plugin also removed. Also used clean copy of db_input.php (removing captcha mod.)
3) Enter comment text such as www.coppermine-gallery.net - DO NOT USE BBCODE - just type www.....
4) Text becomes clickable link
This was touched on in this thread's exchange
Yes, I just tried on your site, and I can leave a live link as a comment. All I did was type www.google.com as my comment, and this was converted into a live link (I deleted the comment as requested).
Graham
That thread is where I got the idea for using the same function built into Coppermine. It is still there (the function, that is)
(edited for clarity)
The code in themes.inc.php is
$comment_body = make_clickable($row['msg_body']);
make_clickable is in functions.inc.php
Again - this does not use bbcode.
-
I already told you that it's irrelevant how the link was generated. Do not allow your visitors to create links in one way or the other. The comments should indeed not be piped through make_clickable, that's true.
-
OK, a warning has now been posted to the announcement. No further updates will be made.
[off topic] I now get the impression that comments should be turned off and/or that themes.inc.php should get
a touch of modification until the next release unless there is a better alternative.
The comments should indeed not be piped through make_clickable, that's true.
[/off topic]
-
Indeed: comments should be turned off.
-
Release of Version 1.3
Maintenance - Security Release
Changes in this version
- Add filter for words that are specific to Coppermine files/actions
- "delete", "edit", etc. are stripped from hyperlink, making it harmless
- Re-package, re-name to Coppermine plugin standards
Version 1.3 now attached to original post.