Advanced search  

News:

cpg1.5.48 Security release - upgrade mandatory!
The Coppermine development team is releasing a security update for Coppermine in order to counter a recently discovered vulnerability. It is important that all users who run version cpg1.5.46 or older update to this latest version as soon as possible.
[more]

Pages: [1]   Go Down

Author Topic: No News?  (Read 4515 times)

0 Members and 1 Guest are viewing this topic.

sah62

  • Coppermine newbie
  • Country: us
  • Offline Offline
  • Gender: Male
  • Posts: 19
    • Mustang 428 Cobra Jet Registry
No News?
« on: February 05, 2016, 03:08:50 am »

I'm not seeing any Coppermine project news in my gallery's news header. Is the source feed not working, or is something broken with my installation?
Logged

Αndré

  • Administrator
  • Coppermine addict
  • *****
  • Country: de
  • Offline Offline
  • Gender: Male
  • Posts: 15765
Re: No News?
« Reply #1 on: February 05, 2016, 08:57:33 am »

Works as expected in my gallery.
Logged

sah62

  • Coppermine newbie
  • Country: us
  • Offline Offline
  • Gender: Male
  • Posts: 19
    • Mustang 428 Cobra Jet Registry
Re: No News?
« Reply #2 on: February 05, 2016, 11:53:04 am »

So you're currently not seeing any news either?
Logged

Αndré

  • Administrator
  • Coppermine addict
  • *****
  • Country: de
  • Offline Offline
  • Gender: Male
  • Posts: 15765
Re: No News?
« Reply #3 on: February 05, 2016, 11:57:45 am »

I can see the news in my gallery. What's displayed for you if you open that page: http://coppermine-gallery.net/cpg15x_news.htm ? It should display:
Quote
    2015-11-18: cpg1.5.40 has been released. It's a maintenance release which fixes various issues.
    2015-08-13: cpg1.5.38 has been released. It's a maintenance release which fixes various issues.
    2015-05-07: cpg1.5.36 has been released. It's a security update for Coppermine in order to counter a recently discovered vulnerability. It is important that all users who run version cpg1.5.34 or older update to this latest version as soon as possible.
Logged

sah62

  • Coppermine newbie
  • Country: us
  • Offline Offline
  • Gender: Male
  • Posts: 19
    • Mustang 428 Cobra Jet Registry
Re: No News?
« Reply #4 on: February 05, 2016, 04:47:56 pm »

Yes, I can see that when retrieving the HTMl file directly. Looking at the source code, though, I see this:

Code: [Select]
        // Try to retrieve the news directly
        //$result = cpgGetRemoteFileByURL('http://coppermine-gallery.net/cpg15x_news.htm', 'GET', '', '200'); // disabled, see http://forum.coppermine-gallery.net/index.php/topic,65424.msg325573.html#msg325573

        if (strlen($result['body']) < 200) { // retrieving the file failed - let's display it in an iframe then
            print <<< EOT
                      <iframe src="http://coppermine-gallery.net/cpg15x_news.htm" align="left" frameborder="0" scrolling="auto" marginheight="0" marginwidth="0" width="100%" height="100" name="coppermine_news" id="coppermine_news" class="textinput">
                        {$lang_version_alert['no_iframe']}
                      </iframe>
EOT;
        } else { // we have been able to retrieve the remote URL, let's chop the unneeded data and then display it
            unset($result['headers']);
            unset($result['error']);
            // drop everything before the starting body-tag
            //$result['body'] = substr($result['body'], strpos($result['body'], '<body>'));
            $result['body'] = strstr($result['body'], '<body>');
            // drop the starting body tag itself
            $result['body'] = str_replace('<body>', '', $result['body']);
            // drop the ending body tag and everything after it
            $result['body'] = str_replace(strstr($result['body'], '</body>'), '', $result['body']);
            // The result should now contain everything between the body tags - let's print it
            print $result['body'];
        }

Notice that "$result = cpgGetRemoteFileByURL" is commented out. I uncommented that line and now the news appears as it should.
Logged

Αndré

  • Administrator
  • Coppermine addict
  • *****
  • Country: de
  • Offline Offline
  • Gender: Male
  • Posts: 15765
Re: No News?
« Reply #5 on: February 05, 2016, 05:42:07 pm »

Please note the additional comment:
Quote
// disabled, see http://forum.coppermine-gallery.net/index.php/topic,65424.msg325573.html#msg325573
Logged

sah62

  • Coppermine newbie
  • Country: us
  • Offline Offline
  • Gender: Male
  • Posts: 19
    • Mustang 428 Cobra Jet Registry
Re: No News?
« Reply #6 on: February 05, 2016, 06:10:29 pm »

I saw that. How does the value of $result and $result['body'] get set without the call to cpgGetRemoteFileByURL() being made? There are no other assignments to that variable in function cpg_alert_dev_version() prior to the line that was commented out.
Logged

sah62

  • Coppermine newbie
  • Country: us
  • Offline Offline
  • Gender: Male
  • Posts: 19
    • Mustang 428 Cobra Jet Registry
Re: No News?
« Reply #7 on: February 05, 2016, 06:26:57 pm »

I think I see what's going on here. I commented out that line again and loaded my gallery into the latest versions of Chrome and Firefox. In each case the news was missing, and in each case I see this in the HTML source:

Quote
Your browser cannot display inline frames

It seems to work just fine with IE 11. Anyway, it looks like an issue with the way some browsers display iframes.
Logged

sah62

  • Coppermine newbie
  • Country: us
  • Offline Offline
  • Gender: Male
  • Posts: 19
    • Mustang 428 Cobra Jet Registry
Re: No News?
« Reply #8 on: February 05, 2016, 08:15:19 pm »

Even more info: I use TLS and https for my gallery. The URL in the source code (http://coppermine-gallery.net/cpg15x_news.htm) uses http, not https, and some browsers will block "insecure" or mixed content if the site uses TLS.

Possible fixes (probably not a complete list):

Remove the code comment as I noted above. This might not be optimal for reasons noted in the thread described above, but it causes the code to parse the news information and render it without using an iframe.

Add support for TLS/https to coppermine-gallery.net and modify the code to recognize when the source for the iframe should also use TLS/https.

Use a browser that doesn't omit mixed content. This has security implications, though.

Anyway, I hope this helps anyone who runs into the same issue.
Logged

Αndré

  • Administrator
  • Coppermine addict
  • *****
  • Country: de
  • Offline Offline
  • Gender: Male
  • Posts: 15765
Re: No News?
« Reply #9 on: February 08, 2016, 11:39:00 am »

Thanks for your effort. IMHO the only option is:
Add support for TLS/https to coppermine-gallery.net and modify the code to recognize when the source for the iframe should also use TLS/https.

I'll see what we can do.
Logged
Pages: [1]   Go Up
 

Page created in 0.022 seconds with 20 queries.