
Textpattern CMS support forum


#13 2012-06-09 14:52:03

zero
Member
From: Lancashire
Registered: 2004-04-19
Posts: 1,470
Website

Re: Create images page with captions

It works very nicely, Oleg, and everybody. Your combined efforts and help are now summarised as a TXP Tip.

The cookie is simply used for passing the original thumbnail page to the Photos section so that, when moving through the images, the visitor can return directly to the original thumbs page from any point. The original thumbs page is one of many articles which just happen to have thumbs on them. The Photos page does not contain permanent images, so you can’t navigate the Photos section, you just get a blank page. It just displays images when adi_gps grabs them from the URL sent from a thumbs page.

etc_query looks like a great coder’s tool but for the likes of me, to whom most of this is rocket science, it’s a bit too advanced! But I’ll certainly keep it in mind when I need to do a bit of coding next time. Thanks again for the help and providing that very neat solution to my problem.


BB6 Band My band
Gud One My blog


#14 2012-06-09 15:21:26

Gocom
Developer Emeritus
From: Helsinki, Finland
Registered: 2006-07-14
Posts: 4,533
Website

Re: Create images page with captions

zero wrote:

It works very nicely, Oleg, and everybody. Your combined efforts and help are now summarised as a TXP Tip.

Nice, nice. There is just that tiny problem with that Tip and provided code. Security. Anyone using that will be in big danger.

That Tip just happens to have various security vulnerabilities, caused by missing escaping and sanitisation. Using the code basically allows an attacker to remotely inject and execute any server-side code on the server, giving the attacker full access to the server.

The main bad part I’m referring to is this, the back link mentioned in the tip:

<a href="<txp:php> echo $_SERVER['HTTP_REFERER'];</txp:php>">Back</a>

For example, one can send an HTTP request to the server that contains a referrer header populated with <txp:php> safe_delete('textpattern', '1=1'); </txp:php>. The server and Textpattern take the code and all the site’s articles are deleted. Even if the output was escaped, you are still adding something coming directly from the client to the page and using it as a link. What if the referrer points to a porn site or a payload?

Then there is this:

<txp:php>$expire=time()+60*60*1*1;$page_url = $_SERVER['REQUEST_URI'];
setcookie("richtea", $page_url, $expire,"/photos/","mysite.com");</txp:php>

Which does the same thing. It takes a value directly from the client and creates a cookie based on it. What if someone links to the page using ?asshole appended to the page’s real location? Well, now the user has a cookie on his system with an “asshole” in it.

Last edited by Gocom (2012-06-09 15:33:13)


#15 2012-06-09 15:29:33

zero
Member
From: Lancashire
Registered: 2004-04-19
Posts: 1,470
Website

Re: Create images page with captions

Aaarrrggghhhh! So how do I fix that, Jukka?


BB6 Band My band
Gud One My blog


#16 2012-06-09 15:52:55

Gocom
Developer Emeritus
From: Helsinki, Finland
Registered: 2006-07-14
Posts: 4,533
Website

Re: Create images page with captions

zero wrote:

Aaarrrggghhhh! So how do I fix that, Jukka?

I’ve updated my previous post (I suppose I’m one of those that never finishes their posts). There just are some practical issues with the thing; trusting and using information provided by client and all that.

The biggest issue, which is the remote injection, can be cured by running everything coming from the client, including HTTP headers such as the referrer (the back link), through htmlspecialchars() or the appropriate sanitizer for the situation.

As far as the previous page (referer) and landing page (the cookie’s request URI) go, I would try to find some other way of getting those values. By using the current image ID as the starting point for example, and then using that information to calculate the appropriate page locations, or something like that. Using information from the client directly isn’t a good idea. You can use it for comparisons and fetching stuff, but placing it directly in your page template is not a very good idea.
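As an added illustration of the two points above (this is not code from the thread, the Tip or Textpattern), the snippets criticised in post #14 rewritten so that client-supplied values are reduced to a validated path on the site itself before they go anywhere near a template or a cookie. The `$site_host` value and the `/photos/` fallback are assumed configuration, and the requests at the bottom are constructed.

```php
<?php
// Added example, not code from this thread or from Textpattern: hardening for the
// two snippets criticised in post #14. $site_host and the /photos/ fallback are
// assumed configuration values; the sample requests at the bottom are constructed.

/**
 * Reduce a client-supplied URL (Referer, REQUEST_URI) to a path on our own site.
 * Returns null unless the value is a relative path or an http(s) URL on $site_host;
 * off-site links, user info, query strings, fragments and non-URL junk are dropped.
 */
function site_local_path(string $url, string $site_host): ?string
{
    $parts = parse_url($url);
    if (!is_array($parts) || isset($parts['user']) || isset($parts['pass'])) {
        return null;
    }
    if (isset($parts['host'])) {                      // absolute URL: must be ours
        $scheme = strtolower($parts['scheme'] ?? '');
        if (!in_array($scheme, ['http', 'https'], true)
            || strcasecmp($parts['host'], $site_host) !== 0) {
            return null;
        }
    }
    $path = $parts['path'] ?? '/';
    // Plain path characters only; "<txp:php>", quotes and ".." never get through.
    if (!preg_match('#\A/[A-Za-z0-9_./-]*\z#', $path) || strpos($path, '..') !== false) {
        return null;
    }
    return $path;
}

/** Back link: a validated same-site referer or a fixed fallback, escaped for an attribute. */
function back_link_href(array $server, string $site_host, string $fallback = '/photos/'): string
{
    $path = site_local_path($server['HTTP_REFERER'] ?? '', $site_host);
    // Escaping stays even after validation: defence in depth costs nothing here.
    return htmlspecialchars($path ?? $fallback, ENT_QUOTES, 'UTF-8');
}

/** Cookie value for the originating thumbs page: validated path only, else no cookie. */
function thumbs_cookie_value(array $server, string $site_host): ?string
{
    return site_local_path($server['REQUEST_URI'] ?? '', $site_host);
}
$site = 'mysite.com';
$attack = ['HTTP_REFERER' => "<txp:php> safe_delete('textpattern', '1=1'); </txp:php>"];
echo back_link_href($attack, $site), "\n";
echo back_link_href(['HTTP_REFERER' => 'http://mysite.com/thumbs/holiday'], $site), "\n";
var_dump(thumbs_cookie_value(['REQUEST_URI' => '/thumbs/holiday?asshole'], $site));
```

The referer carrying the `<txp:php>` payload does not parse as a same-site path, so the fallback is emitted, and the `?asshole` query string is simply discarded before the path is stored in the cookie.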


#17 2012-06-09 16:13:38

colak
Admin
From: Cyprus
Registered: 2004-11-20
Posts: 9,011
Website GitHub Mastodon Twitter

Re: Create images page with captions

I’m not sure as to why one should use php there. Wouldn’t <a href="#" onclick="history.go(-1);return false;">Back</a> do the same thing? (Except on browsers that have disabled js… I know: )


Yiannis
——————————
NeMe | hblack.art | EMAP | A Sea change | Toolkit of Care
I do my best editing after I click on the submit button.


#18 2012-06-09 17:06:08

zero
Member
From: Lancashire
Registered: 2004-04-19
Posts: 1,470
Website

Re: Create images page with captions

Yiannis, your javascript just goes back to the last page, it doesn’t take me out of the gallery back to the thumbs page. That’s the trickiest bit, I think.

Jukka, thanks for the explanations. I’m sure I don’t fully understand yet, but I’ve reverted to using smd_lately (as in this ) to replace the photos page “thumbspage variable/cookie/back” combination and deleted the cookie from thumbs pages. Is there still a problem with adi_gps grabbing the variables from my thumbs page? Should I be escaping anything in there to prevent somebody passing some php along?


BB6 Band My band
Gud One My blog


#19 2012-06-09 17:27:41

Gocom
Developer Emeritus
From: Helsinki, Finland
Registered: 2006-07-14
Posts: 4,533
Website

Re: Create images page with captions

zero wrote:

Jukka, thanks for the explanations. I’m sure I don’t fully understand yet, but I’ve reverted to using smd_lately (as in this ) to replace the photos page “thumbspage variable/cookie/back” combination and deleted the cookie from thumbs pages. Is there still a problem with adi_gps grabbing the variables from my thumbs page? Should I be escaping anything in there to prevent somebody passing some php along?

Probably not, if the plugins do escaping correctly. Can’t comment on whether they do. I’m not familiar with smd_lately, so I can not say how well it works, or if it’s suitable. Most likely it is a good choice and secure.

But keep in mind that you should not use an IP to link any “private” or “sensitive” content to anyone. IPs are not permanent, unique or trustworthy. There is a chance that one can read somebody else’s history.

Last edited by Gocom (2012-06-09 17:29:21)


#20 2012-06-09 19:33:21

etc
Developer
Registered: 2010-11-11
Posts: 5,053
Website GitHub

Re: Create images page with captions

$_SESSION is probably a better option than $_COOKIE, but, as Jukka suggests, you’d rather find some client-independent solution. I personally know someone who disables cookies, referrers and javascript while surfing :-)


#21 2012-06-10 19:28:47

zero
Member
From: Lancashire
Registered: 2004-04-19
Posts: 1,470
Website

Re: Create images page with captions

I’ve updated the TXP Tip so the cookies are gone and smd_lately is used to leave the gallery and return to the originating thumbs page.

I’ve actually found an alternative method to smd_lately: I copied the URL-only title into the keywords field and used article_custom with the keywords filter (keywords='<txp:variable name="cat" />') and a form to link the site, section and url_title together. But this only works for me because my “cat” variables are the same as the url_title of the thumbs page. This will not be practical for most users, I should think, but smd_lately has the benefit of being a dev’s plugin, and therefore most probably secure and kept up-to-date, so, like Jukka says, I think it’s most likely a good choice.

A moral I’ve learned: a little knowledge is dangerous so wherever possible use a txp plugin or txp native tags!


BB6 Band My band
Gud One My blog

