Textpattern CMS support forum
#205 Yesterday 18:28:12
Re: Automatic thumbnails for Textpattern
One quick thing on the subject of directories: Handling upgrades.
The ‘thumb’ directory exists in the repo so anyone copying everything up will get it added. But if anyone has moved their images directory (I’ve been trying with mine in a subfolder) or doesn’t drag the images directory up to their webserver for fear of overwriting anything, the thumb subdirectory won’t be created. And it isn’t auto-created in code at the moment.
Should we? Like this? Is that safe enough?
The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.
Txp Builders – finely-crafted code, design and Txp
#206 Yesterday 18:55:46
Re: Automatic thumbnails for Textpattern
jakob wrote #341789:
I’ve only given it a quick whirl but when I delete the subfolders in the /thumbs/ directory, then revisit the pages, I get just the alt text for the images with a ?token. An image is generated though, and it appears on reload.
Me too, with Undefined array key "Orientation" on line 317 warning, which prevents thumbnails from being displayed by the browser.
#207 Yesterday 19:07:18
Re: Automatic thumbnails for Textpattern
Bloke wrote #341790:
Rendering the same image multiple times in a row generates a different token for each request now. They all still render perfectly fine, but on that particular request when they’re generated, the browser cache will be hit multiple times, once for each different token.
Not sure, but I don’t think browsers cache files on the first request, unless told so. But yes, a fixed token is more reliable.
As you suggest, can we get away with removing the call to the Token class altogether? i.e. just use the sha1() hash as the ‘token’ and recompute it in publish.php from the passed params for comparison? That would have the benefit of generating the same token for each identical request, which mitigates the above point. But is it too simplistic and easy to defeat by, I dunno, collecting a bunch of hashes and constructing a rainbow table or something?
I thought of password_hash()/password_verify() combo, but it generates random salts too. crypt(), perhaps?
But that new function runs on every request — public- and admin-side. It will only actually regenerate the token + lastmod value after the timeout occurs, so it’s only a quick check using stuff (prefs) that are already on-page so not too expensive, but is it better a different way?
That’s very fast and runs only once per access, I would not care.
How often do you think the token should be regenerated? Currently it’s about every 2 days. Longer?
One month, like txp cookies?
#208 Yesterday 19:07:53
Re: Automatic thumbnails for Textpattern
etc wrote #341794:
Me too, with Undefined array key "Orientation" on line 317 warning, which prevents thumbnails from being displayed by the browser.
#209 Yesterday 19:34:52
Re: Automatic thumbnails for Textpattern
etc wrote #341795:
crypt(), perhaps?
Yeah, I was looking at that too. It works. And it generates identical hashes for identical requests (good). Whether it’s faster, I don’t know. But it’s only 13 characters long, and always starts with the same two characters, so whether that’s secure enough as a token, hmmm. Doesn’t seem much hardship to spam the URL with every possible value until a hit is found (especially if we allow a month before expiry).
Although, if that does happen, it still only means an attacker can generate one image at one size, then have to do it all again to create another. The only possible problem might be if the various hash hits can lead to reverse engineering the thumb_secret value. Then it’s open season.
Last edited by Bloke (Yesterday 19:41:51)
#210 Yesterday 19:55:23
Re: Automatic thumbnails for Textpattern
Woot! It’s working again. And faster than ever. Well done … again!
TXP Builders – finely-crafted code, design and txp
#211 Yesterday 19:55:41
Re: Automatic thumbnails for Textpattern
:)
#212 Yesterday 19:56:51
Re: Automatic thumbnails for Textpattern
I’m tempted to stick with the tokenization we have. I can live with the fact that two identical thumbs get different tokens when each request is atomic anyway, and only used once.
#213 Yesterday 20:56:28
Re: Automatic thumbnails for Textpattern
Well, that was not perfect (yet). Now thumbnail tokens are immutable and used even for existing thumbnails. This way they are not loaded twice, from different URLs.
#214 Yesterday 20:58:19
Re: Automatic thumbnails for Textpattern
Bah. Is it easily fixable?
I probably screwed something up, cos it was definitely loading them without tokens on refresh when I last checked.
#215 Yesterday 21:18:25
Re: Automatic thumbnails for Textpattern
Are you sure the page was not loaded from cache? Just in case, what does dmp(hash_hmac('sha256', 'hello', 'world')); give?
Offline
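The deterministic-token idea discussed in posts #207 and #209, with the hash_hmac() call from #215, as an added example that is not part of any post in this thread and is not Textpattern's own code. The function names, the id/w/h/c parameter names and the secret value are hypothetical; the last part shows the traditional two-character-salt crypt() properties that #209 worries about.

```php
<?php
// Added example: thumb_token(), thumb_token_valid() and the id/w/h/c
// parameter names are hypothetical, not Textpattern's API.

function thumb_token(array $params, string $secret): string
{
    // Canonical form: sort keys so the same request always yields the same
    // string, whatever order the parameters arrived in.
    ksort($params);
    $canonical = http_build_query($params);

    // Keyed MAC over the parameters: 64 hex characters, identical for
    // identical requests, not computable without the secret.
    return hash_hmac('sha256', $canonical, $secret);
}

function thumb_token_valid(array $params, string $token, string $secret): bool
{
    // Recompute from the passed params (as publish.php would) and compare
    // in constant time.
    return hash_equals(thumb_token($params, $secret), $token);
}

$secret = 'constructed-stand-in-for-thumb_secret';   // constructed value
$req    = ['id' => 42, 'w' => 300, 'h' => 200, 'c' => 1];
$token  = thumb_token($req, $secret);

// Same request with keys in another order: the token is unchanged.
var_dump($token === thumb_token(['c' => 1, 'h' => 200, 'w' => 300, 'id' => 42], $secret));

// Untouched request verifies; a request with the width altered does not.
var_dump(thumb_token_valid($req, $token, $secret));
var_dump(thumb_token_valid(['w' => 3000] + $req, $token, $secret));

// Traditional DES crypt() with a two-character salt: the result is 13
// characters, the salt is echoed as its first two, and only the first
// 8 bytes of the input are used. Both strings below share 'id=42&w=',
// so the differing sizes after it do not change the result.
$a = crypt('id=42&w=300&h=200', 'tx');
$b = crypt('id=42&w=9999&h=9999', 'tx');
var_dump(strlen($a), substr($a, 0, 2), $a === $b);
```

Run it with the PHP CLI. Because the HMAC token depends only on the parameters and the secret, it is stable across requests, and it changes for every thumbnail whenever the secret is rotated.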
#216 Yesterday 21:52:09
Re: Automatic thumbnails for Textpattern
Who knows? Maybe.
If you’ve got time to look at it, that would be ace.