Changeset 537421
- Timestamp:
- 04/27/2012 05:57:48 PM (14 years ago)
- Location:
- user-avatar/trunk
- Files:
-
- 3 edited
-
readme.txt (modified) (1 diff)
-
user-avatar-pic.php (modified) (25 diffs)
-
user-avatar.php (modified) (1 diff)
user-avatar/trunk/readme.txt
r505653 r537421 36 36 37 37 == Changelog == 38 = 1.4.8 = 39 * updated to the latest version of the timthumb 2.8.10 40 38 41 = 1.4.7 = 39 42 SECURITY FIX -
user-avatar/trunk/user-avatar-pic.php
r444447 r537421 10 10 * Examples and documentation available on the project homepage 11 11 * http://www.binarymoon.co.uk/projects/timthumb/ 12 * 13 * $Rev$ 12 14 */ 13 15 14 16 /* 15 -----TimThumb CONFIGURATION----- 16 You can either edit the configuration variables manually here, or you can 17 create a file called timthumb-config.php and define variables you want 18 to customize in there. It will automatically be loaded by timthumb. 19 This will save you having to re-edit these variables everytime you download 20 a new version of timthumb. 21 17 * --- TimThumb CONFIGURATION --- 18 * To edit the configs it is best to create a file called timthumb-config.php 19 * and define variables you want to customize in there. It will automatically be 20 * loaded by timthumb. This will save you having to re-edit these variables 21 * everytime you download a new version 22 22 */ 23 define ('VERSION', '2.8 ');// Version of this script24 //Load a config file if it exists. Otherwise, use the values below .25 if( file_exists( 'timthumb-config.php'))require_once('timthumb-config.php');26 if(! defined( 'DEBUG_ON' ) ) define ('DEBUG_ON', false);// Enable debug logging to web server error log (STDERR)27 if(! defined('DEBUG_LEVEL') ) define ('DEBUG_LEVEL', 1);// Debug level 1 is less noisy and 3 is the most noisy28 if(! defined('MEMORY_LIMIT') ) define ('MEMORY_LIMIT', '30M');// Set PHP memory limit29 if(! defined('BLOCK_EXTERNAL_LEECHERS') ) define ('BLOCK_EXTERNAL_LEECHERS', false); // If the image or webshot is being loaded on an external site, display a red "No Hotlinking" gif.23 define ('VERSION', '2.8.10'); // Version of this script 24 //Load a config file if it exists. Otherwise, use the values below 25 if( file_exists(dirname(__FILE__) . '/timthumb-config.php')) require_once('timthumb-config.php'); 26 if(! defined('DEBUG_ON') ) define ('DEBUG_ON', false); // Enable debug logging to web server error log (STDERR) 27 if(! 
defined('DEBUG_LEVEL') ) define ('DEBUG_LEVEL', 1); // Debug level 1 is less noisy and 3 is the most noisy 28 if(! defined('MEMORY_LIMIT') ) define ('MEMORY_LIMIT', '30M'); // Set PHP memory limit 29 if(! defined('BLOCK_EXTERNAL_LEECHERS') ) define ('BLOCK_EXTERNAL_LEECHERS', false); // If the image or webshot is being loaded on an external site, display a red "No Hotlinking" gif. 30 30 31 31 //Image fetching and caching 32 if(! defined('ALLOW_EXTERNAL') ) define ('ALLOW_EXTERNAL', TRUE);// Allow image fetching from external websites. Will check against ALLOWED_SITES if ALLOW_ALL_EXTERNAL_SITES is false33 if(! defined('ALLOW_ALL_EXTERNAL_SITES') ) define ('ALLOW_ALL_EXTERNAL_SITES', false); // Less secure.34 if(! defined('FILE_CACHE_ENABLED') ) define ('FILE_CACHE_ENABLED', TRUE); // Should we store resized/modified images on disk to speed things up?32 if(! defined('ALLOW_EXTERNAL') ) define ('ALLOW_EXTERNAL', TRUE); // Allow image fetching from external websites. Will check against ALLOWED_SITES if ALLOW_ALL_EXTERNAL_SITES is false 33 if(! defined('ALLOW_ALL_EXTERNAL_SITES') ) define ('ALLOW_ALL_EXTERNAL_SITES', false); // Less secure. 34 if(! defined('FILE_CACHE_ENABLED') ) define ('FILE_CACHE_ENABLED', TRUE); // Should we store resized/modified images on disk to speed things up? 35 35 if(! defined('FILE_CACHE_TIME_BETWEEN_CLEANS')) define ('FILE_CACHE_TIME_BETWEEN_CLEANS', 86400); // How often the cache is cleaned 36 if(! defined('FILE_CACHE_MAX_FILE_AGE') ) define ('FILE_CACHE_MAX_FILE_AGE', 86400); // How old does a file have to be to be deleted from the cache 37 if(! defined('FILE_CACHE_SUFFIX') ) define ('FILE_CACHE_SUFFIX', '.timthumb.txt'); // What to put at the end of all files in the cache directory so we can identify them 38 if(! defined('FILE_CACHE_DIRECTORY') ) define ('FILE_CACHE_DIRECTORY', './cache'); // Directory where images are cached. Left blank it will use the system temporary directory (which is better for security) 39 if(! 
defined('MAX_FILE_SIZE') ) define ('MAX_FILE_SIZE', 10485760); // 10 Megs is 10485760. This is the max internal or external file size that we'll process. 40 if(! defined('CURL_TIMEOUT') ) define ('CURL_TIMEOUT', 20); // Timeout duration for Curl. This only applies if you have Curl installed and aren't using PHP's default URL fetching mechanism. 41 if(! defined('WAIT_BETWEEN_FETCH_ERRORS') ) define ('WAIT_BETWEEN_FETCH_ERRORS', 3600); //Time to wait between errors fetching remote file 36 37 if(! defined('FILE_CACHE_MAX_FILE_AGE') ) define ('FILE_CACHE_MAX_FILE_AGE', 86400); // How old does a file have to be to be deleted from the cache 38 if(! defined('FILE_CACHE_SUFFIX') ) define ('FILE_CACHE_SUFFIX', '.timthumb.txt'); // What to put at the end of all files in the cache directory so we can identify them 39 if(! defined('FILE_CACHE_PREFIX') ) define ('FILE_CACHE_PREFIX', 'timthumb'); // What to put at the beg of all files in the cache directory so we can identify them 40 if(! defined('FILE_CACHE_DIRECTORY') ) define ('FILE_CACHE_DIRECTORY', './cache'); // Directory where images are cached. Left blank it will use the system temporary directory (which is better for security) 41 if(! defined('MAX_FILE_SIZE') ) define ('MAX_FILE_SIZE', 10485760); // 10 Megs is 10485760. This is the max internal or external file size that we'll process. 42 if(! defined('CURL_TIMEOUT') ) define ('CURL_TIMEOUT', 20); // Timeout duration for Curl. This only applies if you have Curl installed and aren't using PHP's default URL fetching mechanism. 43 if(! defined('WAIT_BETWEEN_FETCH_ERRORS') ) define ('WAIT_BETWEEN_FETCH_ERRORS', 3600); //Time to wait between errors fetching remote file 44 42 45 //Browser caching 43 if(! defined('BROWSER_CACHE_MAX_AGE') ) define ('BROWSER_CACHE_MAX_AGE', 864000); // Time to cache in the browser44 if(! defined('BROWSER_CACHE_DISABLE') ) define ('BROWSER_CACHE_DISABLE', false); // Use for testing if you want to disable all browser caching46 if(! 
defined('BROWSER_CACHE_MAX_AGE') ) define ('BROWSER_CACHE_MAX_AGE', 864000); // Time to cache in the browser 47 if(! defined('BROWSER_CACHE_DISABLE') ) define ('BROWSER_CACHE_DISABLE', false); // Use for testing if you want to disable all browser caching 45 48 46 49 //Image size and defaults 47 if(! defined('MAX_WIDTH') ) define ('MAX_WIDTH', 1500); // Maximum image width 48 if(! defined('MAX_HEIGHT') ) define ('MAX_HEIGHT', 1500); // Maximum image height 49 if(! defined('NOT_FOUND_IMAGE') ) define ('NOT_FOUND_IMAGE', ''); //Image to serve if any 404 occurs 50 if(! defined('ERROR_IMAGE') ) define ('ERROR_IMAGE', ''); //Image to serve if an error occurs instead of showing error message 50 if(! defined('MAX_WIDTH') ) define ('MAX_WIDTH', 1500); // Maximum image width 51 if(! defined('MAX_HEIGHT') ) define ('MAX_HEIGHT', 1500); // Maximum image height 52 if(! defined('NOT_FOUND_IMAGE') ) define ('NOT_FOUND_IMAGE', ''); // Image to serve if any 404 occurs 53 if(! defined('ERROR_IMAGE') ) define ('ERROR_IMAGE', ''); // Image to serve if an error occurs instead of showing error message 54 if(! defined('PNG_IS_TRANSPARENT') ) define ('PNG_IS_TRANSPARENT', FALSE); //42 Define if a png image should have a transparent background color. Use False value if you want to display a custom coloured canvas_colour 55 if(! defined('DEFAULT_Q') ) define ('DEFAULT_Q', 90); // Default image quality. Allows overrid in timthumb-config.php 56 if(! defined('DEFAULT_ZC') ) define ('DEFAULT_ZC', 1); // Default zoom/crop setting. Allows overrid in timthumb-config.php 57 if(! defined('DEFAULT_F') ) define ('DEFAULT_F', ''); // Default image filters. Allows overrid in timthumb-config.php 58 if(! defined('DEFAULT_S') ) define ('DEFAULT_S', 0); // Default sharpen value. Allows overrid in timthumb-config.php 59 if(! defined('DEFAULT_CC') ) define ('DEFAULT_CC', 'ffffff'); // Default canvas colour. 
Allows overrid in timthumb-config.php 60 51 61 52 62 //Image compression is enabled if either of these point to valid paths … … 115 125 if(! isset($ALLOWED_SITES)){ 116 126 $ALLOWED_SITES = array ( 117 'flickr.com', 118 'picasa.com', 119 'img.youtube.com', 120 'upload.wikimedia.org', 121 'photobucket.com', 122 'imgur.com', 123 'imageshack.us', 124 'tinypic.com' 127 'flickr.com', 128 'staticflickr.com', 129 'picasa.com', 130 'img.youtube.com', 131 'upload.wikimedia.org', 132 'photobucket.com', 133 'imgur.com', 134 'imageshack.us', 135 'tinypic.com', 125 136 ); 126 137 } … … 188 199 $this->cacheDirectory = FILE_CACHE_DIRECTORY; 189 200 if (!touch($this->cacheDirectory . '/index.html')) { 190 $this->error("Could not e create the index.html file.");201 $this->error("Could not create the index.html file - to fix this create an empty file named index.html file in the cache directory."); 191 202 } 192 203 } else { … … 199 210 $this->src = $this->param('src'); 200 211 $this->url = parse_url($this->src); 212 $this->src = preg_replace('/https?:\/\/(?:www\.)?' . $this->myHost . '/i', '', $this->src); 213 201 214 if(strlen($this->src) <= 3){ 202 215 $this->error("No image specified"); … … 216 229 exit(0); 217 230 } 218 if(preg_match('/https?:\/\/(?:www\.)?' . $this->myHost . '(?:$|\/)/i', $this->src)){219 $this->src = preg_replace('/https?:\/\/(?:www\.)?' . $this->myHost . '/i', '', $this->src);220 }221 231 if(preg_match('/^https?:\/\/[^\/]+/i', $this->src)){ 222 232 $this->debug(2, "Is a request for an external URL: " . $this->src); … … 236 246 $allowed = false; 237 247 foreach($ALLOWED_SITES as $site){ 238 if ( preg_match ('/(?:^|\.)' . $site . 
'$/i', $this->url['host'])) {248 if ((strtolower(substr($this->url['host'],-strlen($site)-1)) === strtolower(".$site")) || (strtolower($this->url['host'])===strtolower($site))) { 239 249 $this->debug(3, "URL hostname {$this->url['host']} matches $site so allowing."); 240 250 $allowed = true; … … 247 257 } 248 258 249 $cachePrefix = ($this->isURL ? ' timthumb_ext_' : 'timthumb_int_');259 $cachePrefix = ($this->isURL ? '_ext_' : '_int_'); 250 260 if($this->isURL){ 251 $this->cachefile = $this->cacheDirectory . '/' . $cachePrefix . md5($this->salt . $_SERVER ['QUERY_STRING'] . $this->fileCacheVersion) . FILE_CACHE_SUFFIX; 261 $arr = explode('&', $_SERVER ['QUERY_STRING']); 262 asort($arr); 263 $this->cachefile = $this->cacheDirectory . '/' . FILE_CACHE_PREFIX . $cachePrefix . md5($this->salt . implode('', $arr) . $this->fileCacheVersion) . FILE_CACHE_SUFFIX; 252 264 } else { 253 265 $this->localImage = $this->getLocalImagePath($this->src); … … 261 273 $this->localImageMTime = @filemtime($this->localImage); 262 274 //We include the mtime of the local file in case in changes on disk. 263 $this->cachefile = $this->cacheDirectory . '/' . $cachePrefix . md5($this->salt . $this->localImageMTime . $_SERVER ['QUERY_STRING'] . $this->fileCacheVersion) . FILE_CACHE_SUFFIX;275 $this->cachefile = $this->cacheDirectory . '/' . FILE_CACHE_PREFIX . $cachePrefix . md5($this->salt . $this->localImageMTime . $_SERVER ['QUERY_STRING'] . $this->fileCacheVersion) . FILE_CACHE_SUFFIX; 264 276 } 265 277 $this->debug(2, "Cache file is: " . $this->cachefile); … … 315 327 } 316 328 } 317 318 329 $this->serveErrors(); 319 330 exit(0); … … 405 416 } 406 417 protected function serveErrors(){ 418 header ($_SERVER['SERVER_PROTOCOL'] . ' 400 Bad Request'); 407 419 $html = '<ul>'; 408 420 foreach($this->errors as $err){ … … 410 422 } 411 423 $html .= '</ul>'; 412 header ($_SERVER['SERVER_PROTOCOL'] . 
' 400 Bad Request');413 424 echo '<h1>A TimThumb error has occured</h1>The following error(s) occured:<br />' . $html . '<br />'; 414 425 echo '<br />Query String : ' . htmlentities ($_SERVER['QUERY_STRING']); … … 439 450 } 440 451 protected function cleanCache(){ 452 if (FILE_CACHE_TIME_BETWEEN_CLEANS < 0) { 453 return; 454 } 441 455 $this->debug(3, "cleanCache() called"); 442 456 $lastCleanFile = $this->cacheDirectory . '/timthumb_cacheLastCleanTime.touch'; … … 446 460 $this->debug(1, "File tracking last clean doesn't exist. Creating $lastCleanFile"); 447 461 if (!touch($lastCleanFile)) { 448 $this->error("Could not ecreate cache clean timestamp file.");462 $this->error("Could not create cache clean timestamp file."); 449 463 } 450 464 return; … … 454 468 // Very slight race condition here, but worst case we'll have 2 or 3 servers cleaning the cache simultaneously once a day. 455 469 if (!touch($lastCleanFile)) { 456 $this->error("Could not ecreate cache clean timestamp file.");470 $this->error("Could not create cache clean timestamp file."); 457 471 } 458 472 $files = glob($this->cacheDirectory . '/*' . FILE_CACHE_SUFFIX); 459 $timeAgo = time() - FILE_CACHE_MAX_FILE_AGE; 460 foreach($files as $file){ 461 if(@filemtime($file) < $timeAgo){ 462 $this->debug(3, "Deleting cache file $file older than max age: " . FILE_CACHE_MAX_FILE_AGE . " seconds"); 463 @unlink($file); 473 if ($files) { 474 $timeAgo = time() - FILE_CACHE_MAX_FILE_AGE; 475 foreach($files as $file){ 476 if(@filemtime($file) < $timeAgo){ 477 $this->debug(3, "Deleting cache file $file older than max age: " . FILE_CACHE_MAX_FILE_AGE . 
" seconds"); 478 @unlink($file); 479 } 464 480 } 465 481 } … … 500 516 } 501 517 502 // get standard input properties 518 // get standard input properties 503 519 $new_width = (int) abs ($this->param('w', 0)); 504 520 $new_height = (int) abs ($this->param('h', 0)); 505 $zoom_crop = (int) $this->param('zc', 1);506 $quality = (int) abs ($this->param('q', 90));521 $zoom_crop = (int) $this->param('zc', DEFAULT_ZC); 522 $quality = (int) abs ($this->param('q', DEFAULT_Q)); 507 523 $align = $this->cropTop ? 't' : $this->param('a', 'c'); 508 $filters = $this->param('f', ''); 509 $sharpen = (bool) $this->param('s', 0); 510 $canvas_color = $this->param('cc', 'ffffff'); 524 $filters = $this->param('f', DEFAULT_F); 525 $sharpen = (bool) $this->param('s', DEFAULT_S); 526 $canvas_color = $this->param('cc', DEFAULT_CC); 527 $canvas_trans = (bool) $this->param('ct', '1'); 511 528 512 529 // set default width and height if neither are set already … … 559 576 imagealphablending ($canvas, false); 560 577 561 if (strlen ($canvas_color) < 6) { 562 $canvas_color = 'ffffff'; 563 } 578 if (strlen($canvas_color) == 3) { //if is 3-char notation, edit string into 6-char notation 579 $canvas_color = str_repeat(substr($canvas_color, 0, 1), 2) . str_repeat(substr($canvas_color, 1, 1), 2) . 
str_repeat(substr($canvas_color, 2, 1), 2); 580 } else if (strlen($canvas_color) != 6) { 581 $canvas_color = DEFAULT_CC; // on error return default canvas color 582 } 564 583 565 584 $canvas_color_R = hexdec (substr ($canvas_color, 0, 2)); 566 585 $canvas_color_G = hexdec (substr ($canvas_color, 2, 2)); 567 $canvas_color_B = hexdec (substr ($canvas_color, 2, 2));586 $canvas_color_B = hexdec (substr ($canvas_color, 4, 2)); 568 587 569 588 // Create a new transparent color for image 570 $color = imagecolorallocatealpha ($canvas, $canvas_color_R, $canvas_color_G, $canvas_color_B, 127); 589 // If is a png and PNG_IS_TRANSPARENT is false then remove the alpha transparency 590 // (and if is set a canvas color show it in the background) 591 if(preg_match('/^image\/png$/i', $mimeType) && !PNG_IS_TRANSPARENT && $canvas_trans){ 592 $color = imagecolorallocatealpha ($canvas, $canvas_color_R, $canvas_color_G, $canvas_color_B, 127); 593 }else{ 594 $color = imagecolorallocatealpha ($canvas, $canvas_color_R, $canvas_color_G, $canvas_color_B, 0); 595 } 596 571 597 572 598 // Completely fill the background of the new image with allocated color. … … 798 824 protected function calcDocRoot(){ 799 825 $docRoot = @$_SERVER['DOCUMENT_ROOT']; 826 if (defined('LOCAL_FILE_BASE_DIRECTORY')) { 827 $docRoot = LOCAL_FILE_BASE_DIRECTORY; 828 } 800 829 if(!isset($docRoot)){ 801 830 $this->debug(3, "DOCUMENT_ROOT is not set. This is probably windows. Starting search 1."); … … 818 847 } 819 848 protected function getLocalImagePath($src){ 820 $src = preg_replace('/^\//', '', $src); //strip off the leading '/' 821 $realDocRoot = realpath($this->docRoot); //See issue 224. Using realpath as a windows fix. 849 $src = ltrim($src, '/'); //strip off the leading '/' 822 850 if(! 
$this->docRoot){ 823 851 $this->debug(3, "We have no document root set, so as a last resort, lets check if the image is in the current dir and serve that."); … … 825 853 $file = preg_replace('/^.*?([^\/\\\\]+)$/', '$1', $src); //strip off any path info and just leave the filename. 826 854 if(is_file($file)){ 827 return realpath($file);855 return $this->realpath($file); 828 856 } 829 857 return $this->error("Could not find your website document root and the file specified doesn't exist in timthumbs directory. We don't support serving files outside timthumb's directory without a document root for security reasons."); … … 833 861 if(file_exists ($this->docRoot . '/' . $src)) { 834 862 $this->debug(3, "Found file as " . $this->docRoot . '/' . $src); 835 $real = realpath($this->docRoot . '/' . $src);836 if(str pos($real, $realDocRoot) === 0){863 $real = $this->realpath($this->docRoot . '/' . $src); 864 if(stripos($real, $this->docRoot) === 0){ 837 865 return $real; 838 866 } else { … … 842 870 } 843 871 //Check absolute paths and then verify the real path is under doc root 844 $absolute = realpath('/' . $src);872 $absolute = $this->realpath('/' . $src); 845 873 if($absolute && file_exists($absolute)){ //realpath does file_exists check, so can probably skip the exists check here 846 874 $this->debug(3, "Found absolute path: $absolute"); 847 875 if(! 
$this->docRoot){ $this->sanityFail("docRoot not set when checking absolute path."); } 848 if(str pos($absolute, $realDocRoot) === 0){876 if(stripos($absolute, $this->docRoot) === 0){ 849 877 return $absolute; 850 878 } else { … … 853 881 } 854 882 } 883 855 884 $base = $this->docRoot; 856 foreach (explode('/', str_replace($this->docRoot, '', $_SERVER['SCRIPT_FILENAME'])) as $sub){ 885 886 // account for Windows directory structure 887 if (strstr($_SERVER['SCRIPT_FILENAME'],':')) { 888 $sub_directories = explode('\\', str_replace($this->docRoot, '', $_SERVER['SCRIPT_FILENAME'])); 889 } else { 890 $sub_directories = explode('/', str_replace($this->docRoot, '', $_SERVER['SCRIPT_FILENAME'])); 891 } 892 893 foreach ($sub_directories as $sub){ 857 894 $base .= $sub . '/'; 858 895 $this->debug(3, "Trying file as: " . $base . $src); 859 896 if(file_exists($base . $src)){ 860 897 $this->debug(3, "Found file as: " . $base . $src); 861 $real = realpath($base . $src);862 if(str pos($real, $realDocRoot) === 0){898 $real = $this->realpath($base . $src); 899 if(stripos($real, $this->realpath($this->docRoot)) === 0){ 863 900 return $real; 864 901 } else { … … 869 906 } 870 907 return false; 908 } 909 protected function realpath($path){ 910 //try to remove any relative paths 911 $remove_relatives = '/\w+\/\.\.\//'; 912 while(preg_match($remove_relatives,$path)){ 913 $path = preg_replace($remove_relatives, '', $path); 914 } 915 //if any remain use PHP realpath to strip them out, otherwise return $path 916 //if using realpath, any symlinks will also be resolved 917 return preg_match('#^\.\./|/\.\./#', $path) ? 
realpath($path) : $path; 871 918 } 872 919 protected function toDelete($name){ … … 1035 1082 protected function openImage($mimeType, $src){ 1036 1083 switch ($mimeType) { 1037 case 'image/jpg': //This isn't a valid mime type so we should probably remove it1038 1084 case 'image/jpeg': 1039 1085 $image = imagecreatefromjpeg ($src); … … 1047 1093 $image = imagecreatefromgif ($src); 1048 1094 break; 1095 1096 default: 1097 $this->error("Unrecognised mimeType"); 1049 1098 } 1050 1099 -
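Review bot: The new containment checks in getLocalImagePath (`stripos($real, $this->docRoot) === 0` at new lines 864 and 876, and the realpath'd variant at 899) compare against the document root without a trailing separator, so a normalized path into a sibling directory whose name merely starts with the root (e.g. `/var/www/html/../html2/x.jpg` → `/var/www/html2/x.jpg` for a root of `/var/www/html`) passes as "under doc root"; `stripos` also makes the comparison case-insensitive, which on a case-sensitive filesystem admits `/var/www/HTML/...` as well — presumably intended for Windows, but it weakens the check elsewhere. I would compute the boundary once and compare strictly: `$docRootReal = rtrim($this->realpath($this->docRoot), '/') . '/';` followed by `if(strpos($real, $docRootReal) === 0){` in all three places, so the root is compared consistently (line 899 already realpaths it, the other two do not). Note also that the new `realpath()` helper only falls back to PHP's `realpath()` when a `../` segment survives its regex pass, so a symlink inside the web root that points outside it is not resolved before the prefix check — worth confirming whether that is acceptable for this deployment. Separately, `$this->myHost` is interpolated unescaped into the regex at new line 212 (and the old `(?:$|\/)` anchor was dropped); wrapping it in `preg_quote($this->myHost, '/')` would keep a dotted or oddly formed Host value from changing the pattern's meaning. getLocalImagePath is shown only in fragments here, so the remaining branches are not visible.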
user-avatar/trunk/user-avatar.php
r505653 r537421 4 4 Plugin URI: http://wordpress.org/extend/plugins/user-avatar/ 5 5 Description: Allows users to associate photos with their accounts by accessing their "Your Profile" page that default as Gravatar or WordPress Default image (from Discussion Page). 6 Version: 1.4. 76 Version: 1.4.8 7 7 Author: Enej Bajgoric / Gagan Sandhu / CTLT DEV 8 8