
Inline Images 1.2

Stash
edited July 2008 in Vanilla 1.0 Help
I just updated from Inline Images 1.1 (which was working fine) to 1.2 and now all I get is the ALT attribute showing from the image tag. The HTML code is all there, the image is in the directory still, but for whatever reason the image won't show up on the page. I also updated to Attachments 2.1 at the same time, but this appears to be working correctly, as when I disable II1.2 the pictures show up as a list at the bottom as expected. Any ideas as to what I've got wrong on the upgrade? I just deactivated the extension, deleted the directory via FTP, uploaded the new one and then reactivated it.

Comments

  • Same for me!

    Changed back to image.php from 1.1!
  • Hi again!

    Played a bit, it is the security fix
    if (!defined('IN_VANILLA')) exit();
    which kills the inline images!
  • Groovy! Or not... what's the solution Jazzman/Mark, as I thought this part was needed yet is breaking things?
  • Thank you emilime!

    I'm citing you from the other thread:
    UPDATE: well I think I've just found the error: the new constant IN_VANILLA is defined in appg/settings.php but the test if (!defined('IN_VANILLA')) exit(); in image.php is before the include of settings.php so IN_VANILLA is never defined and the script always exits.
    Just move the test after include('../../appg/settings.php');
    and everything works fine
    That's it!

    Thank you very much!
  • <disclaimer>I suck at PHP and security</disclaimer>
    Wouldn't what you've just done pretty much negate the whole security fix?
  • Anyone care to comment on whether or not this breaks the security fix?
  • Err...How come this extension has to include the settings file anyway? Jazzman is no fool so I'm sure there's a reason but it seems a bit odd...?
  • Stash: You should be fine to move it. Since the include path is relative, there is no possibility that an attacker could insert a foreign URL in the include.

    Good:
    include('../../appg/settings.php');

    Bad (if used without the IN_VANILLA check):
    include($configuration['APPLICATION_PATH'].'settings.php');
  • Thanks WallPhone. So if relative paths are used you don't "need" the fix?
  • Yep. The vulnerability is caused by an attacker forcing the configuration variable to something unintended, such as to point to a file on his server that may contain some malicious code.

    Relative paths are by definition relative to their own server instead of some foreign server.
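
The guard ordering and the fixed-path point discussed above, as an added example that is not part of the original thread or of the Inline Images extension. The helper name `safe_include_path` and the temporary directory standing in for appg/ are hypothetical; the script shows that `defined('IN_VANILLA')` is false until the file that defines it is loaded, and that an include path is only accepted when it resolves inside a fixed base directory.

```php
<?php
// Added example; helper name and temp layout are hypothetical.

// Resolve $relative against a fixed base directory and refuse anything that
// is not an existing file inside it (URL schemes, ../ escapes, missing files).
function safe_include_path(string $baseDir, string $relative): ?string
{
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $relative)) {
        return null; // value carries a scheme such as http:// or ftp://
    }
    $base = realpath($baseDir);
    $full = realpath($baseDir . DIRECTORY_SEPARATOR . $relative);
    if ($base === false || $full === false) {
        return null;
    }
    // The resolved file must sit below the base directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($full, $prefix, strlen($prefix)) === 0 ? $full : null;
}

// Constructed stand-in for appg/settings.php, which defines IN_VANILLA.
$appg = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'appg_demo_' . getmypid();
mkdir($appg);
file_put_contents($appg . DIRECTORY_SEPARATOR . 'settings.php',
    "<?php define('IN_VANILLA', '1');\n");

// 1. Guard before the include: the constant cannot exist yet, so
//    `if (!defined('IN_VANILLA')) exit();` placed here would always exit.
var_dump(defined('IN_VANILLA'));

// 2. Values that do not resolve inside the base directory are rejected.
var_dump(safe_include_path($appg, 'http://example.invalid/settings.php'));
var_dump(safe_include_path($appg, '../settings.php'));

// 3. Fixed path first, guard second: the order the thread settles on.
$settings = safe_include_path($appg, 'settings.php');
if ($settings === null) {
    exit("settings.php not found\n");
}
include $settings;
var_dump(defined('IN_VANILLA'));

// Remove the constructed files again.
unlink($appg . DIRECTORY_SEPARATOR . 'settings.php');
rmdir($appg);
```
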
  • Thanks for explaining WallPhone. Has anyone notified Jazzman about this fix to his extension then?
  • Thanks for this!!
  • I've sent him a sticky whisper so hopefully he'll drop by and check it out next time he's available.
  • Hey guys! Sorry for the late response! I switched to another internet provider, which resulted in 3 weeks without internet :) And with the Holidays, I had no access to internet at work!! The horror... the pain...!! :D

    I will take a look as soon as I have time.
  • What's up here? Not fixed. I wonder what you are talking about here...... there is no line if (!defined('IN_VANILLA')) exit(); in image.php. What are y'all talking about??? *shrug* You are funny people. In fact, there's not even an "IN_VANILLA" phrase in the whole InlineImage extension... so what are you talking about here??! Too bad..... I liked Vanilla, but it seems it's doomed. And please: could anyone be so kind as to explain that to me, if I understood it wrong? I'm searching through settings.php, appg/settings.php, the whole extension (default.php, image.php, image.jpg.php) and can't find IN_VANILLA !!!!! The only place to find it is in settings.php: define('IN_VANILLA', '1'); I'm on the edge when it comes to thinking about Vanilla.... that makes me sad. Started off quite good, and is ending in a confusing bad state. Why can nobody (if nobody can fix this in a new version!) explain how to fix that stupid bug???????? This is sad... Will come back these days.... but I think, if no one can help, that's it for me. Bye Vanilla.... :'(
  • Version 1.3 - 11.01.2006, Jazzman - Removed security patch again, as it was not necessary and resulted in errors
  • edited May 2008
    Ah, OK, I see... something, thank you. If the security patch is removed, why do I have the same problems as [-Stash-]? I'm using 1.3 with Attachments 2. EDIT: Problem is fixed now. It was a wrongly encoded language file (definitions.php). It was encoded in ANSI. Changed to UTF-8 and now it works.
  • Unofficial release from me to tie in with the latest JQuery release. Mods, please feel free to either update the addons site with this or remove the link/post. http://exhibitq.com/Vanilla/extensions/InlineImages/InlineImages-1.4.zip Basically, I added support for various thumbnail opening options (available in JQuery) and a GUI to choose which of these you want
This discussion has been closed.