Closed GoogleCodeExporter closed 8 years ago
Technically TimThumb doesn't require this. change the cache directory in the
code to whatever you like. Of course that's not a perfect solution (or even a
sensible solution), but it is possible.
That said, I agree with the concept of hiding the cache directory, but I am not
sure how to do this in a way that will work consistently on all servers. For
instance I tried to use sys_get_temp_dir on my test server and it said I didn't
have permission to write to that directory. This may be an unusual case but
TimThumb should always work on a default server setup.
Need to think on this. Open to any suggestions you have
Original comment by BinaryMoon
on 3 Aug 2011 at 2:11
I'm not sure I fully agree with the statement about the writable folder always
making timthumb always insecure. Yes, it's not advisable though.
Another direction to resolve this would be to make the cache file names
unpredictable to an outsider. Currently the md5 hash is performed using known
parameters, but if you throw a secret (but consistent) parameter into the mix -
you effectively make the filename extremely difficult (in practical terms,
impossible) to guess.
For the secret element - on wordpress you can use one of the secret strings in
wp-config (NONCE_KEY, SECURE_AUTH_KEY etc). If those are not accessible you can
even generate one when timthumb is installed and store it in a file that won't
expose it (perhaps an include php file with only one define statement?).
p.s. If you wish to make the hash generation even better, then use hmac (e.g.
with sha1) instead of md5. There are some attacks on naiive secret-key hashes
which hmac handles for you and it's still very fast.
Original comment by y...@gingerlime.com
on 5 Aug 2011 at 8:03
I'm chatting to Ben about bringing in wordthumb to timthumb as version 2, so I
thought I'd post here...
I've switched back to a public cache for compatibility.
I'm using salting the md5's with the mtime of the script and it's inode.
I'm also prepending a fixed length <?php die("Execution denied!"); ?> record to
the start of every cached image and stripping it off when serving them.
So all this combined with .txt file extensions makes me fairly confident it's
secure, even if a hacker can get a directoryIndex on a badly configured server.
It's available on the download page of http://code.google.com/p/wordthumb/ but
code.google won't let me do a push right now - seems to be down. So trunk still
has older code in it.
Original comment by mmaun...@gmail.com
on 5 Aug 2011 at 6:53
ok code.google is back up so the source is here:
http://code.google.com/p/wordthumb/source/browse/wordthumb.php
See:
line 144 where the salt is created
line 208 where the salt is used
lin 633 which creates a temporary file to add the fixed length record because
imagejpeg and friends dont work with filehandles.
line 816 where I strip the record back off before serving and do it without
slurping the whole file into memory.
Original comment by mmaun...@gmail.com
on 5 Aug 2011 at 7:08
Web accessible cache is now secure.
Original comment by mmaun...@gmail.com
on 5 Aug 2011 at 10:23
Original issue reported on code.google.com by
mmaun...@gmail.com
on 2 Aug 2011 at 7:53