Closed GoogleCodeExporter closed 9 years ago
For exactly what do you need this?
Original comment by he...@nerv.fi
on 21 Nov 2011 at 10:28
It turns out that it sometimes happens that externally located images are base
64 encoded. If you look on the net you'll see there are discussions about
whether this is the right way to upload image files or not.
When using timthumb you apparently need to decode those first.
I am not very familiar with the ins and outs of this so if you want a more
detailed explanation I have to ask one of the PivotX experts to add a comment.
But I think a config option should go with this update (if accepted) so people
can use it or not.
Original comment by harm.kra...@gmail.com
on 21 Nov 2011 at 11:26
I've never heard of this issue happening. I am inclined to think it's specific
to your application so I am hesitant to do anything with it - especially since
base_64_decode is often used in hacking and so would flag up more warnings.
Original comment by BinaryMoon
on 22 Nov 2011 at 11:15
I understand your feeling about this. I'll ask for an update from the PivotX
experts.
Original comment by harm.kra...@gmail.com
on 23 Nov 2011 at 6:45
The argument made by one of the PivotX developers was:
To support remote files it's advisable to use base64_encoded URLs, since a lot of
browsers/firewalls/webservers won't allow 'normal' URLs in the parameter string.
To some extent I think this is true. (I can imagine mod_security being triggered by
such parameters, but I haven't tested.)
Adding support for base64_encoded URLs won't make timthumb any less secure -
the decoded URL should be handled as a normal URL. As Harm says, adding support for
base64_encoded URLs could be made optional, with the default being off.
Thx for listening.
Original comment by hansfn@gmail.com
on 23 Nov 2011 at 7:47
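The point made in the comment above (decode first, then handle the result as a normal URL, with the option off by default), as an added example that is not timthumb or PivotX code. The function names `resolve_src` and `validate_url` and the host list are hypothetical and constructed for illustration.

```php
<?php
// Added example: hypothetical helper names, not timthumb or PivotX code.
// Constructed allow-list of hosts that remote images may be fetched from.
const ALLOWED_HOSTS = ['images.example.com', 'cdn.example.org'];

// Returns the URL to fetch, or null to reject. Base64 support is opt-in.
function resolve_src(string $src, bool $acceptBase64 = false): ?string
{
    // A plain URL contains ':' and so can never be valid base64 itself.
    if (!preg_match('#^https?://#i', $src)) {
        if (!$acceptBase64) {
            return null;
        }
        // Strict mode: input outside the base64 alphabet is rejected.
        $decoded = base64_decode($src, true);
        if ($decoded === false) {
            return null;
        }
        $src = $decoded;
    }
    return validate_url($src);
}

// The single validation path, applied to plain and decoded URLs alike.
function validate_url(string $url): ?string
{
    // Control characters and whitespace have no place in a fetch URL.
    if (preg_match('/[\x00-\x20\x7f]/', $url)) {
        return null;
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    // Exact host match; a substring test would also match look-alike hosts.
    if (!in_array(strtolower($parts['host']), ALLOWED_HOSTS, true)) {
        return null;
    }
    return $url;
}

// Constructed inputs: allow-listed host, unlisted host, non-HTTP scheme.
var_dump(resolve_src(base64_encode('http://images.example.com/a.jpg'), true));
var_dump(resolve_src(base64_encode('http://other.example.net/a.jpg'), true));
var_dump(resolve_src(base64_encode('ftp://images.example.com/a.jpg'), true));
```

The ordering is what matters here: any filter that inspects only the raw `src` parameter sees opaque base64, so the allow-list check has to run on the decoded value.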
Any news on this one?
Original comment by harm.kra...@gmail.com
on 14 Dec 2011 at 8:10
This issue can be closed since the support for base64 encoded src parameter can
be added in the config file (as PivotX recently started to do).
Original comment by hansfn@gmail.com
on 10 Jan 2012 at 11:00
Original comment by BinaryMoon
on 6 Dec 2012 at 11:58
Original issue reported on code.google.com by
harm.kra...@gmail.com
on 21 Nov 2011 at 9:29