marshsu / timthumb

Automatically exported from code.google.com/p/timthumb

base64_decode made possible? #290

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Open source blog CMS PivotX is using timthumb for years now.
As a config feature was introduced in recent timthumb releases I am currently 
busy trying to only use the config file for our customizations.
There is one feature however that needs to be updated in the code itself.

In function __construct() we think it should be taken into account that base64 
encoding can be the case.
For this we added to the code (first 2 lines normal timthumb):

    $this->myHost = preg_replace('/^www\./i', '', $_SERVER['HTTP_HOST']);
    $this->src = $this->param('src');
    // Added for PivotX: allow for base64 encoded src..
    if ($this->is_base64_encoded($this->src)) {
        $this->src = base64_decode($this->src);
    }

and added to the end of the file:

    /**
     * Added for PivotX: Check if a given string is base64 encoded.
     * The empty string and any length that is not a multiple of 4 cannot
     * be base64, so they are rejected before the character-class check.
     */
    protected function is_base64_encoded($str) {
        return ($str !== '' && strlen($str) % 4 === 0
            && preg_match('%^[a-zA-Z0-9/+]*={0,2}$%', $str));
    }

Can this code change be added to the real timthumb?
Possibly a config option can be added to switch the code on or off.  

Original issue reported on code.google.com by harm.kra...@gmail.com on 21 Nov 2011 at 9:29

GoogleCodeExporter commented 9 years ago
For exactly what do you need this?

Original comment by he...@nerv.fi on 21 Nov 2011 at 10:28

GoogleCodeExporter commented 9 years ago
It turns out that it sometimes happens that externally located images are 
base64 encoded. If you look on the net you'll see there are discussions about 
whether this is the right way to upload image files or not.
When using timthumb you apparently need to decode those first.

I am not very familiar with the ins and outs of this so if you want a more 
detailed explanation I have to ask one of the PivotX experts to add a comment.
But I think a config option should go with this update (if accepted) so people 
can use it or not.

Original comment by harm.kra...@gmail.com on 21 Nov 2011 at 11:26

GoogleCodeExporter commented 9 years ago
I've never heard of this issue happening. I am inclined to think it's specific 
to your application so I am hesitant to do anything with it - especially since 
base64_decode is often used in hacking and so would flag up more warnings.

Original comment by BinaryMoon on 22 Nov 2011 at 11:15

GoogleCodeExporter commented 9 years ago
I understand your feeling about this. I'll ask an update from the PivotX 
experts.

Original comment by harm.kra...@gmail.com on 23 Nov 2011 at 6:45

GoogleCodeExporter commented 9 years ago
The argument made by one of the PivotX developers was:

  To support remote files it's advisable to use base64_encoded URLs, since a lot of
  browsers/firewalls/webservers won't allow 'normal' URL's in the parameter string.

To some extent I think this is true. (I can imagine mod_security being triggered 
by such parameters, but I haven't tested.)

Adding support for base64_encoded URLs won't make timthumb any less secure - 
the decoded URL should be handled as a normal one. As Harm says, adding support 
for base64_encoded URLs could be made optional, with the default being off.

Thx for listening.

Original comment by hansfn@gmail.com on 23 Nov 2011 at 7:47
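Added example (not timthumb's or PivotX's own code) of the approach described above and in the first post: the src parameter is decoded only when it strictly round-trips as base64, and the decoded value then receives the same scheme and host checks a plain src would, so decoding opens no path around the allow-list. The config constant, the allow-list contents and the function names are assumptions.

```php
<?php
// Added example, not timthumb's or PivotX's own code. Names are assumptions.
const PIVOTX_ALLOW_BASE64_SRC = true;                      // hypothetical config switch
const ALLOWED_SITES = ['example.com', 'img.example.org'];   // constructed allow-list

/**
 * Strict base64 detection: the value must round-trip through
 * base64_decode(..., true), which rejects stray characters, bad padding
 * and the empty string that a loose character-class regex lets through.
 */
function decode_base64_src(string $src): ?string {
    if ($src === '' || strlen($src) % 4 !== 0) {
        return null;
    }
    $decoded = base64_decode($src, true);
    if ($decoded === false || base64_encode($decoded) !== $src) {
        return null;
    }
    return $decoded;
}

/**
 * Resolve the remote src parameter to a URL the script may fetch, or null
 * when it must be refused. Decoding happens before validation, so the
 * decoded value receives exactly the checks a plain URL would.
 */
function resolve_src(string $src, bool $allowBase64): ?string {
    if ($allowBase64 && ($decoded = decode_base64_src($src)) !== null) {
        $src = $decoded;
    }
    $parts = parse_url($src);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;                                  // not an absolute URL
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;                                  // only http(s) sources
    }
    $host = preg_replace('/^www\./i', '', strtolower($parts['host']));
    if (!in_array($host, ALLOWED_SITES, true)) {
        return null;                                  // host not on the allow-list
    }
    return $src;
}

// Constructed inputs: a plain URL, the same URL base64 encoded, and a
// base64 encoded URL whose host is not allowed (refused after decoding).
var_dump(resolve_src('http://example.com/a.jpg', PIVOTX_ALLOW_BASE64_SRC));
var_dump(resolve_src(base64_encode('http://example.com/a.jpg'), PIVOTX_ALLOW_BASE64_SRC));
var_dump(resolve_src(base64_encode('http://other.test/a.jpg'), PIVOTX_ALLOW_BASE64_SRC));
```

A short local src such as `abcd` is also valid base64 and would be decoded to binary and then refused by the URL checks, which is one reason the switch should default to off as the thread proposes.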

GoogleCodeExporter commented 9 years ago
Any news on this one?

Original comment by harm.kra...@gmail.com on 14 Dec 2011 at 8:10

GoogleCodeExporter commented 9 years ago
This issue can be closed since the support for base64 encoded src parameter can 
be added in the config file (as PivotX recently started to do).

Original comment by hansfn@gmail.com on 10 Jan 2012 at 11:00

GoogleCodeExporter commented 9 years ago

Original comment by BinaryMoon on 6 Dec 2012 at 11:58