meghlal / timthumb

Automatically exported from code.google.com/p/timthumb

Not working on Windows machines with relative paths #224

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
On a Windows machine you run into a security block on line 793:

    if(strpos($real, $this->docRoot) !== 0) ...

This is caused by the fact that realpath() returns the Windows-style path.
On a local XAMPP installation the values might look like this:

    $real = 'C:\\xampp\\htdocs\\image\\'
    $this->docRoot = 'C:/xampp/htdocs'

An easy fix is to use the realpath() function also on the $this->docRoot 
variable in the if-statement. So replacing this line with the following would 
resolve the issue:

    if(strpos($real, realpath($this->docRoot)) !== 0) ...

This would also not break the security check.

Original issue reported on code.google.com by bernhard...@gmail.com on 8 Aug 2011 at 12:45

GoogleCodeExporter commented 9 years ago
Please try the latest version. I've followed your suggestion but a little 
earlier in execution. Thanks for the bug and fix.

Original comment by mmaun...@gmail.com on 8 Aug 2011 at 4:11

GoogleCodeExporter commented 9 years ago
That's how I tried to solve the issue first. It does not work, though, as your
foreach loop in line 787 needs a Unix-style path. If you convert your docRoot
with realpath the way you have done it, it will break the loop.

You can either use the fix I suggested or you always have to use the realpath
function every time you handle file paths (which I wouldn't suggest).

Original comment by bernhard...@gmail.com on 8 Aug 2011 at 4:18

GoogleCodeExporter commented 9 years ago
OK, try it now. Implemented your first idea and yanked my last commit.

Original comment by mmaun...@gmail.com on 8 Aug 2011 at 4:42

GoogleCodeExporter commented 9 years ago

Original comment by mmaun...@gmail.com on 8 Aug 2011 at 4:42

GoogleCodeExporter commented 9 years ago
Please try the latest version. It has improved path searching and I've moved 
the realpath for docRoot to the top of file search to prevent repeated stat() 
calls.

Original comment by mmaun...@gmail.com on 8 Aug 2011 at 5:17

GoogleCodeExporter commented 9 years ago
Looking good! Can be closed. Thanks for the fast fix! 

Original comment by bernhard...@gmail.com on 8 Aug 2011 at 5:31

GoogleCodeExporter commented 9 years ago
Thanks!

Original comment by mmaun...@gmail.com on 8 Aug 2011 at 5:40

GoogleCodeExporter commented 9 years ago
Excuse me, I have trouble with the script. I get the following message on my
website when I try to see the image route:

    Warning: realpath() [function.realpath]: open_basedir restriction in effect. File(/usr/local/apache/htdocs) is not within the allowed path(s): (/home/:/usr/lib/php:/tmp) in /home/u775803560/public_html/wp-content/themes/Sosa-Blue/timthumb.php on line 815

My version of TimThumb is 2.8, not 2.8.10. I tried to change the version and
the same error happens, but on another line. How can I prevent the script from
trying to access that route?

In version 2.8, that line says "See issue 224. Using realpath as a windows
fix."

Original comment by drack...@gmail.com on 10 Jul 2012 at 10:24
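
The document-root containment check discussed in this thread, as an added example that is not TimThumb's code and not part of any comment above. It runs the prefix test from the original report against the sample values quoted there, then a variant that brings both paths to one separator style and matches on a directory boundary, and it fails closed when realpath() returns false (as it does under the open_basedir restriction in the last comment). All function names are hypothetical, and the str_replace() normalization is an assumption added so the comparison can be run on any platform.

```php
<?php
// Added example, not TimThumb's code. All function names are hypothetical.

// The check as quoted in the issue: a plain string-prefix test.
function naivePrefixCheck(string $real, string $docRoot): bool
{
    return strpos($real, $docRoot) === 0;
}

// Bring a path to one form: forward slashes, no trailing separator.
function normalizePath(string $path): string
{
    return rtrim(str_replace('\\', '/', $path), '/');
}

// Containment test on normalized paths. Appending '/' to the root makes the
// match end on a directory boundary instead of anywhere inside a name.
function isInsideDocRoot(string $real, string $docRoot): bool
{
    $real = normalizePath($real);
    $root = normalizePath($docRoot);
    return $real === $root || strpos($real, $root . '/') === 0;
}

// Resolve with realpath() on both sides, as proposed in the issue.
// realpath() returns false for a missing path or one that open_basedir
// forbids; treat that as "not allowed" rather than comparing against false.
function resolveInsideDocRoot(string $path, string $docRoot)
{
    $real = realpath($path);
    $root = realpath($docRoot);
    if ($real === false || $root === false) {
        return false;
    }
    return isInsideDocRoot($real, $root) ? $real : false;
}

// Sample values: the first two are the ones quoted in the issue,
// the sibling-directory path is constructed for this example.
$real    = 'C:\\xampp\\htdocs\\image\\';
$docRoot = 'C:/xampp/htdocs';
$sibling = 'C:\\xampp\\htdocs_old\\a.png';

echo 'prefix check, issue values:      ';
var_dump(naivePrefixCheck($real, $docRoot));
echo 'normalized check, issue values:  ';
var_dump(isInsideDocRoot($real, $docRoot));
echo 'normalized check, sibling dir:   ';
var_dump(isInsideDocRoot($sibling, $docRoot));
```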