search

oseawey / timthumb

Automatically exported from code.google.com/p/timthumb
0 stars 0 forks source link

Latest update (r122) breaks caching of external files and introduces small security issue #159

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago 
Repro steps:
1. Enable external images and view an external image with TimThumb
2. View the image again. The cache is ignored and the image is re-downloaded.

The problem is that when the code was reorganized to check for an existing file 
first, the code that defines the $ext variable wasn't moved. See the 
"define-ext-variable.diff" file for a fix.

The second issue is minor, but worth mentioning

Repro steps:
1. Apply "define-ext-variable.diff" patch
2. Enable external images and view an external image with TimThumb
3. Disable external images and try to view the same external image with TimThumb

TimThumb should refuse to show the external image if it isn't from an allowed 
site, but since it is already cached, it is shown without checking the source. 
See the "check-external.diff" file for a fix.

Note: I've included both patches in "both-patches.diff".

Original issue reported on code.google.com by javayaht...@gmail.com on 10 Feb 2011 at 7:39

Attachments:

GoogleCodeExporter commented 9 years ago 
Thanks for pointing this out! I actually made some changes to this myself 
before I saw your bug report. I think the issue is fixed (in a different way), 
would you mind double checking and letting me know if the problem still occurs?

Original comment by BinaryMoon on 13 Feb 2011 at 9:41

GoogleCodeExporter commented 9 years ago 
Hey, sorry. This is the first chance I've had to come back and look at this.

The first problem has been fixed, but the second problem (if you consider it 
one) hasn't.

Again, to repro:

1. Set allow external to true
2. Grab an external file (to cache it locally)
3. Change the settings to not allow external images
4. View the same (cached) file. It is still shown.

Seems to me that if I turn off external images, it shouldn't show ANY external 
images, even ones that have already been cached. I could be wrong though. Is 
there a reason that this might not be the desired action?

Original comment by javayaht...@gmail.com on 15 Feb 2011 at 5:51