jperezmedina / timthumb

Automatically exported from code.google.com/p/timthumb

Internal default image fails to be shown says it is outside docroot worked fine in 2.8 #279

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
What steps will reproduce the problem?
1. Load page with no image attached or in page
2. Default image fails to load
3. View image shows error message and an error serving the error so no error image is shown even though error image is defined

What is the expected output? What do you see instead?

I expect to see the default image I defined or the error image, which is the same image.

Fetching external images is working fine - internal images are not working

What version of the product are you using? On what operating system?

I'm using v 2.8.2 on Unix

Please provide any additional information below.

Here is the error message I got:

Warning: getimagesize() [function.getimagesize]: URL file-access is disabled in the server configuration in /nfs/c03/h04/mnt/50940/domains/reviewgeek.net/html/wp-content/themes/dougTool/scripts/timthumb.php on line 1177

Warning: getimagesize(http://www.reviewgeek.net/wp-content/uploads/2011/08/rglogodefault.png) [function.getimagesize]: failed to open stream: no suitable wrapper could be found in /nfs/c03/h04/mnt/50940/domains/reviewgeek.net/html/wp-content/themes/dougTool/scripts/timthumb.php on line 1177

Warning: Cannot modify header information - headers already sent by (output started at /nfs/c03/h04/mnt/50940/domains/reviewgeek.net/html/wp-content/themes/dougTool/scripts/timthumb.php:1177) in /nfs/c03/h04/mnt/50940/domains/reviewgeek.net/html/wp-content/themes/dougTool/scripts/timthumb.php on line 412
A TimThumb error has occured
The following error(s) occured:

    Could not find the internal image you specified.
    Additionally, the error image that is configured could not be found or there was an error serving it.

Query String : src=http://www.reviewgeek.net/wp-content/uploads/2011/08/rglogodefault.png&w=100&h=100
TimThumb version : 2.8.2

I attached my server log and config - the image exists

Original issue reported on code.google.com by voncadf...@gmail.com on 28 Oct 2011 at 6:34

GoogleCodeExporter commented 8 years ago
Same general error message here, my logs read:

[Mon Oct 31 01:02:37 2011] [error] [client 127.0.0.1] TimThumb Debug line 1076 [0.000327 : 0.000198] Doc root is: /path/to/domain
Found file as /path/to/domain/wp-content/uploads/2009/11/ComfortInn1.jpg
[Mon Oct 31 01:02:37 2011] [error] [client 127.0.0.1] TimThumb Debug line 1076 [0.001643 : 0.000392]: Security block: The file specified occurs outside the document root.

Original comment by r...@ironbellystudios.com on 31 Oct 2011 at 11:13

GoogleCodeExporter commented 8 years ago
I've gone in and labeled each separate instance of the security block error message to be Security block1, 2 and 3 and found that it's the following sections that are causing the problem:

                if(file_exists ($this->docRoot . '/' . $src)) {
                        $this->debug(3, "Found file as " . $this->docRoot . '/' . $src);
                        $real = realpath($this->docRoot . '/' . $src);
                        if(stripos($real, $this->docRoot) === 1){
                                return $real;
                        } else {
                                $this->debug(1, "Security block: The file specified occurs outside the document root.");

and

                foreach ($sub_directories as $sub){
                        $base .= $sub . '/';
                        $this->debug(3, "Trying file as: " . $base . $src);
                        if(file_exists($base . $src)){
                                $this->debug(3, "Found file as: " . $base . $src);
                                $real = realpath($base . $src);
                                if(stripos($real, $this->docRoot) === 0){
                                        return $real;
                                } else {
                                        $this->debug(1, "Security block3: The file specified occurs outside the document root.");
                                        //And continue search
                                }
                        }
                }

Original comment by netf...@gmail.com on 31 Oct 2011 at 11:34

GoogleCodeExporter commented 8 years ago
Problem was solved by removing all of the checks performed by the above-mentioned sections. I'm not sure what kind of negative ramifications this can cause, so clearly it's not a 'fix', but at the very least it's a hack to get the script working again.

So now the above mentioned sections look like this:

                if(file_exists ($this->docRoot . '/' . $src)) {
                        $this->debug(3, "Found file as " . $this->docRoot . '/' . $src);
                        $real = realpath($this->docRoot . '/' . $src);
                        return $real;
                }

and

                foreach ($sub_directories as $sub){
                        $base .= $sub . '/';
                        $this->debug(3, "Trying file as: " . $base . $src);
                        if(file_exists($base . $src)){
                                $this->debug(3, "Found file as: " . $base . $src);
                                $real = realpath($base . $src);
                                return $real;
                        }
                }

Original comment by netf...@gmail.com on 31 Oct 2011 at 11:39

GoogleCodeExporter commented 8 years ago
It appears the code that does a sanity check to compare docroots will fail in some environments (like Amazon's EC2 for me).

E.g. one of the sanity checks in 2.8.5:

if(file_exists ($this->docRoot . '/' . $src)) {
    $this->debug(3, "Found file as " . $this->docRoot . '/' . $src);
    $real = realpath($this->docRoot . '/' . $src);
    if(stripos($real,$this->docRoot) == 0){
        return $real;
    } else {
        $this->debug(1, "Security block: The file specified occurs outside the document root.");
        //allow search to continue
    }
}

the code is doing a stripos() on $real & $this->docRoot 

in my case, $this->docRoot is something like: 

  /foo/bar/var/html 

but when you run it through realpath() (as in what is happening when assigning 
$real), it is 

  /mnt/foo/bar/var/html

The solution would be to call realpath() on $this->docRoot inside the stripos() call as well, since it's been done to $real, e.g.

// Strict comparison: stripos() returns false when there is no match, and false == 0 is true.
if(stripos($real,realpath($this->docRoot)) === 0){
    return $real;
} else {
    $this->debug(1, "Security block: The file specified occurs outside the document root.");
    //allow search to continue
}

Original comment by normanye...@gmail.com on 13 Jan 2012 at 3:14
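The docroot check discussed in this thread, as an added example that is not part of the original comments or of TimThumb's source. `loose_check()` mirrors the `== 0` comparison from the 2.8.5 snippet quoted above with realpath() applied to both sides; `is_inside_docroot()` is a hypothetical stricter variant. Both function names and the temp-directory layout are constructed for illustration.

```php
<?php
// Added example, not TimThumb code. Function names and paths are hypothetical.

// 2.8.5-style test with realpath() on both sides, still using the loose ==.
function loose_check(string $real, string $docRoot): bool {
    // stripos() returns false on no match, and false == 0 evaluates to true.
    return stripos($real, realpath($docRoot)) == 0;
}

// Canonicalise both paths, then require "docroot + separator" as a strict prefix.
function is_inside_docroot(string $path, string $docRoot): bool {
    $real = realpath($path);
    $root = realpath($docRoot);
    if ($real === false || $root === false) {
        return false; // missing file or unresolvable docroot: refuse
    }
    $root = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($real, $root, strlen($root)) === 0;
}

// Constructed layout (files are left in the system temp directory):
//   mnt/site          real docroot
//   site -> mnt/site  symlinked docroot, like /foo/... resolving to /mnt/foo/...
//   mnt/site-old      sibling directory that shares the docroot's string prefix
//   elsewhere         unrelated directory
$tmp = sys_get_temp_dir() . '/docroot-demo-' . getmypid();
mkdir("$tmp/mnt/site/img", 0700, true);
mkdir("$tmp/mnt/site-old", 0700, true);
mkdir("$tmp/elsewhere", 0700, true);
symlink("$tmp/mnt/site", "$tmp/site");
touch("$tmp/mnt/site/img/logo.png");
touch("$tmp/mnt/site-old/backup.txt");
touch("$tmp/elsewhere/secret.txt");

$docRoot = "$tmp/site"; // the configured docroot is the symlink
$cases = [
    'inside docroot'  => "$docRoot/img/logo.png",
    'prefix sibling'  => "$tmp/mnt/site-old/backup.txt",
    'outside docroot' => "$tmp/elsewhere/secret.txt",
];
foreach ($cases as $label => $path) {
    printf("%-16s loose=%s strict=%s\n", $label,
        var_export(loose_check(realpath($path), $docRoot), true),
        var_export(is_inside_docroot($path, $docRoot), true));
}
```

The loose check accepts all three paths; the strict one accepts only the file under the symlinked docroot, which is the case that was being blocked in this issue.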

GoogleCodeExporter commented 8 years ago
normanye, thanks, it works fine for me!

Original comment by Azze...@gmail.com on 22 Jan 2012 at 3:58

GoogleCodeExporter commented 8 years ago
That worked for me too! Thanks!

Original comment by auz1...@jecadesigns.com on 7 Feb 2012 at 1:11

GoogleCodeExporter commented 8 years ago
My application moved from one FreeBSD server to another, same version DA/PHP/Apache etc., then it started to fail and give the error given above.

After hours of trying, normanye's fix worked for me too!

But we just noticed, only the filesystem differs!

Original comment by mkei...@gmail.com on 7 Feb 2012 at 12:29

GoogleCodeExporter commented 8 years ago
Issue 328 has been merged into this issue.

Original comment by BinaryMoon on 7 Feb 2012 at 1:38

GoogleCodeExporter commented 8 years ago
Since this seems to be working for people I have committed the fix.

Thanks for the help!

Original comment by BinaryMoon on 7 Feb 2012 at 1:47