
Author Topic: linking something other than http  (Read 26073 times)

Offline mmeija

  • Newbie
  • *
  • Posts: 9
linking something other than http
« on: April 28, 2004, 08:00:25 PM »
Hey I'm curious about the best way to link things other than http/ftp

we just started using smf in my office, and in the office we unfortunately rely on windows shares heavily

i'm wondering what the best way is to allow people to link something like

file://machinename/share

as it is using the bbc url tag prefixes http and ruins the link..

thanks,
matt

Offline [Unknown]

  • SMF Friend
  • SMF Master
  • *
  • Posts: 36,102
  • Gender: Male
Re: linking something other than http
« Reply #1 on: April 28, 2004, 08:34:18 PM »
Well, the problem is javascript... but, if you're not going to have to worry about people doing stuff like that, open Sources/Subs-Post.php, and find the following:

Code: [Select]
function fixTags(&$message)
{
global $modSettings;

Add right below that:

Code: [Select]
return;

This will reduce security, but if you're working inside an intranet it shouldn't be a problem. And this will make file:// links work.

-[Unknown]

Offline mmeija

  • Newbie
  • *
  • Posts: 9
Re: linking something other than http
« Reply #2 on: April 28, 2004, 08:58:50 PM »
yeah the forum is private so i'm not overly worried about the security risks in doing this,


thanks so much

Offline mmeija

  • Newbie
  • *
  • Posts: 9
Re: linking something other than http
« Reply #3 on: August 24, 2004, 07:47:06 PM »
k i'm just hoping to see if the fix I've applied is the same security risk;

within the following fixarray code
Code: [Select]
$fixArray = array
(
	// [img]http://...[/img] or [img width=1]http://...[/img]
	array('tag' => 'img', 'protocol' => 'http', 'embeddedUrl' => false, 'hasEqualSign' => false, 'hasExtra' => true),

I've added
Code: [Select]
array('tag' => 'url', 'protocol' => 'file', 'embeddedUrl' => false, 'hasEqualSign' => false),
array('tag' => 'url', 'protocol' => 'file', 'embeddedUrl' => false, 'hasEqualSign' => true),
array('tag' => 'img', 'protocol' => 'file', 'embeddedUrl' => false, 'hasEqualSign' => false, 'hasExtra' => true),

and inside of the fixtag function code here:
Code: [Select]
// Fix a specific class of tag - ie. url with =.
function fixTag(&$message, $myTag, $protocol, $embeddedUrl = false, $hasEqualSign = false, $hasExtra = false)
{
while (preg_match('/\[(' . $myTag . ($hasExtra ? '(?:[^\]]*?)' : '') . ')' . ($hasEqualSign ? '(=(.+?))' : '(())') . '\](.+?)\[\/(' . $myTag . ')\]/is', $message, $matches))
{

I've added

Code: [Select]
function fixTag(&$message, $myTag, $protocol, $embeddedUrl = false, $hasEqualSign = false, $hasExtra = false)
{
	// Skip the checks for file:// tags only. This has to be a comparison (===):
	// an assignment (=) is always true and would skip the checks for every tag.
	if ($protocol === 'file')
		return;
	else
		while (preg_match('/\[(' . $myTag . ($hasExtra ? '(?:[^\]]*?)' : '') . ')' . ($hasEqualSign ? '(=(.+?))' : '(())') . '\](.+?)\[\/(' . $myTag . ')\]/is', $message, $matches))
		{

this is allowing me to make posts containing the following code (even though this basically only works for IE)

Code: [Select]
[url]file://hostname/share[/url]
[url=file://hostname/share]text[/url]
[url]file://hostname/share/folder/document.doc[/url]
[url=file://hostname/share/folder/document.doc]text[/url]
[img]file://hostname/share/folder/picture.jpg[/img]


is this any more/less secure than the previous change?

i just threw this together, would you say it's going to be a ton of work to add the ability to fix/check these file:// tags just like http:// tags?

Thanks,
Matt
« Last Edit: August 24, 2004, 07:53:18 PM by mmeija »

Offline [Unknown]

  • SMF Friend
  • SMF Master
  • *
  • Posts: 36,102
  • Gender: Male
Re: linking something other than http
« Reply #4 on: August 25, 2004, 01:12:11 AM »
Well, there's always the possibility they could share some javascript code to steal your administrator cookie that way, but it should be fine more or less if that's okay with you...

-[Unknown]

Offline mmeija

  • Newbie
  • *
  • Posts: 9
Re: linking something other than http
« Reply #5 on: August 26, 2004, 01:45:13 PM »
and if i continue through the code and put in place the exact same checks done on http, will the javascript injection still be a possibility?

Offline mmeija

  • Newbie
  • *
  • Posts: 9
Re: linking something other than http
« Reply #6 on: August 30, 2004, 03:40:44 PM »
would this get more attention in SMF Coding Discussion?
maybe move it?>!

Offline [Unknown]

  • SMF Friend
  • SMF Master
  • *
  • Posts: 36,102
  • Gender: Male
Re: linking something other than http
« Reply #7 on: August 30, 2004, 04:19:14 PM »
Doing it that way isn't exactly secure, but if you made it do it the same way as it does http, it would be at least somewhat secure....

-[Unknown]
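
An added illustration of the approach suggested in Reply #7, checking file:// links the same way as http links instead of skipping the check (this is not part of the thread and not SMF's own code). The function names, the scheme allowlist and the rule that file: links must name a host are assumptions; the http:// prefix for anything else mirrors the behaviour described in the first post.

```php
<?php
// Added example, not SMF code. Names and allowlist are hypothetical.

// Schemes a [url] tag may keep as written; anything else gets the http:// prefix.
const ALLOWED_SCHEMES = ['http', 'https', 'ftp', 'file'];

function normalizeBbcUrl(string $url, array $allowed = ALLOWED_SCHEMES): string
{
    // Drop control characters and surrounding whitespace before looking for a scheme.
    $url = trim(preg_replace('/[\x00-\x1F\x7F]/', '', $url));

    // RFC 3986 scheme: a letter, then letters, digits, "+", "-" or ".", then ":".
    if (preg_match('/^([a-z][a-z0-9+.\-]*):/i', $url, $m)
        && in_array(strtolower($m[1]), $allowed, true)) {
        // file: links must name a host and a path (file://machinename/share).
        if (strtolower($m[1]) === 'file' && !preg_match('~^file://[a-z0-9._\-]+/~i', $url)) {
            return '';
        }
        return $url;
    }

    // No allowlisted scheme: treat the text as a host name, so
    // "javascript:..." becomes an inert http:// URL instead of script.
    return 'http://' . $url;
}

function renderUrlTag(string $url, string $text): string
{
    $href = normalizeBbcUrl($url);
    if ($href === '') {
        // Rejected link: show the label as plain text, with no anchor.
        return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
    }
    // Escape on output so quotes in the URL cannot break out of the attribute.
    return '<a href="' . htmlspecialchars($href, ENT_QUOTES, 'UTF-8') . '">'
         . htmlspecialchars($text, ENT_QUOTES, 'UTF-8') . '</a>';
}

// Constructed sample inputs.
$samples = ['file://hostname/share', 'www.example.com', 'javascript:alert(1)', 'file:///local/path'];
foreach ($samples as $u) {
    echo renderUrlTag($u, 'text'), "\n";
}
```

Only the first sample keeps its file:// href; the second and third come out as http:// links, and the host-less file: URL is rendered as plain text.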

Offline mmeija

  • Newbie
  • *
  • Posts: 9
Re: linking something other than http
« Reply #8 on: August 31, 2004, 05:12:58 PM »
thank you:)

just gotta get a webserver... accommodating stupid windows shares is bs