Making sure an image is an image

Started by Jade Elizabeth, September 25, 2014, 06:07:05 AM


Jade Elizabeth

So I want to add a field or two to the post template, which will ask for a link to an image. The problem is I can make a text field, but I am not sure how to check if the contents are safe or a valid image (like if they have BBC around them then it won't work, obviously, or if the link goes to a page, etc.).

I've had people link to these as "images"
https://www.google.com/url?sa=i&rct=j&q=&esrc=s&source=images&cd=&cad=rja&uact=8&docid=BN9v_efroVgskM&tbnid=UB-IM9AAAq8LgM:&ved=0CAcQjRw&url=http%3A%2F%2Fcommons.wikimedia.org%2Fwiki%2FFile%3AUltraviolet_image_of_the_Cygnus_Loop_Nebula_crop.jpg&ei=BukjVM2gD5D9sASP1oBI&bvm=bv.76247554,d.cWc&psig=AFQjCNHtssCj0KREYeeZXb74Ngw5tUpX6g&ust=1411725924018395

Is there a function I can use to be completely safe or as safe as it would be if this were built in? :)
Once proud Documentation Writer and Help Squad Leader | Check out my new adult coloring career: Color With Jade/Patreon.


Jade Elizabeth

I was hoping for something built into SMF, like how there's a url spot for an image in the profile (avatars).

Arantor

And all you can actually do is what SMF actually does: check it's a valid link, try to follow it and see if you get an image out of it.

Jade Elizabeth

Okay, well, how would I do that? Is there something I can send it to or whatever?

Assume I am coding for 2.1... does that make it easier?

Arantor

Makes no difference. You still have to do exactly the same steps as SMF itself would have to do.

Jade Elizabeth

Okay well this will be coded in 2.1, but I might toy with the idea now. Can I send it to a function or something? How does SMF do it?

Arantor

I haven't checked what 2.1 does but I see no reason to assume it is significantly different from 2.0.8's avatar code.

    $profile_vars['avatar'] = str_replace('%20', '', preg_replace('~action(?:=|%3d)(?!dlattach)~i', 'action-', $_POST['userpicpersonal']));

    if ($profile_vars['avatar'] == 'http://' || $profile_vars['avatar'] == 'http:///')
        $profile_vars['avatar'] = '';
    // Trying to make us do something we'll regret?
    elseif (substr($profile_vars['avatar'], 0, 7) != 'http://')
        return 'bad_avatar';
    // Should we check dimensions?
    elseif (!empty($modSettings['avatar_max_height_external']) || !empty($modSettings['avatar_max_width_external']))
    {
        // Now let's validate the avatar.
        $sizes = url_image_size($profile_vars['avatar']);

        if (is_array($sizes) && (($sizes[0] > $modSettings['avatar_max_width_external'] && !empty($modSettings['avatar_max_width_external'])) || ($sizes[1] > $modSettings['avatar_max_height_external'] && !empty($modSettings['avatar_max_height_external']))))
        {
            // Houston, we have a problem. The avatar is too large!!
            if ($modSettings['avatar_action_too_large'] == 'option_refuse')
                return 'bad_avatar';
            elseif ($modSettings['avatar_action_too_large'] == 'option_download_and_resize')
            {
                require_once($sourcedir . '/Subs-Graphics.php');
                if (downloadAvatar($profile_vars['avatar'], $memID, $modSettings['avatar_max_width_external'], $modSettings['avatar_max_height_external']))
                {
                    $profile_vars['avatar'] = '';
                    $cur_profile['id_attach'] = $modSettings['new_avatar_data']['id'];
                    $cur_profile['filename'] = $modSettings['new_avatar_data']['filename'];
                    $cur_profile['attachment_type'] = $modSettings['new_avatar_data']['type'];
                }
                else
                    return 'bad_avatar';
            }
        }
    }


This is kind of more complex than it might otherwise need to be, but there's a lot going on here.

1. Convert %20 (urlencoded space) to actual space, and convert any links that contain action=thing into action-thing to prevent them being abused (e.g. a link to index.php?action=logout for example) except for action=dlattach which is allowed for image attachments.

2. If it's probably not a link since it's just an empty http protocol, ditch it.

3. If it's not beginning with http://, ditch it. Note the lack of https here. This is something that may or may not have been fixed in 2.1 but I can't be arsed to check right now.

4. If we have a set size limit, begin more detailed checks (if no size limit is set, just allow the URL as is).

4.1. url_image_size() will fetch the width/height of an image from its URL and return an array.
4.2. If it's an array, that means it was able to fetch a size from it, by way of the PHP functions that return sizes from images (which will handle PNG, JPG, GIF and can also do things like SWF, some PSDs).
4.3. If it's too large and we're not handling it, kick it back.
4.4. If it's too large and we're resizing it with code, download it (which has a ton of stuff around what it puts into the database and so is not suitable for your use anyway).


So, really, the first part is what you need to worry about.

Jade Elizabeth

Okay, I understand that now. So if I whack that into a function I can get it to send me back whether it's okay (post it) or not okay (don't post it), I assume. :)

Arantor

If you whack that into a function as it stands, it's going to crash and burn.
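A standalone version of the checks Arantor walks through above, added here as an example (not SMF's own code and not anything posted in the thread): it applies the same action= neutralising, requires an absolute http/https URL, fetches a bounded amount of the response and lets PHP's image parser decide whether the bytes are an image within the size limits. The function name, the defaults and the fetch limits are my assumptions.

```php
<?php
// Added example, not SMF code: validate a user-supplied image URL as a self-contained
// function. Returns true only when the URL points at a real, browser-displayable image
// that fits within the (optional) width/height limits; false for anything else.
function isSafeImageUrl(string $url, int $maxWidth = 0, int $maxHeight = 0, int $maxBytes = 2097152): bool
{
    $url = trim($url);
    // Same neutralising the SMF avatar code does: index.php?action=logout becomes
    // action-logout, while action=dlattach (image attachments) is left alone.
    $url = preg_replace('~action(?:=|%3d)(?!dlattach)~i', 'action-', $url);

    // Only absolute http/https URLs with a host. This rejects a bare "http://",
    // relative paths, and schemes such as javascript: or data: in one step.
    $parts = parse_url($url);
    $scheme = strtolower($parts['scheme'] ?? '');
    if ($parts === false || empty($parts['host']) || !in_array($scheme, ['http', 'https'], true)) {
        return false;
    }
    // The fetch below is made by the server, so in production also resolve the host
    // and refuse loopback/private addresses before opening it (not shown here).

    // Read a bounded amount with a short timeout and no redirects, so a slow or
    // oversized response cannot tie up the request. Assumes allow_url_fopen is on.
    $ctx = stream_context_create([
        'http' => ['method' => 'GET', 'timeout' => 5, 'follow_location' => 0, 'user_agent' => 'image-check'],
    ]);
    $fh = @fopen($url, 'rb', false, $ctx);
    if ($fh === false) {
        return false;
    }
    $data = stream_get_contents($fh, $maxBytes + 1);
    fclose($fh);
    if ($data === false || $data === '' || strlen($data) > $maxBytes) {
        return false;
    }

    // Decide by content, not by file extension or Content-Type header:
    // getimagesizefromstring() only succeeds if the bytes parse as a known image format.
    $info = @getimagesizefromstring($data);
    if ($info === false) {
        return false;
    }
    [$width, $height, $type] = $info;
    // PHP also reports SWF, PSD and similar as "images"; only allow raster formats a browser shows.
    if (!in_array($type, [IMAGETYPE_GIF, IMAGETYPE_JPEG, IMAGETYPE_PNG, IMAGETYPE_WEBP], true)) {
        return false;
    }
    if (($maxWidth > 0 && $width > $maxWidth) || ($maxHeight > 0 && $height > $maxHeight)) {
        return false;
    }
    return true;
}
```

Called with the Google redirect link quoted at the top of the thread, the fetch returns an HTML page rather than image bytes, so getimagesizefromstring() fails and the function returns false.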
