Hey I'm curious about the best way to link things other than http/ftp
we just started using smf in my office, and in the office we unfourtunately rely on windows shares heavily
i'm wondering what the best way is to allow people to link something like
file://machinename/share
as it is using the bbc url tag prefixes http and ruins the link..
thanks,
matt
Well, the problem is javascript... but, if you're not going to have to worry about people doing stuff like that, open Sources/Subs-Post.php, and find the following:
function fixTags(&$message)
{
global $modSettings;
Add right below that:
return;
This will reduce security, but if you're working inside an intranet it shouldn't be a problem. And this will make file:// links work.
-[Unknown]
yeah the forum is private so i'm not overly worried about the security risks in doing this,
thanks so much
k i'm just hoping to see if the fix iv'e applied is the same security risk;
within the following fixarray code
$fixArray = array
(
// [img]http://...[/img] or [img width=1]http://...[/img]
array('tag' => 'img', 'protocol' => 'http', 'embeddedUrl' => false, 'hasEqualSign' => false, hasExtra' => true),
Iv'e added
array('tag' => 'url', 'protocol' => 'file', 'embeddedUrl' => false, 'hasEqualSign' => false),
array('tag' => 'url', 'protocol' => 'file', 'embeddedUrl' => false, 'hasEqualSign' => true),
array('tag' => 'img', 'protocol' => 'file', 'embeddedUrl' => false, 'hasEqualSign' => false, 'hasExtra' => true),
and inside of the fixtag function code here:
// Fix a specific class of tag - ie. url with =.
function fixTag(&$message, $myTag, $protocol, $embeddedUrl = false, $hasEqualSign = false, $hasExtra = false)
{
while (preg_match('/\[(' . $myTag . ($hasExtra ? '(?:[^\]]*?)' : '') . ')' . ($hasEqualSign ? '(=(.+?))' : '(())') . '\](.+?)\[\/(' . $myTag . ')\]/is', $message, $matches))
{
Iv'e added
function fixTag(&$message, $myTag, $protocol, $embeddedUrl = false, $hasEqualSign = false, $hasExtra = false)
{
if ($protocol = 'file')
return;
else
while (preg_match('/\[(' . $myTag . ($hasExtra ? '(?:[^\]]*?)' : '') . ')' . ($hasEqualSign ? '(=(.+?))' : '(())') . '\](.+?)\[\/(' . $myTag . ')\]/is', $message, $matches))
{
this is allowing me to make posts contaning the following code (even though this basicaly only works for IE)
[url]file://hostname/share[/url]
[url=file://hostname/share]text[/url]
[url]file://hostname/share/folder/document.doc[/url]
[url=file://hostname/share/folder/document.doc]text[/url]
[img]file://hostname/share/folder/picture.jpg[/img]
is this any more/less secure then the previous change?
i just threw this together, would you say it's going to be a ton of work to add the ability to fix/check these file:// tags just like http:// tags?
Thanks,
Matt
Well, there's always the possibility they could share some javascript code to steal your administrator cookie that way, but it should be fine more or less if that's okay with you...
-[Unknown]
and if i continue through the code and put in place the exact same checks done on http, will the javascript injection still be a possibility?
would this get more attention in SMF Coding Discussion?
maybe move it?>!
Doing it that way isn't exactly secure, but if you made it do it the same way as it does http, it would be at least somewhat secure....
-[Unknown]
thank you:)
just gotta get a webserver... accomodating stupid windows shares is bs