linking something other than http

Started by mmeija, April 28, 2004, 08:00:25 PM

Previous topic - Next topic

mmeija

Hey I'm curious about the best way to link things other than http/ftp

we just started using smf in my office, and in the office we unfourtunately rely on windows shares heavily

i'm wondering what the best way is to allow people to link something like

file://machinename/share

as it is using the bbc url tag prefixes http and ruins the link..

thanks,
matt

[Unknown]

Well, the problem is javascript... but, if you're not going to have to worry about people doing stuff like that, open Sources/Subs-Post.php, and find the following:

function fixTags(&$message)
{
global $modSettings;


Add right below that:

return;

This will reduce security, but if you're working inside an intranet it shouldn't be a problem.  And this will make file:// links work.

-[Unknown]

mmeija

yeah the forum is private so i'm not overly worried about the security risks in doing this,


thanks so much

mmeija

#3
k i'm just hoping to see if the fix iv'e applied is the same security risk;

within the following fixarray code
$fixArray = array
(
// [img]http://...[/img] or [img width=1]http://...[/img]
array('tag' => 'img', 'protocol' => 'http', 'embeddedUrl' => false, 'hasEqualSign' => false, hasExtra' => true),


Iv'e added

array('tag' => 'url', 'protocol' => 'file', 'embeddedUrl' => false, 'hasEqualSign' => false),
array('tag' => 'url', 'protocol' => 'file', 'embeddedUrl' => false, 'hasEqualSign' => true),
array('tag' => 'img', 'protocol' => 'file', 'embeddedUrl' => false, 'hasEqualSign' => false, 'hasExtra' => true),


and inside of the fixtag function code here:

// Fix a specific class of tag - ie. url with =.
function fixTag(&$message, $myTag, $protocol, $embeddedUrl = false, $hasEqualSign = false, $hasExtra = false)
{
while (preg_match('/\[(' . $myTag . ($hasExtra ? '(?:[^\]]*?)' : '') . ')' . ($hasEqualSign ? '(=(.+?))' : '(())') . '\](.+?)\[\/(' . $myTag . ')\]/is', $message, $matches))
{


Iv'e added


function fixTag(&$message, $myTag, $protocol, $embeddedUrl = false, $hasEqualSign = false, $hasExtra = false)
{
if ($protocol = 'file')

return;

else

while (preg_match('/\[(' . $myTag . ($hasExtra ? '(?:[^\]]*?)' : '') . ')' . ($hasEqualSign ? '(=(.+?))' : '(())') . '\](.+?)\[\/(' . $myTag . ')\]/is', $message, $matches))
{


this is allowing me to make posts contaning the following code (even though this basicaly only works for IE)

[url]file://hostname/share[/url]
[url=file://hostname/share]text[/url]
[url]file://hostname/share/folder/document.doc[/url]
[url=file://hostname/share/folder/document.doc]text[/url]
[img]file://hostname/share/folder/picture.jpg[/img]



is this any more/less secure then the previous change?

i just threw this together, would you say it's going to be a ton of work to add the ability to fix/check these file:// tags just like http:// tags?

Thanks,
Matt

[Unknown]

Well, there's always the possibility they could share some javascript code to steal your administrator cookie that way, but it should be fine more or less if that's okay with you...

-[Unknown]

mmeija

and if i continue through the code and put in place the exact same checks done on http, will the javascript injection still be a possibility?

mmeija

would this get more attention in SMF Coding Discussion?
maybe move it?>!

[Unknown]

Doing it that way isn't exactly secure, but if you made it do it the same way as it does http, it would be at least somewhat secure....

-[Unknown]

mmeija

thank you:)

just gotta get a webserver... accomodating stupid windows shares is bs

Advertisement: