
SMF Media Gallery (SMG) - 2.0.5 is out! (December 2)

Started by SMGTeam, September 09, 2008, 03:14:05 PM


Dragooon

Quote from: Blinker on December 23, 2008, 09:48:46 AM
Hi Dragooon, thanks for the speedy reply.

I'm both glad and not glad I found a bug. :-X

I edited the Subs-MGallery.php file as per your post (both of them!) and tested both aspects of the loophole.

Unfortunately, still not working on both counts I'm afraid... :(

I submitted an image as a regular user (didn't approve it as admin) then posted html embed code into a thread and the image displayed.

I also logged out and pasted direct link into browser and the image displayed.

Sorry Dragoon...I think this bug needs attention BUT enjoy your xmas and bring on 1.5.2 when you and Nao get a chance....we can wait dude. :D Thanks for all your hard work to date, it's a great mod.
Did you clear your browser cache?

Nao 尚

Blinker, try with this version of getMediaFilePath() in Subs-MGallery. (I rewrote the SQL stuff to make it clearer. It's a bit longer but it's no longer filled with tests ;))

// This function returns the file path to a media item, and also checks security unless $security_override is true
function getMediaFilePath($mid, $type = 'main', $security_override = false)
{
	global $mgalFunc, $mgalSettings, $settings, $user_info;

	// Get the item's filename. $type is concatenated into a column name below, so only the known values are accepted.
	$galdir = $mgalSettings['data_dir_path'];
	if (!in_array($type, array('main', 'icon', 'thumb', 'preview')))
		return false;

	$result = $mgalFunc['db_query'](($type == 'icon' ? '
		SELECT f.id_file, f.filename, f.directory
		FROM {db_prefix}mgallery_albums AS a
			INNER JOIN {db_prefix}mgallery_files AS f ON (a.icon = f.id_file)
		WHERE
			a.id_album = {int:media_id}' . ($security_override || mGalAllowedTo('moderate') ? '' : '
			AND (f.id_file < 5 OR {query_see_album})
			AND (a.approved = 1 OR a.album_of = {int:user_id})')
	: '
		SELECT f.id_file, f.filename, f.directory
		FROM {db_prefix}mgallery_media AS m
			INNER JOIN {db_prefix}mgallery_files AS f ON (' . ($type != 'file' ? 'IF(m.id_' . $type . ' = 0, m.id_file, m.id_' . $type . ')'
				: 'm.id_file') . ' = f.id_file)' . ($security_override || mGalAllowedTo('moderate') ? '
		WHERE m.id_media = {int:media_id}' : '
			LEFT JOIN {db_prefix}mgallery_albums AS a ON (a.id_album = f.id_album)
		WHERE m.id_media = {int:media_id}
			AND (f.id_file < 5 OR {query_see_album})
			AND (m.approved = 1 OR m.id_member = {int:user_id})')) . '
		LIMIT 1', array('media_id' => $mid, 'user_id' => $user_info['id']), __FILE__, __LINE__);

	// Found a file the current user is allowed to see?
	if ($mgalFunc['db_num_rows']($result) > 0)
	{
		$row = $mgalFunc['db_fetch_assoc']($result);
		$path = $galdir . '/' . $row['directory'] . '/' . ($row['id_file'] > 4 ? getEncryptedFilename($row['filename'], $row['id_file']) : $row['filename']);
		$filename = $row['filename'];
	}
	// Not found, or not visible to this user: fall back to a placeholder image
	else
	{
		$path = $type == 'icon' ? $settings['default_theme_dir'] . '/images/blank.gif' : $settings['theme_dir'] . '/images/mgallery/denied.png';
		$filename = 'denied.png';
	}
	$mgalFunc['db_free_result']($result);

	return file_exists($path) ? array($path, $filename) : false;
}


SmokyBlue, this is too small a picture to be a problem with php variables...
Maybe safe mode is enabled? I don't think it would say that error message though...

I guess you'll have to sacrifice an FTP account and an admin account as well for the website ;)
I will not make any deals with you. I've resigned. I will not be pushed, filed, stamped, indexed, briefed, debriefed or numbered.

Aeva Media rocks your life.

Smoky "Rider" Blue

dropping a pm now.. let me know, owner is in Japan on USS battleship..  ;)
**Take the time to remember friendships and family.. Sometimes it's all we have, and missed very much**

vulcan59

Quote from: Nao
...same as for Mr. Spock... I guess you're trying to upload a file that's larger than your max PHP-allowed size.

Quote from: Nao
@vulcan> what are the values for upload_max_filesize and max_post_size? And yeah, it's probably because of your host.

Hi Nao,

I changed it all back to default values (1024kb) and then tried to upload 5 files about 120kb and same problem. It has to be the host but I'll have to wait to find out.

Thanks for your response.

Regards.

Smoky "Rider" Blue

Umm Nao, I forgot the FTP login.. but if you tell me what you are looking for I might be able to help..

Every folder for the gallery is set to 777.

I'm sorry.. will try to get a hold of the owner if you really need that..
**Take the time to remember friendships and family.. Sometimes it's all we have, and missed very much**

taha116

Uninstall Actions "SMF Media Gallery":
Installing this package will perform the following actions:

Type / Action / Description
* 1. Execute Modification ./index.php - Test successful
	1. Replace ./index.php - Test successful
* 2. Execute Modification ./Sources/Subs.php - Test failed
	1. Replace ./Sources/Subs.php - Test failed
	2. Replace ./Sources/Subs.php - Test successful
	3. Replace ./Sources/Subs.php - Test successful
* 3. Execute Modification ./Sources/Admin.php - Test successful
	1. Replace ./Sources/Admin.php - Test successful
* 4. Execute Modification ./Sources/Load.php - Test failed
	1. Replace ./Sources/Load.php - Test failed
	2. Replace ./Sources/Load.php - Test successful
	3. Replace ./Sources/Load.php - Test failed
	4. Replace ./Sources/Load.php - Test successful
* 5. Execute Modification ./Sources/ManagePermissions.php - Test successful
	1. Replace ./Sources/ManagePermissions.php - Test successful
	2. Replace ./Sources/ManagePermissions.php - Test successful
	3. Replace ./Sources/ManagePermissions.php - Test successful
* 6. Execute Modification ./Sources/Who.php - Test successful
	1. Replace ./Sources/Who.php - Test successful
	2. Replace ./Sources/Who.php - Test successful
* 7. Execute Modification ./Themes/default/languages/Modifications.english.php - Test successful
	1. Add Before ./Themes/default/languages/Modifications.english.php - Test successful
8. Execute Modification ./Themes/default/languages/Modifications.english-utf8.php - Skipping file
9. Execute Modification ./Themes/default/languages/Modifications.french.php - Skipping file
* 10. Execute Modification ./Sources/Profile.php - Test successful
	1. Replace ./Sources/Profile.php - Test successful
	2. Add Before ./Sources/Profile.php - Test successful
11. Delete File MGallery.php
12. Delete File MGallery-Sub.php
13. Delete File Subs-MGallery.php
14. Delete File MGallery-Admin.php
15. Delete File MGallery.template
16. Delete Tree mgallery
17. Delete Tree mgallery
18. Delete File MGallery.english.php
19. Delete File MGallery.french.php
20. Delete File MGalleryItem.php


No one answered me. Can someone offer a manual edit for me or something? This was me trying to uninstall SMG 1.5 so I could get the latest.....
"The man who smiles when things go wrong has thought of someone to blame things on"
I forgot the name
~Taha116

Smoky "Rider" Blue

taha116.

I'm sorry no one did, but maybe Dragooon will notice this.. atm I'm a little busy..

just bump again if you need to..  ;)
**Take the time to remember friendships and family.. Sometimes it's all we have, and missed very much**

taha116

Quote from: SmokyBlue on December 23, 2008, 09:25:12 PM
taha116.

I'm sorry no one did, but maybe Dragooon will notice this.. atm I'm a little busy..

just bump again if you need to..  ;)

No problem, I'll wait 2-3 days before posting that one again if I need help...  Thanks for the reply though
"The man who smiles when things go wrong has thought of someone to blame things on"
I forgot the name
~Taha116

Blinker

Quote from: Nao 尚 on December 23, 2008, 11:58:46 AM
Blinker, try with this version of getMediaFilePath() in Subs-MGallery. (I rewrote the SQL stuff to make it clearer. It's a bit longer but it's no longer filled with tests ;))

Hi Nao

Thanks for having a go at this. :)

OK, onto the test results:

After plugging in your code, HTML embed code no longer shows the image :), but BBCode does. :(

In IE, there is a 'placeholder' in full size for the HTML image with a small white square with a red cross in it in the top left corner as per standard missing image icon. In Seamonkey (and I'll assume Firefox too) there is nothing at all (which I like more...+1 to Mozilla).

Unfortunately, as I mentioned the BBcode thumbnail still shows and can be expanded if clicked on.

More good news - direct links no longer work!!! Hooray! 8)

I logged out, pasted a direct link into the browser and this error came back -

Database Error

Please try again. If you come back to this error screen, report the error to an administrator.


So, in summary, HTML embed and direct links now follow security and permission protocols, BBCode embed does not.

Dragooon

Try my fix, and make sure to clear your browser's cache.

EDIT : Or try this
// Drop-in replacement for the $result = $mgalFunc['db_query'](...) statement in getMediaFilePath()
$result = $mgalFunc['db_query'](($type == 'icon' ? '
	SELECT f.id_file, f.filename, f.directory
	FROM {db_prefix}mgallery_albums AS a
		INNER JOIN {db_prefix}mgallery_files AS f ON (a.icon = f.id_file)
	WHERE
		a.id_album = {int:media_id}' . ($security_override || mGalAllowedTo('moderate') ? '' : '
		AND (f.id_file < 5 OR {query_see_album})
		AND (a.approved = 1 OR a.album_of = {int:user_id})')
: '
	SELECT f.id_file, f.filename, f.directory
	FROM {db_prefix}mgallery_media AS m
		INNER JOIN {db_prefix}mgallery_files AS f ON (' . ($type != 'main' ? 'IF(m.id_' . $type . ' = 0, m.id_file, m.id_' . $type . ')'
			: 'm.id_file') . ' = f.id_file)' . ($security_override || mGalAllowedTo('moderate') ? '
	WHERE m.id_media = {int:media_id}' : '
		LEFT JOIN {db_prefix}mgallery_albums AS a ON (a.id_album = f.id_album)
	WHERE m.id_media = {int:media_id}
		AND (f.id_file < 5 OR {query_see_album})
		AND (m.approved = 1 OR m.id_member = {int:user_id})')) . '
	LIMIT 1', array('media_id' => $mid, 'user_id' => $user_info['id']), __FILE__, __LINE__);


Tested and I am completely sure it works. Make sure to flush your cache.
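The access rule that Nao's getMediaFilePath() and Dragooon's corrected query above express in SQL (moderator or override bypass; otherwise the album must be visible and the item approved or owned by the viewer; the type whitelisted before it reaches a column name) can be exercised without a database. The following is an added example written for this thread, not code from SMG or its authors: the $media and $albums arrays, canSeeAlbum() (standing in for the {query_see_album} fragment), SYSTEM_FILE_LIMIT (the query's "f.id_file < 5" built-in files) and cacheHeadersFor() are all constructed here, and the album id is kept on the media row where the real schema reads it from mgallery_files.

```php
<?php
// Added example (not SMG code): plain-PHP model of the access decision made by
// getMediaFilePath()'s SQL, run over constructed rows. Hypothetical names:
// $media, $albums, canSeeAlbum(), SYSTEM_FILE_LIMIT, cacheHeadersFor().

const ALLOWED_TYPES = array('main', 'icon', 'thumb', 'preview');
const SYSTEM_FILE_LIMIT = 5; // id_file values below this are built-in placeholder files

// Constructed sample rows. Member id 0 stands for a guest; album 1 is public,
// album 2 is visible only to its owner.
$albums = array(
	1 => array('approved' => 1, 'album_of' => 10, 'icon' => 3, 'visible_to' => array(0, 10, 20, 30)),
	2 => array('approved' => 0, 'album_of' => 20, 'icon' => 12, 'visible_to' => array(20)),
);
$media = array(
	100 => array('id_member' => 20, 'approved' => 0, 'id_file' => 7, 'id_thumb' => 8, 'id_album' => 1),
	101 => array('id_member' => 10, 'approved' => 1, 'id_file' => 9, 'id_thumb' => 0, 'id_album' => 1),
);

// Stand-in for the {query_see_album} fragment: a simple member list per album.
function canSeeAlbum(array $album, $userId)
{
	return in_array($userId, $album['visible_to'], true);
}

// Mirrors IF(m.id_<type> = 0, m.id_file, m.id_<type>): fall back to the original
// file when no derived (thumb/preview) file exists. 'main' is the original itself.
function resolveFileId(array $item, $type)
{
	if ($type === 'main')
		return $item['id_file'];
	$derived = isset($item['id_' . $type]) ? $item['id_' . $type] : 0;
	return $derived === 0 ? $item['id_file'] : $derived;
}

// Returns true when $userId may be served $type of item $mid.
function mayServeMedia(array $media, array $albums, $mid, $type, $userId, $isModerator, $securityOverride = false)
{
	// Whitelist first: $type ends up inside a column name in the real query.
	if (!in_array($type, ALLOWED_TYPES, true))
		return false;

	if ($type === 'icon')
	{
		// Icon branch: $mid is an album id and the album row is what gets checked.
		if (!isset($albums[$mid]))
			return false;
		$album = $albums[$mid];
		if ($securityOverride || $isModerator)
			return true;
		return ($album['icon'] < SYSTEM_FILE_LIMIT || canSeeAlbum($album, $userId))
			&& ($album['approved'] == 1 || $album['album_of'] === $userId);
	}

	if (!isset($media[$mid]))
		return false;
	$item = $media[$mid];
	if ($securityOverride || $isModerator)
		return true;

	$fileId = resolveFileId($item, $type);
	$album = isset($albums[$item['id_album']]) ? $albums[$item['id_album']] : null;
	$albumVisible = $fileId < SYSTEM_FILE_LIMIT || ($album !== null && canSeeAlbum($album, $userId));
	// Unapproved items stay visible to their own uploader.
	$itemVisible = $item['approved'] == 1 || $item['id_member'] === $userId;
	return $albumVisible && $itemVisible;
}

// Headers to send with the response. A permission-gated image must be
// revalidated on every view, otherwise a thumbnail fetched while it was
// visible keeps coming out of the browser cache; a denial is not stored at all.
function cacheHeadersFor($allowed)
{
	return $allowed
		? array('Cache-Control' => 'private, no-cache, must-revalidate')
		: array('Cache-Control' => 'no-store');
}

// Constructed scenarios: (media id, type, viewer id, viewer is moderator)
$cases = array(
	array(100, 'thumb', 0, false),   // guest, unapproved item: deny
	array(100, 'thumb', 20, false),  // uploader, unapproved item: serve
	array(100, 'thumb', 30, true),   // moderator: serve
	array(101, 'main', 0, false),    // guest, approved item in public album: serve
	array(2, 'icon', 0, false),      // guest, icon of unapproved private album: deny
	array(101, 'bogus', 0, true),    // unknown type: deny even for a moderator
);
foreach ($cases as $c)
{
	list($mid, $type, $uid, $mod) = $c;
	$ok = mayServeMedia($media, $albums, $mid, $type, $uid, $mod);
	printf("id %3d %-6s viewer %2d %s => %s (%s)\n", $mid, $type, $uid, $mod ? 'mod ' : 'user',
		$ok ? 'serve' : 'deny', cacheHeadersFor($ok)['Cache-Control']);
}
```

Run with `php` from the command line; the first case is the situation Blinker reports (an unapproved upload visible to someone other than its uploader) and should print deny, while the second shows why testing as the uploading account is not a valid check. The cache headers are a defender's addition for the stale-thumbnail effect described in this thread: the server-side decision only counts if the browser asks again.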

Blinker

Hey Dragooon

As per your previous recommendation I completely cleared the cache on both browsers before every test.

I compared that code (in your most recent post) to what was already in my Subs-Mgallery.php file and the only difference was in this line -

INNER JOIN {db_prefix}mgallery_files AS f ON (' . ($type != 'main' ? 'IF(m.id_' . $type . ' = 0, m.id_file, m.id_' . $type . ')'

where 'main' was previously 'file' so that was all I changed.

I tested and now HTML embed is showing up again!! :( BBC is still showing, but direct links won't work which is good.

Is it possible that because I've got your original fix, plus Nao's fix, plus your most recent fix all active in the same file that the problem is from that?

I'll try with my clean backup from last night with only your most recent fix and see how I go.

Edit: I changed it back to 'file' from 'main' and html embed code is disabled again. Haven't managed to try with only your new fix and minus Nao's yet.

Dragooon

Can you attach your Subs-MGallery.php? I don't know why it is showing the images to non-admins even if they're not approved. Make sure you are not the person who posted the image, since it will continue showing the original poster the link.

Blinker

Sure mate, here you go. Please note my edit on my previous post.

BTW I'm doing the test as admin and the file was posted by my test account. I've tried several different variations with diff accounts and browsers.

Oh, and thanks so much for all your help.

Dragooon

The account you're testing it with, is it the same as the user who posted it? Because then it would show it. And make sure to use $type != 'main' rather than $type != 'file', because it's not correct.

Blinker

Quote from: Dragooon on December 24, 2008, 12:19:31 AM
The account you're testing it with, is it the same as the user who posted it? Because then it would show it. And make sure to use $type != 'main' rather than $type != 'file', because it's not correct.

Definitely testing with a different account. Will also switch back to main instead of file. The only reason I changed it back again was because main allowed html to display again.

Interesting observation: (In IE) when I post html and bbc as the original poster of the image, the html only shows as that placeholder with the missing image icon and the bbc still shows as a thumb. This is the same whether I am looking at the post as admin, original poster or any other user (I have 4 accounts!)

In Seamonkey (my main browser), there is no placeholder at all, nothing shows up, there is nothing whatsoever to indicate the image is missing or not showing. BBC still shows as a thumb as normal.

Dragooon

hmm interesting...This somehow works fine for me. Nao any ideas?

Blinker

Quote from: Dragooon on December 24, 2008, 12:56:42 AM
hmm interesting...This somehow works fine for me. Nao any ideas?

Did you have a look at my file? Should I be taking one of the fixes out? I'm not sure if perhaps they're conflicting with each other.

Is there any other file that should be looked at?

Dragooon

Your files are fine. I can't understand how you cannot view them directly but can when they're embedded. Can you PM me an FTP account, as well as one admin account and the 2 test accounts?

EDIT : After some testing, it was fine for me. It didn't show me the thumbnail when I was trying to view the post with the thumbnail embedded. Although I was required to clear my cache before it actually showed me the denied.png image (the actual image was cached at the URL, so it was showing me the old thumbnail; after clearing the cache it was fine again.)

Nao 尚

About the main/file bug... It's an oversight on my side. I simply forgot to rename one of my "file" changes to "main".

To be specific, I rewrote everything to use "file" instead of "main" because I thought it was good to put it in line with the rest (id_file, id_preview, id_thumb are all part of the media database... while "id_main" isn't.) "main" uses id_file, so I figured we should be using 'file' instead, so I could simply not have to test the field type before using it. Actually it didn't help much, because IF(id_file = 0, id_file, id_file) is a bit stupid (it always returns id_file, and makes a useless test in the query), so I thought I'd just go back to the test thing... And then I thought, this was the main reason for using "file" instead of "main", so I'll just go back to "main", in case someone used that function in a mod or something and specified "main".

Regarding the approval error. There are many ways to look at it. But for what it's worth, I think it'd be best to see your stuff in action or something, hey... Do you use a simple [smg id=xx] tag, or specific options in it?
Also, but I guess you already checked that, you need to make sure your cache is emptied. Sometimes I can only get a thumbnail to refresh by copying its URL, putting it in my location bar, and then hitting Refresh (i.e. it doesn't refresh when right-clicking the picture and choosing "Reload image".)

Merry Christmas to all. I won't spend much time behind my monitor for a couple of days. Guess why. ;)
I will not make any deals with you. I've resigned. I will not be pushed, filed, stamped, indexed, briefed, debriefed or numbered.

Aeva Media rocks your life.

KahneFan

I apologize if I missed this somewhere, but (using 2.0b4) with a test account I can't seem to get an auto-approval of single images. I can't bulk upload, but single images tell me they require approval. Might I have missed a setting somewhere?
#eric_on_twit| (video) Creating Themes for SMF | Reset Your Forum
NOTE: No PM's for support please.
