IMG TAG/Autofunction "Limit Display Size in Tag" failed in Guest hidden Boards

Started by petb, May 20, 2012, 10:36:21 AM

Previous topic - Next topic

petb

Seen on Version 2.0.2 and older Versions.

Short Description:
Display an Attachment in hidden Boards, wont be auto reduced in Display Size within the Post when storing the Post.

Large Description:
A User post a Picture as an Attachment in Board which is free viewable for Guests.
Then he wants to Display the Picture-Attachment in the Message Area.
So he edit the Post, uses the Link to the Attachment, include it within the IMG Tags and save the Post.

Now by saving the Post, the Forum Code checks if the Dimensions of the Picture are bigger than the Adjustment in the Admin Area (Max Width and Max Height for Display Image within Posts)
If the Image was bigger, the Forum Code places "width=xxx height=yyy" into the IMG Tag.

Now everything was fine, the Image was displayed smaller and if you click on the Image it gets Bigger, as it should.

But for this Automation, it was necessary for the Forum Code to reach the Attachment with Guest Rights.
If you do this in a for Guests hidden Board, the Function would fail, because it cant reach the Attachment with Guest Rights.

The CHECK of the Imagesize in the Forum Code try to use different Methods, fsockopen an others.
But for all, i believe, the Attachment must be viewable for All ?

        // Try to connect to the server... give it half a second.
        $temp = 0;
        $fp = @fsockopen($match[1], 80, $temp, $temp, 0.5);

        // Successful?  Continue...
        if ($fp != false)
        {
            // Send the HEAD request (since we don't have to worry about chunked, HTTP/1.1 is fine here.)
            fwrite($fp, 'HEAD /' . $match[2] . ' HTTP/1.1' . "\r\n" . 'Host: ' . $match[1] . "\r\n" . 'User-Agent: PHP/SMF' . "\r\n" . 'Connection: close' . "\r\n\r\n");

Even the first try gets an 403 Error.
Also the Second Try to read the Image and build a new one fail with an 403 Error.

                    // It's going to hate us for doing this, but another request...
                    $image = @imagecreatefromstring(fetch_web_data($url));


So at this Stage in the Code,
i think the Forum Code better should check if the Image itself was an external Image or an internal Attachment.

If it was an internal Attachment it should use the Values for this Attachment, stored in the DB, or should get the Dimension directly from the Attachment.
Maybe the same Way like the Forum Code did in the Admin Control Panel in the List of the Attachments, in the First Column.
There where the dimension of the Pictures listed behind the Names of the Attachments.

Unless this was fixed, you have to put the width and height Values in the IMG Tags manually.

Maybe we can allow the server/Forum Code itself in the Display.php to get(Download) the Attachment after/in this Section ?
// Download an attachment.
function Download()

Or where did the Forum checks the Right to access a Attachment ?
There we could allow the Access for the Own Server/Forum Code ?
Instead of Retrieving the Values from the DB ?

Arantor

How big is the picture, exactly? (both in terms of physical size and image dimensions)

petb

For example a 1280x920 with 121 KByte,
Forum Max width and height adjust to 640x480
But, no matter which Size or Diemensions !
The same Image in a Board viewable for Guests, is working fine.
I am 100% sure that this is related to the Situation i described.

I have checked the Server Logs.
Server IP - - [20/May/2012:14:52:42 +0200] "HEAD /index.php?action=dlattach;topic=2209.0;attach=4322;image HTTP/1.1" 403 - "-" "PHP/SMF"
Which is the result from the Code here:
           // Send the HEAD request (since we don't have to worry about chunked, HTTP/1.1 is fine here.)
            fwrite($fp, 'HEAD /' . $match[2] . ' HTTP/1.1' . "\r\n" . 'Host: ' . $match[1] . "\r\n" . 'User-Agent: PHP/SMF' . "\r\n" . 'Connection: close' . "\r\n\r\n");

The Code itself get an 403, which is normal because the affected Attachment was not viewable without Permission.
The Code itself has no access Right, because the php function acts with the Server IP as a Guest User, direct on the Server, not from the user Sight.
So the php Code listed above was not a Forum User.
The Forum hasn't and couldn't set a session id to the php code.
To get the Forum Code the rights as a user, it hast to login with the user ID via php to get access with user rights instead of Guest Rights.
Like this:

           //Before we can see the Attachment we have to take car that we are logged in as a user which hast rights to access the attachment
           ....php code to login with userdata (Loginname, Passwort)
          // after login, getting the session id and so on we can go further with accessing the attachment.

           // Send the HEAD request (since we don't have to worry about chunked, HTTP/1.1 is fine here.)
            fwrite($fp, 'HEAD /' . $match[2] . ' HTTP/1.1' . "\r\n" . 'Host: ' . $match[1] . "\r\n" . 'User-Agent: PHP/SMF' . "\r\n" . 'Connection: close' . "\r\n\r\n");

without a login the Code has only the rights like a Guest.

So i think a better Way was to switch between external hosted Images and Forum Attachments, to handle each of them separately.

Arantor

*nods* You're right, just that there are other circumstances that can cause this behaviour (namely if the file is too large to be handled)

The problem with it validating the length in the way you're suggesting is that it can actually open the not-visible-to-guests file to guests, there's no safe way to send it.

You see, the only way to be signed in to SMF is with a cookie, and you can't send that cookie directly/safely/cleanly in the request to get the information of the image size.

petb

OK, so back to my Whish to handle external Images differently to Forum-Owned Attachments, where the Access Rights/restrictions could be handled through Forum Code.
--------------------------
if (attachment url != domain){
   //go through the original code to handle external attachments
}else{
   //attachment stays in forum
   if (user_allowed_to_view_the_attachment){
      //check attachment values from attachment context or something forum designed code
   }
}
--------------------
i will take a look to see if i found something in the DB (attachment context)
The expensive Way is to get the attachment_hash (filename) with an own DB Query and then check the file location www.yourserver.com/attachments/attachment_hash

But i hope at this Stage in the subs.php in the function url_image_size($url)
there was an easier Way to become the attachment infos.... ?
Because the calling Process,... Posting the Post possibly allreday has this information ?
Which he can pass to the Function ?
Or can be accessed by a global ?
The Calling Process has something like ....isAllowedtoView...
so there is the check if the user was allowed to view allready done ?

So my Main Question was:
Is there an Way to get the attachment Infos within the function  url_image_size($url) in the Subs.php
without coding an own DB Query for that ?

OR

Is it possible to handle Forum-Owned Attachment Infos wihtinh the parent Process ?


Arantor

No, there isn't, because url_image_size is designed to be a general purpose facility, not what you're after, and you'd have to do an extra DB query whatever happens, because that stuff just is not in any kind of scope that can be used.

In any case, why attach something only to then include it in another post? Why not use something like Aeva Media to handle all of it?

petb

THX for the Info !

I want this automation, so the User does not has to take care about the maximum display size of the Forum manually.
And this should also work in a Board which is not viewable to guests.

I dont want an extra Mod like "show attachment inline mods"
And also not such a huge mod like AEVA.
I dont want to be dependent from a Mod.
As less of Mods i use,
as less i have to wait for an Update,
as less of Problems can occur if i sometimes decide to change the Forum Software.

I think it was a SMF fault to build this Automation and allow the usage of Attachment Links within the IMG Tags,
but forgot to take Care the Function will work by every board the user can write into it.

So i am searching for an workaround.  :)

Also i thougt about an cron job to parse alle the Message entrys in den DB for the IMG tags and check the width and height in there.
So therefore is no need of any extra Code in the Forum.
But this is also expensive in load, if the Forum hast a lot of Messages/Attachments.
So the Way to handle this in the message storing Process looks cheaper.

Arantor

It's not SMF's fault, you're not really supposed to be using attachments in that fashion. Attachments are supposed to be to attached to single posts, not really embedded in posts at all, so while it's 'SMF's fault' from your perspective, from SMF's perspective it's your fault for not using it how it was designed.

It's designed primarily for external links, not for attachments. In any case if you move software you'll find this problem wherever you go, especially as not all other systems even check the size of images...

I can also tell you now, it won't be changed in 2.0.x, doubtful to be changed in 2.1 which means if you want to do anything else, you'll have to look at mods. You might try the Highslide mod.

petb

OK, different Sights of View, produces different Meanings  ;D

Highslide was not the Thing i want.
Seeing the Image in the Post was still enough.
Only the SMF internal "auto reduce Display Size" Function is the Thing i am Missing,
but only in Guest hidden Boards.
So this is not enough Reason to install a mod.

Further i will take a Look to implement a IF/Then Solution wit an DB query, to check the Attachment table for height and width of the attachment.
Just use the Attachment Ids to get the Values from the Attachment table.


Advertisement: