-rw-r--r-- | modules/digibug/config/digibug.php | 29 | ||||
-rw-r--r-- | modules/digibug/controllers/digibug.php | 50 | ||||
-rw-r--r-- | modules/digibug/helpers/digibug_menu.php | 2 | ||||
-rw-r--r-- | modules/digibug/tests/Digibug_Controller_Test.php | 91 |
4 files changed, 159 insertions, 13 deletions
diff --git a/modules/digibug/config/digibug.php b/modules/digibug/config/digibug.php
new file mode 100644
index 00000000..6cd165d1
--- /dev/null
+++ b/modules/digibug/config/digibug.php
@@ -0,0 +1,29 @@
+<?php defined("SYSPATH") or die("No direct script access.");
+/**
+ * Gallery - a web based photo album viewer and editor
+ * Copyright (C) 2000-2009 Bharat Mediratta
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or (at
+ * your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA 02110-1301, USA.
+ */
+/**
+ * PHP Mail Configuration parameters
+ * from => email address that appears as the from address
+ * line-length => word wrap length (PHP documentations suggest no larger tha 70 characters
+ * reply-to => what goes into the reply to header
+ */
+$config["ranges"] = array(
+ "Digibug1" => array("low" => "65.249.152.0", "high" => "65.249.159.255"),
+ "Digibug2" => array("low" => "208.122.55.0", "high" => "208.122.55.255")
+);
diff --git a/modules/digibug/controllers/digibug.php b/modules/digibug/controllers/digibug.php
index d881db9b..e0f4b6bf 100644
--- a/modules/digibug/controllers/digibug.php
+++ b/modules/digibug/controllers/digibug.php
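Review bot: The second docblock in the new config file documents mail settings (`from`, `line-length`, `reply-to`) that this file does not define; it appears to have been copied from the mail configuration and will mislead whoever later edits the address ranges. Replace it with a description of the one key that is present, e.g. `Digibug IP ranges: print_proxy serves the full-size image only when REMOTE_ADDR falls inside one of these inclusive low..high ranges (presumably the printing partner's servers).` It is also worth stating there that ranges are compared as IPv4 integers via `ip2long`, so an IPv6 address cannot be listed. The `tha` typo disappears with the old text.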
@@ -21,7 +21,7 @@ class Digibug_Controller extends Controller { public function print_photo($id) { access::verify_csrf(); $item = ORM::factory("item", $id); - access::required("view_full", $item); + access::required("view", $item); if (access::group_can(group::everybody(), "view_full", $item)) { $full_url = $item->file_url(true); @@ -56,6 +56,30 @@ class Digibug_Controller extends Controller { } public function print_proxy($type, $id) { + // If its a request for the full size then make sure we are coming from an + // authorized address + if ($type == "full") { + $remote_addr = ip2long($this->input->server("REMOTE_ADDR")); + if ($remote_addr === false) { + Kohana::show_404(); + } + $config = Kohana::config("digibug"); + + $authorized = false; + foreach ($config["ranges"] as $ip_range) { + $low = ip2long($ip_range["low"]); + $high = ip2long($ip_range["high"]); + $authorized = $low !== false && $high !== false && + $low <= $remote_addr && $remote_addr <= $high; + if ($authorized) { + break; + } + } + if (!$authorized) { + Kohana::show_404(); + } + } + $proxy = ORM::factory("digibug_proxy", array("uuid" => $id)); if (!$proxy->loaded || !$proxy->item->loaded) { Kohana::show_404(); @@ -69,16 +93,18 @@ class Digibug_Controller extends Controller { // We don't need to save the session for this request Session::abort_save(); - // Dump out the image - header("Content-Type: $proxy->item->mime_type"); - Kohana::close_buffers(false); - $fd = fopen($file, "rb"); - fpassthru($fd); - fclose($fd); + if (!TEST_MODE) { + // Dump out the image + header("Content-Type: $proxy->item->mime_type"); + Kohana::close_buffers(false); + $fd = fopen($file, "rb"); + fpassthru($fd); + fclose($fd); - // If the request was for the image and not the thumb, then delete the proxy. - if ($type == "full") { - $proxy->delete(); + // If the request was for the image and not the thumb, then delete the proxy. + if ($type == "full") { + $proxy->delete(); + } } $this->_clean_expired(); 
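Review bot: The new allowlist in print_proxy keys on `REMOTE_ADDR`, which is the address of the TCP peer, so if this Gallery instance sits behind a reverse proxy or load balancer every full-size request will carry the proxy's address and be rejected with a 404 — it fails closed, but silently. That deployment assumption deserves a comment above the check, e.g. `// Not proxy-aware: REMOTE_ADDR must be the partner's real address, otherwise every full-size request 404s.` The check also depends on `ip2long`, so only IPv4 ranges can ever be configured, and `$type == "full"` is a loose comparison where `===` would read more clearly. print_proxy continues past the end of the hunk.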
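Review bot: `header("Content-Type: $proxy->item->mime_type");`, re-indented inside the new `if (!TEST_MODE)` block, interpolates only `$proxy->item` because PHP's simple string syntax stops after the first property access; the literal text `->mime_type` is appended to whatever `$proxy->item` stringifies to, so the header is wrong (or the request fails outright if the ORM object has no __toString). The line should read `header("Content-Type: {$proxy->item->mime_type}");`. The defect predates this commit, but the commit already touches the line, so fixing it here is cheap. Note also that the `TEST_MODE` guard skips the one-shot `$proxy->delete()` for full requests as well, so that behaviour cannot be covered through the controller; if that is intentional, a comment saying so would help.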
@@ -89,8 +115,8 @@ class Digibug_Controller extends Controller { } private function _clean_expired() { - Database::instance()>query( - "DELETE FROM {digibug_proxy} " . + Database::instance()->query( + "DELETE FROM {digibug_proxies} " . "WHERE request_date <= (CURDATE() - INTERVAL 10 DAY) " . "LIMIT 20"); } diff --git a/modules/digibug/helpers/digibug_menu.php b/modules/digibug/helpers/digibug_menu.php index c95cada2..3f70fa24 100644 --- a/modules/digibug/helpers/digibug_menu.php +++ b/modules/digibug/helpers/digibug_menu.php @@ -37,7 +37,7 @@ class digibug_menu { } static function thumb($menu, $theme, $item) { - if ($item->type == "photo" && access::can("view_full", $item)) { + if ($item->type == "photo") { $menu->get("options_menu") ->append( Menu::factory("link") diff --git a/modules/digibug/tests/Digibug_Controller_Test.php b/modules/digibug/tests/Digibug_Controller_Test.php new file mode 100644 index 00000000..6838da5c --- /dev/null +++ b/modules/digibug/tests/Digibug_Controller_Test.php 
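Review bot: The corrected query in `_clean_expired` still carries two unexplained constants, the 10-day retention and the `LIMIT 20` batch size; a comment such as `// Purge leftover proxies older than 10 days, at most 20 per request, so the cleanup cost stays bounded.` would explain both to the next reader. The enclosing class continues outside the hunk.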
@@ -0,0 +1,91 @@
+<?php defined("SYSPATH") or die("No direct script access.");
+/**
+ * Gallery - a web based photo album viewer and editor
+ * Copyright (C) 2000-2009 Bharat Mediratta
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or (at
+ * your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA 02110-1301, USA.
+ */
+class Digibug_Controller_Test extends Unit_Test_Case {
+ private $_proxy;
+ private $_item;
+ private $_server;
+
+ public function teardown() {
+ $_SERVER = $this->_server;
+
+ if ($this->_proxy) {
+ $this->_proxy->delete();
+ }
+ }
+
+ public function setup() {
+ $this->_server = $_SERVER;
+
+ $root = ORM::factory("item", 1);
+ $this->_album = album::create($root, rand(), "test album");
+ access::deny(group::everybody(), "view_full", $this->_album);
+ access::deny(group::registered_users(), "view_full", $this->_album);
+
+ $rand = rand();
+ $this->_item = photo::create($this->_album, MODPATH . "gallery/tests/test.jpg", "$rand.jpg",
+ $rand, $rand);
+ $this->_proxy = ORM::factory("digibug_proxy");
+ $this->_proxy->uuid = md5(rand());
+ $this->_proxy->item_id = $this->_item->id;
+ $this->_proxy->save();
+ }
+
+ public function digibug_request_thumb_test() {
+ try {
+ $controller = new Digibug_Controller();
+ $controller->print_proxy("thumb", $this->_proxy->uuid);
+ } catch (Exception $e) {
+ $this->assert_true(false, "Exception Occurred\n" . 
$e->__toString());
+ }
+ }
+
+ public function digibug_request_full_malicious_ip_test() {
+ $_SERVER["REMOTE_ADDR"] = "123.456.789.012";
+ try {
+ $controller = new Digibug_Controller();
+ $controller->print_proxy("full", $this->_proxy->uuid);
+ $this->assert_true(false, "Should have failed with an 404 exception");
+ } catch (Exception $e) {
+ if (get_class($e) !== "Kohana_404_Exception") {
+ $this->assert_true(false, "Exception Occurred\n" . $e->__toString());
+ }
+ }
+ }
+
+ public function digibug_request_full_authorized_ip_test() {
+ $config = Kohana::config("digibug");
+ if (empty($config)) {
+ $this->assert_true(false, "The Digibug config is empty");
+ }
+ $ranges = array_values($config["ranges"]);
+ $low = ip2long($ranges[0]["low"]);
+ $high = ip2long($ranges[0]["high"]);
+
+ $_SERVER["REMOTE_ADDR"] = long2ip(rand($low, $high));
+ try {
+ $controller = new Digibug_Controller();
+ $controller->print_proxy("full", $this->_proxy->uuid);
+ $results = ob_get_contents();
+ } catch (Exception $e) {
+ $this->assert_true(false, "Exception Occurred\n" . $e->__toString());
+ }
+ }
+
+} |
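Review bot: `digibug_request_full_authorized_ip_test` never asserts anything — `$results = ob_get_contents()` is assigned and dropped, and with `TEST_MODE` set the controller emits no output anyway, so the test only proves that no exception was thrown; assert on something observable (for instance that `$this->_proxy` still loads afterwards) or remove the unused `$results`. `digibug_request_full_malicious_ip_test` uses `123.456.789.012`, which `ip2long` rejects outright, so the range comparison for a well-formed but out-of-range address is never exercised; a second case with a constructed address such as `10.0.0.1` would cover that branch. `setup` also creates `$this->_album` (not declared as a property, unlike `_item`) and the photo, but `teardown` only deletes the proxy, leaving test items behind after every run; delete the album in `teardown` as well.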