Diffstat (limited to 'modules/digibug')
-rw-r--r--modules/digibug/config/digibug.php29
-rw-r--r--modules/digibug/controllers/digibug.php52
-rw-r--r--modules/digibug/helpers/digibug_event.php (renamed from modules/digibug/helpers/digibug_menu.php)34
-rw-r--r--modules/digibug/helpers/digibug_installer.php2
-rw-r--r--modules/digibug/helpers/digibug_theme.php2
-rw-r--r--modules/digibug/tests/Digibug_Controller_Test.php78
-rw-r--r--modules/digibug/views/admin_digibug.html.php2
7 files changed, 166 insertions, 33 deletions
diff --git a/modules/digibug/config/digibug.php b/modules/digibug/config/digibug.php
new file mode 100644
index 00000000..6cd165d1
--- /dev/null
+++ b/modules/digibug/config/digibug.php
@@ -0,0 +1,29 @@
+<?php defined("SYSPATH") or die("No direct script access.");
+/**
+ * Gallery - a web based photo album viewer and editor
+ * Copyright (C) 2000-2009 Bharat Mediratta
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or (at
+ * your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA 02110-1301, USA.
+ */
+/**
+ * PHP Mail Configuration parameters
+ * from => email address that appears as the from address
+ * line-length => word wrap length (PHP documentations suggest no larger tha 70 characters
+ * reply-to => what goes into the reply to header
+ */
+$config["ranges"] = array(
+ "Digibug1" => array("low" => "65.249.152.0", "high" => "65.249.159.255"),
+ "Digibug2" => array("low" => "208.122.55.0", "high" => "208.122.55.255")
+);
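Review bot: The doc comment above the `$config["ranges"]` array describes mail parameters (`from`, `line-length`, `reply-to`) that this file never defines; it appears to be copied from another module's config and will mislead whoever next edits the ranges. Replace it with a comment describing what is actually declared, e.g. `/** IP address ranges (inclusive, dotted-quad "low"/"high" pairs) from which Digibug_Controller::print_proxy accepts requests for the full-size image. */`. Since these addresses are Digibug's own servers and are hard-coded here, a sentence noting where the list originates and that it must be kept in sync with the vendor would help maintenance.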
diff --git a/modules/digibug/controllers/digibug.php b/modules/digibug/controllers/digibug.php
index d881db9b..0939704b 100644
--- a/modules/digibug/controllers/digibug.php
+++ b/modules/digibug/controllers/digibug.php
@@ -21,7 +21,7 @@ class Digibug_Controller extends Controller {
public function print_photo($id) {
access::verify_csrf();
$item = ORM::factory("item", $id);
- access::required("view_full", $item);
+ access::required("view", $item);
if (access::group_can(group::everybody(), "view_full", $item)) {
$full_url = $item->file_url(true);
@@ -50,12 +50,36 @@ class Digibug_Controller extends Controller {
"image_width_1" => $item->width,
"thumb_height_1" => $item->thumb_height,
"thumb_width_1" => $item->thumb_width,
- "title_1" => p::purify($item->title));
+ "title_1" => html::purify($item->title));
print $v;
}
public function print_proxy($type, $id) {
+ // If its a request for the full size then make sure we are coming from an
+ // authorized address
+ if ($type == "full") {
+ $remote_addr = ip2long($this->input->server("REMOTE_ADDR"));
+ if ($remote_addr === false) {
+ Kohana::show_404();
+ }
+ $config = Kohana::config("digibug");
+
+ $authorized = false;
+ foreach ($config["ranges"] as $ip_range) {
+ $low = ip2long($ip_range["low"]);
+ $high = ip2long($ip_range["high"]);
+ $authorized = $low !== false && $high !== false &&
+ $low <= $remote_addr && $remote_addr <= $high;
+ if ($authorized) {
+ break;
+ }
+ }
+ if (!$authorized) {
+ Kohana::show_404();
+ }
+ }
+
$proxy = ORM::factory("digibug_proxy", array("uuid" => $id));
if (!$proxy->loaded || !$proxy->item->loaded) {
Kohana::show_404();
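Review bot: The new range check trusts `REMOTE_ADDR`, which is the immediate TCP peer; if the gallery is deployed behind a reverse proxy, load balancer or CDN, every request arrives with that intermediary's address, so the check will either reject all Digibug fetches or (if the intermediary happens to sit inside a configured range) accept every request for the full-size image. That assumption should be stated on the block, e.g. `// REMOTE_ADDR must be the real client address: this check is only meaningful when the app is not behind a proxy/CDN that rewrites it.` A second, smaller caveat: on 32-bit PHP builds `ip2long()` returns negative values for addresses at or above 128.0.0.0, so the `$low <= $remote_addr && $remote_addr <= $high` comparison only holds while no configured range straddles that boundary (the two shipped ranges do not, but a future entry could); the usual portable form is `sprintf("%u", ip2long($ip))` compared as numeric strings, or comparing with an explicit comment that ranges must not cross the sign boundary. `print_proxy` continues past this hunk.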
@@ -69,16 +93,18 @@ class Digibug_Controller extends Controller {
// We don't need to save the session for this request
Session::abort_save();
- // Dump out the image
- header("Content-Type: $proxy->item->mime_type");
- Kohana::close_buffers(false);
- $fd = fopen($file, "rb");
- fpassthru($fd);
- fclose($fd);
+ if (!TEST_MODE) {
+ // Dump out the image
+ header("Content-Type: $proxy->item->mime_type");
+ Kohana::close_buffers(false);
+ $fd = fopen($file, "rb");
+ fpassthru($fd);
+ fclose($fd);
- // If the request was for the image and not the thumb, then delete the proxy.
- if ($type == "full") {
- $proxy->delete();
+ // If the request was for the image and not the thumb, then delete the proxy.
+ if ($type == "full") {
+ $proxy->delete();
+ }
}
$this->_clean_expired();
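Review bot: `header("Content-Type: $proxy->item->mime_type");` is re-added here but does not do what it looks like: simple string interpolation resolves only the first property access, so the header value is the string form of `$proxy->item` followed by the literal text `->mime_type`, not the MIME type. The line predates this commit, but since it is part of the new side it should be fixed to `header("Content-Type: {$proxy->item->mime_type}");`. Separately, moving `$proxy->delete()` inside the `!TEST_MODE` guard means the one-time-use behaviour of a full-size proxy is never exercised by the new tests; if the delete is kept outside the guard, the test teardown would need to cope with a proxy that has already been removed. `$file` is assigned before this hunk, so the function's start is outside it.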
@@ -89,8 +115,8 @@ class Digibug_Controller extends Controller {
}
private function _clean_expired() {
- Database::instance()>query(
- "DELETE FROM {digibug_proxy} " .
+ Database::instance()->query(
+ "DELETE FROM {digibug_proxies} " .
"WHERE request_date <= (CURDATE() - INTERVAL 10 DAY) " .
"LIMIT 20");
}
diff --git a/modules/digibug/helpers/digibug_menu.php b/modules/digibug/helpers/digibug_event.php
index c95cada2..d2830b80 100644
--- a/modules/digibug/helpers/digibug_menu.php
+++ b/modules/digibug/helpers/digibug_event.php
@@ -17,8 +17,8 @@
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA 02110-1301, USA.
*/
-class digibug_menu {
- static function admin($menu, $theme) {
+class digibug_event_Core {
+ static function admin_menu($menu, $theme) {
$menu->get("settings_menu")
->append(Menu::factory("link")
->id("digibug_menu")
@@ -26,25 +26,25 @@ class digibug_menu {
->url(url::site("admin/digibug")));
}
- static function photo($menu, $theme) {
+ static function photo_menu($menu, $theme) {
$item = $theme->item();
- $menu->append(
- Menu::factory("link")
- ->id("digibug")
- ->label(t("Print with Digibug"))
- ->url(url::site("digibug/print_photo/$item->id?csrf=$theme->csrf"))
- ->css_id("gDigibugLink"));
+ $menu->append(Menu::factory("link")
+ ->id("digibug")
+ ->label(t("Print with Digibug"))
+ ->url(url::site("digibug/print_photo/$item->id?csrf=$theme->csrf"))
+ ->css_id("gDigibugLink")
+ ->css_class("ui-icon-print"));
}
- static function thumb($menu, $theme, $item) {
- if ($item->type == "photo" && access::can("view_full", $item)) {
+ static function context_menu($menu, $theme, $item) {
+ if ($item->type == "photo") {
$menu->get("options_menu")
- ->append(
- Menu::factory("link")
- ->id("digibug")
- ->label(t("Print with Digibug"))
- ->url(url::site("digibug/print_photo/$item->id?csrf=$theme->csrf"))
- ->css_id("gDigibugLink"));
+ ->append(Menu::factory("link")
+ ->id("digibug")
+ ->label(t("Print with Digibug"))
+ ->url(url::site("digibug/print_photo/$item->id?csrf=$theme->csrf"))
+ ->css_id("gDigibugLink")
+ ->css_class("ui-icon-print"));
}
}
}
diff --git a/modules/digibug/helpers/digibug_installer.php b/modules/digibug/helpers/digibug_installer.php
index 1cd78b44..7e8145d2 100644
--- a/modules/digibug/helpers/digibug_installer.php
+++ b/modules/digibug/helpers/digibug_installer.php
@@ -26,7 +26,7 @@ class digibug_installer {
`request_date` TIMESTAMP NOT NULL DEFAULT current_timestamp,
`item_id` int(9) NOT NULL,
PRIMARY KEY (`id`))
- ENGINE=InnoDB DEFAULT CHARSET=utf8;");
+ DEFAULT CHARSET=utf8;");
module::set_var("digibug", "company_id", "3153");
module::set_var("digibug", "event_id", "8491");
diff --git a/modules/digibug/helpers/digibug_theme.php b/modules/digibug/helpers/digibug_theme.php
index f94d07c6..ceda55b5 100644
--- a/modules/digibug/helpers/digibug_theme.php
+++ b/modules/digibug/helpers/digibug_theme.php
@@ -19,6 +19,6 @@
*/
class digibug_theme_Core {
static function head($theme) {
- $theme->script("modules/digibug/js/digibug.js");
+ $theme->script("digibug.js");
}
}
diff --git a/modules/digibug/tests/Digibug_Controller_Test.php b/modules/digibug/tests/Digibug_Controller_Test.php
new file mode 100644
index 00000000..859ff637
--- /dev/null
+++ b/modules/digibug/tests/Digibug_Controller_Test.php
@@ -0,0 +1,78 @@
+<?php defined("SYSPATH") or die("No direct script access.");
+/**
+ * Gallery - a web based photo album viewer and editor
+ * Copyright (C) 2000-2009 Bharat Mediratta
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or (at
+ * your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA 02110-1301, USA.
+ */
+class Digibug_Controller_Test extends Unit_Test_Case {
+ private $_proxy;
+ private $_item;
+ private $_server;
+
+ public function teardown() {
+ $_SERVER = $this->_server;
+
+ if ($this->_proxy) {
+ $this->_proxy->delete();
+ }
+ }
+
+ public function setup() {
+ $this->_server = $_SERVER;
+
+ $root = ORM::factory("item", 1);
+ $this->_album = album::create($root, rand(), "test album");
+ access::deny(group::everybody(), "view_full", $this->_album);
+ access::deny(group::registered_users(), "view_full", $this->_album);
+
+ $rand = rand();
+ $this->_item = photo::create($this->_album, MODPATH . "gallery/tests/test.jpg", "$rand.jpg",
+ $rand, $rand);
+ $this->_proxy = ORM::factory("digibug_proxy");
+ $this->_proxy->uuid = md5(rand());
+ $this->_proxy->item_id = $this->_item->id;
+ $this->_proxy->save();
+ }
+
+ public function digibug_request_thumb_test() {
+ $controller = new Digibug_Controller();
+ $controller->print_proxy("thumb", $this->_proxy->uuid);
+ }
+
+ public function digibug_request_full_malicious_ip_test() {
+ $_SERVER["REMOTE_ADDR"] = "123.123.123.123";
+ try {
+ $controller = new Digibug_Controller();
+ $controller->print_proxy("full", $this->_proxy->uuid);
+ $this->assert_true(false, "Should have failed with an 404 exception");
+ } catch (Kohana_404_Exception $e) {
+ // expected behavior
+ }
+ }
+
+ public function digibug_request_full_authorized_ip_test() {
+ $config = Kohana::config("digibug");
+ $this->assert_true(!empty($config), "The Digibug config is empty");
+
+ $ranges = array_values($config["ranges"]);
+ $low = ip2long($ranges[0]["low"]);
+ $high = ip2long($ranges[0]["high"]);
+
+ $_SERVER["REMOTE_ADDR"] = long2ip(rand($low, $high));
+ $controller = new Digibug_Controller();
+ $controller->print_proxy("full", $this->_proxy->uuid);
+ }
+}
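Review bot: `setup()` creates `$this->_album` and `$this->_item`, but `teardown()` only deletes `$this->_proxy`, so every test run leaves a test album and photo in the gallery; `_album` is also never declared next to the other private properties. Add `private $_album;` to the property list and `$this->_album->delete();` to `teardown()` (presumably deleting the album removes the photo created inside it — confirm against `album::delete`). `digibug_request_thumb_test` and `digibug_request_full_authorized_ip_test` contain no assertion and only pass when nothing throws; a comment such as `// Passes if no Kohana_404_Exception is raised` on each would make that intent explicit. The authorized-IP test also only exercises the first configured range, which is worth noting in its name or a comment.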
diff --git a/modules/digibug/views/admin_digibug.html.php b/modules/digibug/views/admin_digibug.html.php
index 7e4436ff..9a1838f7 100644
--- a/modules/digibug/views/admin_digibug.html.php
+++ b/modules/digibug/views/admin_digibug.html.php
@@ -16,7 +16,7 @@
<p>
<?= t("You don't need an account with Digibug, but if you <a href=\"%signup_url\">register with Digibug</a> and enter your Digibug id in the <a href=\"%advanced_settings_url\">Advanced Settings</a> page you can make money off of your photos!",
array("signup_url" => "http://www.digibug.com/signup.php",
- "advanced_settings_url" => url::site("admin/advanced_settings"))) ?>
+ "advanced_settings_url" => html::mark_clean(url::site("admin/advanced_settings")))) ?>
</p>
</div>
</div>