From 7c2cea01a50227088d9da567b08b9fde54b4b95f Mon Sep 17 00:00:00 2001 From: Tim Almdal Date: Thu, 23 Jul 2009 07:02:10 -0700 Subject: Fix for ticket #502 This patch allows users with only view permission to request fullsize prints using Digibug. There is now a Digibug config file that contains the IP ranges of the Digibug servers. Any request for the full size image via the print proxy must come from within the ranges in the config file. The reason for the "if (!Test_Mode) {..." is that the print proxy makes a call to Kohana::close_buffers, which closes all the output buffers and then we see the image download on the console which messes up the test output. --- modules/digibug/controllers/digibug.php | 50 +++++++++++++++++++++++++-------- 1 file changed, 38 insertions(+), 12 deletions(-) (limited to 'modules/digibug/controllers') diff --git a/modules/digibug/controllers/digibug.php b/modules/digibug/controllers/digibug.php index d881db9b..e0f4b6bf 100644 --- a/modules/digibug/controllers/digibug.php +++ b/modules/digibug/controllers/digibug.php @@ -21,7 +21,7 @@ class Digibug_Controller extends Controller { public function print_photo($id) { access::verify_csrf(); $item = ORM::factory("item", $id); - access::required("view_full", $item); + access::required("view", $item); if (access::group_can(group::everybody(), "view_full", $item)) { $full_url = $item->file_url(true); @@ -56,6 +56,30 @@ class Digibug_Controller extends Controller { } public function print_proxy($type, $id) { + // If its a request for the full size then make sure we are coming from an + // authorized address + if ($type == "full") { + $remote_addr = ip2long($this->input->server("REMOTE_ADDR")); + if ($remote_addr === false) { + Kohana::show_404(); + } + $config = Kohana::config("digibug"); + + $authorized = false; + foreach ($config["ranges"] as $ip_range) { + $low = ip2long($ip_range["low"]); + $high = ip2long($ip_range["high"]); + $authorized = $low !== false && $high !== false && + $low <= $remote_addr && $remote_addr <= $high; + if ($authorized) { + break; + } + } + if (!$authorized) { + Kohana::show_404(); + } + } + $proxy = ORM::factory("digibug_proxy", array("uuid" => $id)); if (!$proxy->loaded || !$proxy->item->loaded) { Kohana::show_404(); @@ -69,16 +93,18 @@ class Digibug_Controller extends Controller { // We don't need to save the session for this request Session::abort_save(); - // Dump out the image - header("Content-Type: $proxy->item->mime_type"); - Kohana::close_buffers(false); - $fd = fopen($file, "rb"); - fpassthru($fd); - fclose($fd); + if (!TEST_MODE) { + // Dump out the image + header("Content-Type: $proxy->item->mime_type"); + Kohana::close_buffers(false); + $fd = fopen($file, "rb"); + fpassthru($fd); + fclose($fd); - // If the request was for the image and not the thumb, then delete the proxy. - if ($type == "full") { - $proxy->delete(); + // If the request was for the image and not the thumb, then delete the proxy. + if ($type == "full") { + $proxy->delete(); + } } $this->_clean_expired(); @@ -89,8 +115,8 @@ class Digibug_Controller extends Controller { } private function _clean_expired() { - Database::instance()>query( - "DELETE FROM {digibug_proxy} " . + Database::instance()->query( + "DELETE FROM {digibug_proxies} " . "WHERE request_date <= (CURDATE() - INTERVAL 10 DAY) " . "LIMIT 20"); } -- cgit v1.2.3 From c01ac42c4604b3b129e8089e0dc683ebd418b380 Mon Sep 17 00:00:00 2001 From: Andy Staudacher Date: Sat, 29 Aug 2009 12:48:40 -0700 Subject: Refactor all calls of p::clean() to SafeString::of() and p::purify() to SafeString::purify(). Removing any p::clean() calls for arguments to t() and t2() since their args are wrapped in a SafeString anyway. --- modules/comment/controllers/comments.php | 8 +++--- modules/comment/helpers/comment_rss.php | 8 +++--- .../views/admin_block_recent_comments.html.php | 6 ++--- modules/comment/views/admin_comments.html.php | 10 ++++---- modules/comment/views/comment.html.php | 6 ++--- modules/comment/views/comment.mrss.php | 12 ++++----- modules/comment/views/comments.html.php | 6 ++--- modules/digibug/controllers/digibug.php | 2 +- modules/exif/views/exif_dialog.html.php | 4 +-- modules/g2_import/helpers/g2_import.php | 2 +- .../controllers/admin_advanced_settings.php | 2 +- modules/gallery/controllers/movies.php | 2 +- modules/gallery/controllers/photos.php | 2 +- modules/gallery/controllers/quick.php | 10 ++++---- modules/gallery/helpers/gallery_rss.php | 4 +-- modules/gallery/helpers/gallery_task.php | 4 +-- modules/gallery/helpers/p.php | 29 ---------------------- .../gallery/views/admin_advanced_settings.html.php | 8 +++--- .../gallery/views/admin_block_log_entries.html.php | 2 +- .../views/admin_block_photo_stream.html.php | 4 +-- modules/gallery/views/admin_maintenance.html.php | 2 +- .../views/admin_maintenance_show_log.html.php | 2 +- modules/gallery/views/after_install.html.php | 2 +- modules/gallery/views/move_tree.html.php | 8 +++--- modules/gallery/views/permissions_browse.html.php | 4 +-- modules/gallery/views/permissions_form.html.php | 2 +- modules/gallery/views/simple_uploader.html.php | 6 ++--- modules/info/views/info_block.html.php | 10 ++++---- .../notification/views/comment_published.html.php | 12 ++++----- modules/notification/views/item_added.html.php | 8 +++--- modules/notification/views/item_deleted.html.php | 6 ++--- modules/notification/views/item_updated.html.php | 12 ++++----- modules/organize/controllers/organize.php | 10 ++++---- modules/organize/views/organize.html.php | 2 +- modules/organize/views/organize_album.html.php | 2 +- modules/rss/views/feed.mrss.php | 14 +++++------ modules/search/views/search.html.php | 10 ++++---- .../server_add/controllers/admin_server_add.php | 4 +-- modules/server_add/views/server_add_tree.html.php | 2 +- .../views/server_add_tree_dialog.html.php | 6 ++--- modules/tag/controllers/admin_tags.php | 8 +++--- modules/tag/helpers/tag_rss.php | 2 +- modules/tag/views/admin_tags.html.php | 2 +- modules/tag/views/tag_cloud.html.php | 2 +- modules/user/controllers/admin_users.php | 14 +++++------ modules/user/controllers/login.php | 4 +-- modules/user/controllers/logout.php | 4 +-- modules/user/controllers/password.php | 2 +- modules/user/views/admin_users.html.php | 8 +++--- modules/user/views/admin_users_group.html.php | 8 +++--- modules/user/views/login.html.php | 6 ++--- modules/user/views/reset_password.html.php | 2 +- system/helpers/request.php | 2 +- themes/default/views/album.html.php | 4 +-- themes/default/views/dynamic.html.php | 4 +-- themes/default/views/header.html.php | 4 +-- themes/default/views/movie.html.php | 4 +-- themes/default/views/page.html.php | 8 +++--- themes/default/views/photo.html.php | 4 +-- 59 files changed, 159 insertions(+), 188 deletions(-) delete mode 100644 modules/gallery/helpers/p.php (limited to 'modules/digibug/controllers') diff --git a/modules/comment/controllers/comments.php b/modules/comment/controllers/comments.php index 9fb4796e..87633f4c 100644 --- a/modules/comment/controllers/comments.php +++ b/modules/comment/controllers/comments.php @@ -39,9 +39,9 @@ class Comments_Controller extends REST_Controller { foreach ($comments as $comment) { $data[] = array( "id" => $comment->id, - "author_name" => p::clean($comment->author_name()), + "author_name" => SafeString::of($comment->author_name()), "created" => $comment->created, - "text" => nl2br(p::purify($comment->text))); + "text" => nl2br(SafeString::purify($comment->text))); } print json_encode($data); break; @@ -126,9 +126,9 @@ class Comments_Controller extends REST_Controller { array("result" => "success", "data" => array( "id" => $comment->id, - "author_name" => p::clean($comment->author_name()), + "author_name" => SafeString::of($comment->author_name()), "created" => $comment->created, - "text" => nl2br(p::purify($comment->text))))); + "text" => nl2br(SafeString::purify($comment->text))))); } else { $view = new Theme_View("comment.html", "fragment"); $view->comment = $comment; diff --git a/modules/comment/helpers/comment_rss.php b/modules/comment/helpers/comment_rss.php index ab3d2283..d0f15010 100644 --- a/modules/comment/helpers/comment_rss.php +++ b/modules/comment/helpers/comment_rss.php @@ -23,7 +23,7 @@ class comment_rss_Core { $feeds["comment/newest"] = t("All new comments"); if ($item) { $feeds["comment/item/$item->id"] = - t("Comments on %title", array("title" => p::purify($item->title))); + t("Comments on %title", array("title" => SafeString::purify($item->title))); } return $feeds; } @@ -53,13 +53,13 @@ class comment_rss_Core { $item = $comment->item(); $feed->children[] = new ArrayObject( array("pub_date" => date("D, d M Y H:i:s T", $comment->created), - "text" => nl2br(p::purify($comment->text)), + "text" => nl2br(SafeString::purify($comment->text)), "thumb_url" => $item->thumb_url(), "thumb_height" => $item->thumb_height, "thumb_width" => $item->thumb_width, "item_uri" => url::abs_site("{$item->type}s/$item->id"), - "title" => p::purify($item->title), - "author" => p::clean($comment->author_name())), + "title" => SafeString::purify($item->title), + "author" => SafeString::of($comment->author_name())), ArrayObject::ARRAY_AS_PROPS); } diff --git a/modules/comment/views/admin_block_recent_comments.html.php b/modules/comment/views/admin_block_recent_comments.html.php index 516a8181..2c7a5cf1 100644 --- a/modules/comment/views/admin_block_recent_comments.html.php +++ b/modules/comment/views/admin_block_recent_comments.html.php @@ -4,13 +4,13 @@
  • "> " class="gAvatar" - alt="author_name()) ?>" + alt="author_name()) ?>" width="32" height="32" /> created) ?> %author_name said %comment_text', - array("author_name" => p::clean($comment->author_name()), - "comment_text" => text::limit_words(nl2br(p::purify($comment->text)), 50))); ?> + array("author_name" => SafeString::of($comment->author_name()), + "comment_text" => text::limit_words(nl2br(SafeString::purify($comment->text)), 50))); ?>
    • diff --git a/modules/comment/views/admin_comments.html.php b/modules/comment/views/admin_comments.html.php index 9fe7164b..b27e3166 100644 --- a/modules/comment/views/admin_comments.html.php +++ b/modules/comment/views/admin_comments.html.php @@ -108,12 +108,12 @@ " class="gAvatar" - alt="author_name()) ?>" + alt="author_name()) ?>" width="40" height="40" /> -

    author_name()) ?>

    +

    author_name()) ?>

    @@ -122,7 +122,7 @@ has_thumb()): ?> <?= p::purify($item->title) ?>thumb_width, $item->thumb_height, 75) ?> /> @@ -132,7 +132,7 @@

    created) ?>

    - text)) ?> + text)) ?>