Active Hyperlinks in Image Captions v1.3 - bbcode [url] alternative

Started by Joe Carver, June 17, 2009, 04:25:59 PM


Joe Carver

This plugin will allow users to add active hyperlinks in the Image Caption/Description field. The function make_clickable that is built into Coppermine is used to create the output of an active hyperlink. This is the same function used when Comments (with hyperlinks) are displayed.

Just enter the hyperlink text, starting with "www" or "http://", into the Image Description field. It will then be active and clickable when the image is displayed.

    Examples to use

          ++++++

    This can be an alternative for users who miss the bbcode links from older versions of Coppermine. This does not depend on bbcode at all. If you use bbcode [ u r l ] the link + plugin will not work (or be seen either!)
         
          ++++++

    The attached .zip(s) have revisions 1.2 - 1.3. Reports are welcome. Support will be very limited.

      Notes:
      • Words like "delete", "edit", etc will be stripped from the caption and hyperlink
      • Very long or complex URLs might not show
      • You cannot change the text showing the hyperlink
      • this is different than bbcode!

            ++++++

      - Version 1.2 - Recommended for single user galleries only
      Warning - Use at your own risk - see below - Version 1.2


      - Version 1.3 is recommended for most users
         
            ++++++

      To add hyperlinks in Image Titles - Version 1.2 ONLY has the option. Edit codebase.php where shown in the code and also shown in readme.txt file.

      Joachim Müller

      How did you circumvent the issues that led to bbcode [ u r l ] getting disabled for security reasons?

      Joe Carver

      When someone posted about hyperlinks being displayed in Comments I looked around a little and found the function
      make_clickable in functions.inc.php. Like the SMF forum here, it takes the text and converts it on output.
      Yesterday it started as a mod, and I found the plugin hook at the exact spot where I was modding the theme.

      At the moment I am assuming that the function might be called elsewhere and that there might be troubles with this if the links are too long or complex.

      Since I am about to repost with a version 1.1 that also affects image titles, your opinion is greatly appreciated.

      Joachim Müller

      Let me rephrase: how do you make sure that the hyperlinks posted by visitors are not being abused? Did you read the announcement thread "cpg1.4.21 Security release - upgrade mandatory!" and the threads referred to in that thread? That announcement thread explains why bbcode parsing has been disabled for the tags [url] and [ i m g ]. Simply ignoring the vulnerability that led to the release of cpg1.4.21 and re-enabling the [ u r l ] tag is silly and dangerous. So please answer my question: what have you done to make sure that the vulnerabilities do not apply any longer?

      Joe Carver

      The links are not done via bbcode. The function make_clickable is also used in displayimage.php and themes.inc.php for the user name and for the comment display. (<!--Coppermine Photo Gallery 1.4.23 (stable)-->)

      Function make_clickable will add <a href=....... to input that leads with www, http, etc.

      I assumed that input tagged with bbcode would be filtered by db_input.php to the point that this action/plugin would result in a non-functional link.

      As far as users abusing the availability of space to post bad/spam links, I take that now as a fact of life.....

      Is there any danger if Coppermine is accepting and then translating a link like this? http://forum.coppermine-gallery.net/   (the link was not wrapped with a url tag on posting)

      Joachim Müller

      Quote from: i-imagine on June 17, 2009, 09:08:00 PM
      Is there any danger if Coppermine is accepting and then translating a link like this? http://forum.coppermine-gallery.net/   (the link was not wrapped with a url tag on posting)
      Yes, of course: that's why bbcode tags for links have been disabled. That's why I wanted you to read about the vulnerability. Your plugin is well-meant, but not acceptable, as it opens a serious security problem. Moving.

      @all: do not use this plugin

      Joe Carver

      So if that is the case then is the default behavior of Coppermine as regards Comment input and display a risk for users? The plugin uses the exact same code with the same availability for user input unless I have missed something.

      Thanks


      phill104

      You might have missed something. Links in comments have been disabled for some time now due to the security problem. See the thread Joachim linked to.
      It is a mistake to think you can solve any major problems just with potatoes.

      Joe Carver

      @ Phil,

      I have just made this test - perhaps I am mistaken but it was possible to create an active link in a comment. If not, please inform.

      1) Coppermine Photo Gallery 1.4.23
      2) Classic theme (so it should run from themes.inc.php) no influences from anything other than SEF url and LightBox plugins. My plugin also removed. Also used clean copy of db_input.php (removing captcha mod.)
      3) Enter comment text such as www.coppermine-gallery.net - DO NOT USE BBCODE - just type www.....
      4) Text becomes clickable link

      This was touched on in this thread's exchange
      Quote from: Graham66 on April 28, 2009, 02:38:47 PM
      Yes, I just tried on your site, and I can leave a live link as a comment.  All I did was type www.google.com as my comment, and this was converted into a live link (I deleted the comment as requested).

      Graham

      That thread is where I got the idea for using the same function built into Coppermine. It is still there (the function, that is)

      (edited for clarity)
      The code in themes.inc.php is
      $comment_body = make_clickable($row['msg_body']);

      make_clickable is in functions.inc.php

      Again - this does not use bbcode.

      Joachim Müller

      I already told you that it's irrelevant how the link was generated. Do not allow your visitors to create links in one way or the other. The comments should indeed not be piped through make_clickable, that's true.

      Joe Carver

      OK, a warning has now been posted to the announcement. No further updates will be made.

      [off topic] I now get the impression that comments should be turned off and/or that themes.inc.php should get
          a touch of modification until the next release unless there is a better alternative.

      Quote from: Joachim Müller on June 18, 2009, 09:22:39 AM
      The comments should indeed not be piped through make_clickable, that's true.

      [/off topic]

      Joachim Müller

      Indeed: comments should be turned off.

      Joe Carver

      Release of Version 1.3
      Maintenance - Security Release

        Changes in this version
        • Add filter for words that are specific to Coppermine files/actions
        • "delete", "edit", etc. are stripped from hyperlink, making it harmless
        • Re-package, re-name to Coppermine plugin standards


        Version 1.3 now attached to original post.
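The following is an added example, not Coppermine's make_clickable() and not the plugin's code: a caption auto-linker of the kind the thread describes (text starting with "www." or "http://" becomes an <a href> on output), written with the hardening a reviewer would ask for before letting visitor text turn into links at all. It escapes everything the visitor typed, only links http and https targets, and refuses to make any link clickable that points back at the gallery's own hostnames; that last rule is the general form of the version 1.3 filter that strips words like "delete" and "edit", since it covers every script name on the gallery instead of a word list. The function names, the regex, the hostnames (gallery.example) and the sample captions are constructed for this example. Note what it does not do: it still lets visitors plant arbitrary outside links (spam, phishing), which is the risk the maintainer's "do not allow your visitors to create links" advice is about, so it is a safer form of the plugin, not a refutation of that advice.

```php
<?php
// Added example (not Coppermine's own make_clickable() or the plugin's code):
// a caption auto-linker as the thread describes, with output escaping, a
// scheme allowlist and a refusal to link back into the gallery itself.
// Function names, regex, hostnames and sample captions are constructed.

// Escape text for HTML output. Everything the visitor typed goes through
// this, whether it ends up inside the anchor or outside it.
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Turn one matched token into an anchor, or give it back as escaped text.
// $own_hosts lists every name the gallery itself answers to: a caption must
// never hand an admin a ready-made clickable link into the gallery's own
// scripts (the "delete"/"edit" case of version 1.3). Refusing the whole host
// covers every script name at once, without maintaining a word list.
function render_link(string $token, array $own_hosts): string
{
    // A bare "www." token has no scheme; make the href absolute.
    $target = preg_match('~^www\.~i', $token) ? 'http://' . $token : $token;
    $url    = parse_url($target) ?: [];
    $scheme = strtolower($url['scheme'] ?? '');
    $host   = strtolower($url['host'] ?? '');
    $own    = array_map('strtolower', $own_hosts);

    if (!in_array($scheme, ['http', 'https'], true)
        || $host === ''
        || in_array($host, $own, true)) {
        return esc($token);            // left as plain text, not clickable
    }
    return '<a href="' . esc($target) . '" rel="nofollow noopener">'
         . esc($token) . '</a>';
}

// Make links in a caption clickable. Text between the links is escaped, so
// any markup a visitor typed is rendered literally rather than interpreted.
function linkify_caption(string $caption, array $own_hosts): string
{
    // One capturing group, so preg_split alternates text / token / text ...
    $pattern = '~(\b(?:https?://|www\.)[^\s<>"\']+)~i';
    $pieces  = preg_split($pattern, $caption, -1, PREG_SPLIT_DELIM_CAPTURE);
    $out = '';
    foreach ($pieces as $i => $piece) {
        if ($i % 2 === 0) {            // even index: plain text between links
            $out .= esc($piece);
            continue;
        }
        // Trailing sentence punctuation belongs to the text, not the URL.
        $trail = '';
        if (preg_match('~([.,;:!?)]+)$~', $piece, $m)) {
            $trail = $m[1];
            $piece = substr($piece, 0, -strlen($trail));
        }
        $out .= render_link($piece, $own_hosts) . esc($trail);
    }
    return $out;
}

// Constructed sample captions; gallery.example stands in for the site itself.
$own_hosts = ['gallery.example', 'www.gallery.example'];
$captions = [
    'Taken near the lake, see www.coppermine-gallery.net for the camera notes.',
    'Discussed at http://forum.coppermine-gallery.net/ (plugin board).',
    'Admin, please click http://gallery.example/delete.php?pid=42',
    'Caption with <b>markup</b>, a "quoted" word and a javascript:alert(1) attempt',
];
foreach ($captions as $c) {
    echo linkify_caption($c, $own_hosts), "\n";
}
```

Running it with `php linkify.php` shows the first two captions rendered with anchors, the third (a link into the gallery's own host) and the fourth (markup, quotes, a non-http scheme) rendered as escaped plain text. The hostname list has to contain every alias the gallery is reachable under, including any bare IP address, or a link using the alias slips past the check.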