Comments

Started by haghorst, March 21, 2006, 10:35:26 PM


haghorst

Hi,

I have Coppermine version 1.3.1
and I have also installed version 1.4.4.

I saw in version 1.4.4 that you can comment on the photos without logging in.
There is a box with Guest at the bottom.
I want this also on my 1.3.1 version without the risk of losing my photo hits and the comments that are now on the photos.

Must I make a change in index.php or something?
I don't know what to do  ???

If you can help me,
Thanks

Joachim Müller

You mustn't use cpg1.3.1; it contains security flaws. Update at least to cpg1.3.5.
Enable anonymous comments on coppermine's groups page.

haghorst

So this is what I must do:

Instructions for manual fix:
In init.inc.php:

Replace
Code:
$HTML_SUBST = array('"' => '&quot;', '<' => '&lt;', '>' => '&gt;');

With
Code:
$HTML_SUBST = array('&' => '&amp;', '"' => '&quot;', '<' => '&lt;', '>' => '&gt;', '%26' => '&amp;', '%22' => '&quot;', '%3C' => '&lt;', '%3E' => '&gt;');

Replace
Code:
if (is_array($HTTP_GET_VARS)) {
    foreach ($HTTP_GET_VARS as $key => $value) {
        $HTTP_GET_VARS[$key] = strtr(stripslashes($value), $HTML_SUBST);
        if (isset($$key)) unset($$key);
    }
}

with
Code:
if (is_array($HTTP_GET_VARS)) {
    foreach ($HTTP_GET_VARS as $key => $value) {
        unset($HTTP_GET_VARS[$key]);
        $HTTP_GET_VARS[strtr(stripslashes($key), $HTML_SUBST)] = strtr(stripslashes($value), $HTML_SUBST);
        if (isset($$key)) unset($$key);
    }
}

Add
Code:
/**
 * Sanitize $_GET also, as we have used it in many places
 */
if (is_array($_GET)) {
    foreach ($_GET as $key => $value) {
        unset($_GET[$key]);
        $_GET[strtr(stripslashes($key), $HTML_SUBST)] = strtr(stripslashes($value), $HTML_SUBST);
        if (isset($$key)) unset($$key);
    }
}

after
Code:
if (is_array($HTTP_GET_VARS)) {
    foreach ($HTTP_GET_VARS as $key => $value) {
        unset($HTTP_GET_VARS[$key]);
        $HTTP_GET_VARS[strtr(stripslashes($key), $HTML_SUBST)] = strtr(stripslashes($value), $HTML_SUBST);
        if (isset($$key)) unset($$key);
    }
}
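
The manual fix quoted above, worked through as an added example (not part of the original post and not Coppermine's own code): it contrasts the old values-only substitution with the patched keys-and-values substitution on a constructed query array. The function names, the `$OLD_SUBST` / `$NEW_SUBST` variable names and the sample input are assumptions made for illustration.

```php
<?php
// Added illustration, not Coppermine code. Function names are hypothetical.

// Substitution table before the fix: no '&' and no URL-encoded forms.
$OLD_SUBST = array('"' => '&quot;', '<' => '&lt;', '>' => '&gt;');

// Substitution table from the manual fix quoted above.
$NEW_SUBST = array('&' => '&amp;', '"' => '&quot;', '<' => '&lt;', '>' => '&gt;',
                   '%26' => '&amp;', '%22' => '&quot;', '%3C' => '&lt;', '%3E' => '&gt;');

// Pre-fix behaviour: only the values are rewritten, keys pass through untouched.
function sanitize_values_only(array $vars, array $subst)
{
    foreach ($vars as $key => $value) {
        $vars[$key] = strtr(stripslashes($value), $subst);
    }
    return $vars;
}

// Post-fix behaviour: keys and values are both rewritten. A new array is built
// here instead of the unset-and-reinsert used in the quoted code.
function sanitize_keys_and_values(array $vars, array $subst)
{
    $clean = array();
    foreach ($vars as $key => $value) {
        $clean[strtr(stripslashes($key), $subst)] = strtr(stripslashes($value), $subst);
    }
    return $clean;
}

// Constructed sample input: markup in a parameter name, an ampersand and quotes
// in a value, and a value that is still URL-encoded after PHP's own decoding.
$sample = array(
    'album'   => '12',
    '<b>key'  => 'a&b "quoted"',
    'caption' => '%3Cb%3Ebold%3C/b%3E',
);

// Old table: the '<b>key' name, the '&' and the %3C/%3E sequences survive.
print_r(sanitize_values_only($sample, $OLD_SUBST));

// New table: all three are rewritten. strtr() with an array does not rescan its
// own output, so the '&' in a freshly produced '&quot;' is not escaped again.
print_r(sanitize_keys_and_values($sample, $NEW_SUBST));
```

Like the quoted code, this assumes every value is a string; an array-valued parameter would have to be handled separately before `stripslashes()` is called.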


Joachim Müller

Who said so? How is this related to your issue? We have a "one issue per thread" policy you agreed to respect when signing up.

haghorst

Okay,

My problem is only the comments.
I want a box at the bottom with: Guest.
So you don't have to log in.

But I don't know how I must do that.
So you said I must upgrade it to version 1.3.5.
And I don't know how I have to do that.

Maybe this is clearer?

Greets,
Ruud ;) :)


haghorst

Nobody...
I really don't know how to do it  ???


haghorst

You are my hero  :-* ghehe
Thanks, I think I can make it  ;)