[cpg1.4.x]: Download a Zipped Album With Basic Security - Page 2
 



[cpg1.4.x]: Download a Zipped Album With Basic Security

Started by erostew, October 25, 2007, 08:53:17 PM



erostew

#20
Quote from: VladiczeK on January 28, 2008, 03:09:39 PM
Yeah, this mod to mod work for me, thx2all!
Well cool!
Apparently in some configurations that line is needed. Strange.

I'll add it to the archive if it tests out okay on my installation. Thanks again Nibbler.

Nibbler

It's not at all strange. Your code relies on the php setting register_globals being enabled. It is usually not enabled for security reasons.

erostew

Quote from: Nibbler on January 28, 2008, 07:40:59 PM
It's not at all strange. Your code relies on the php setting register_globals being enabled. It is usually not enabled for security reasons.

You're right again, but that isn't "my" code. I simply adapted what was already present in the script for that section of the security check. I'm only a novice at php.

I do find it strange that nobody reported trouble with this before now in either this script or the original that it was built on. It makes me think that register_globals isn't disabled as often as you would think. It also makes me wonder exactly why my hosting provider has set up all my servers in the last 5 years with it enabled. Maybe they prefer not having to be bothered by customers who have a hard time getting a script to run more than they worry about my data being safe.

Now I am going to have to spend a couple of days turning it off and then troubleshooting scripts that may no longer work.  :(

erostew

I have been quite open about not being a real coder and it has once again been proven.  :-[

However the excellent Nibbler has once again provided a valuable lesson. Thanks to VladiczeK also for reporting the issue.

The latest version has been uploaded to the first post and now should be compatible with a server where register_globals is turned off, as it should be.

Regards

williamgates


Just to download this file, I signed in here. But I found it won't work for me if I follow the instructions. I found out a new method that means you don't need to edit theme.php every time you change theme.

In my classic theme.php, there is just a small piece of code:
<?php
/*************************
  Coppermine Photo Gallery
  ************************
  Copyright (c) 2003-2008 Dev Team
  v1.1 originally written by Gregory DEMAR

  This program is free software; you can redistribute it and/or modify
  it under the terms of the GNU General Public License version 3
  as published by the Free Software Foundation.
  
  ********************************************
  Coppermine version: 1.4.16
  $HeadURL: https://coppermine.svn.sourceforge.net/svnroot/coppermine/trunk/cpg1.4.x/themes/classic/theme.php $
  $Revision: 4233 $
  $Author: gaugau $
  $Date: 2008-02-02 09:23:58 +0100 (Sa, 02 Feb 2008) $
**********************************************/

// ------------------------------------------------------------------------- //
// This theme has all CORE items removed                                     //
// ------------------------------------------------------------------------- //
define('THEME_IS_XHTML10_TRANSITIONAL',1);

?>


I think it may be the difference between 1.4.16 and the version the author of this post uses. I tried inserting that code in this file, but it does not take effect. So I think that means CPG does not even use this file to show the classic theme. I read the documentation and found:
Quote
There are now theme $template_ and theme_ function fallbacks which allow you to eliminate many un-modified templates or functions from the theme.php. You only need to modify the templates or functions that you want to act differently from the default "Classic" theme.
So I looked into the include folder, open the themes.inc.php, here I found the code which the instructions mentioned. Though the file reads:
Quote
// Do not edit this file.                                      //
// If you need to customize your theme,                        //
// edit themes/yourtheme/theme.php instead !!!                 //
// Take a look at the sample theme (themes/sample/theme.php)   //
// to get an idea what to copy into your custom theme.         //
// Really, don't edit this file! We mean it!                   //
But I still did it, and then it works. It works with every theme with just one edit.

I am sorry for my poor English and subjective assertion. There might be a better way or a better explanation. If you find anything wrong with what I said, please let me know. Thanks.

erostew

#25
Quote from: williamgates on February 09, 2008, 10:29:16 AM
Just to download this file, I signed in here. But I found it won't work for me if I follow the instructions. I found out a new method that means you don't need to edit theme.php every time you change theme.


I haven't yet had a chance to install 1.4.16.
I will check things out as soon as I can. Thanks for the information.

I have updated my sandbox coppermine to 1.4.16 and have found no issues at all. Procedures for installing have not changed.

erostew

#26
Quote from: williamgates on February 09, 2008, 10:29:16 AM
Just to download this file, I signed in here. But I found it won't work for me if I follow the instructions. I found out a new method that means you don't need to edit theme.php every time you change theme.

In my classic theme.php, there is just a small piece of code:
<?php
/*************************
  Coppermine Photo Gallery
  ************************
  Copyright (c) 2003-2008 Dev Team
  v1.1 originally written by Gregory DEMAR

  This program is free software; you can redistribute it and/or modify
  it under the terms of the GNU General Public License version 3
  as published by the Free Software Foundation.
  
  ********************************************
  Coppermine version: 1.4.16
  $HeadURL: https://coppermine.svn.sourceforge.net/svnroot/coppermine/trunk/cpg1.4.x/themes/classic/theme.php $
  $Revision: 4233 $
  $Author: gaugau $
  $Date: 2008-02-02 09:23:58 +0100 (Sa, 02 Feb 2008) $
**********************************************/

// ------------------------------------------------------------------------- //
// This theme has all CORE items removed                                     //
// ------------------------------------------------------------------------- //
define('THEME_IS_XHTML10_TRANSITIONAL',1);

?>


I think it may be the difference between 1.4.16 and the version the author of this post uses. I tried inserting that code in this file, but it does not take effect. So I think that means CPG does not even use this file to show the classic theme. I read the documentation and found:
So I looked into the include folder, opened themes.inc.php, and here I found the code which the instructions mention. Though the file reads:
But I still did it, and then it works. It works with every theme with just one edit.

I am sorry for my poor English and subjective assertion. There might be a better way or a better explanation. If you find anything wrong with what I said, please let me know. Thanks.

OK, I haven't yet upgraded to 1.4.16, but I compared themes.inc.php and the theme.php from several themes with the same files for 1.4.14. There are zero code differences between the two versions.

This means that you probably did not follow the installation directions correctly.

Your theme.php for the classic theme should look like this if you have the mod installed correctly:
<?php
/*************************
  Coppermine Photo Gallery
  ************************
  Copyright (c) 2003-2008 Dev Team
  v1.1 originally written by Gregory DEMAR

  This program is free software; you can redistribute it and/or modify
  it under the terms of the GNU General Public License version 3
  as published by the Free Software Foundation.
  
  ********************************************
  Coppermine version: 1.4.16
  $HeadURL: https://coppermine.svn.sourceforge.net/svnroot/coppermine/trunk/cpg1.4.x/themes/classic/theme.php $
  $Revision: 4233 $
  $Author: gaugau $
  $Date: 2008-02-02 09:23:58 +0100 (Sa, 02 Feb 2008) $
**********************************************/

// ------------------------------------------------------------------------- //
// This theme has all CORE items removed                                     //
// ------------------------------------------------------------------------- //
define('THEME_IS_XHTML10_TRANSITIONAL',1);

function theme_display_thumbnails(&$thumb_list, $nbThumb, $album_name, $aid, $cat, $page, $total_pages, $sort_options, $display_tabs, $mode = 'thumb')
{
    global $CONFIG;
    global $template_thumb_view_title_row, $template_fav_thumb_view_title_row, $lang_thumb_view, $template_tab_display, $template_thumbnail_view, $lang_album_list;

    static $header = '';
    static $thumb_cell = '';
    static $empty_cell = '';
    static $row_separator = '';
    static $footer = '';
    static $tabs = '';
    static $spacer = '';

    // Extract the template blocks only once per request
    if ($header == '') {
        $thumb_cell = template_extract_block($template_thumbnail_view, 'thumb_cell');
        $tabs = template_extract_block($template_thumbnail_view, 'tabs');
        $header = template_extract_block($template_thumbnail_view, 'header');
        $empty_cell = template_extract_block($template_thumbnail_view, 'empty_cell');
        $row_separator = template_extract_block($template_thumbnail_view, 'row_separator');
        $footer = template_extract_block($template_thumbnail_view, 'footer');
        $spacer = template_extract_block($template_thumbnail_view, 'spacer');
    }

    $cat_link = is_numeric($aid) ? '' : '&amp;cat=' . $cat;
    $uid_link = (isset($_GET['uid']) && is_numeric($_GET['uid'])) ? '&amp;uid=' . $_GET['uid'] : '';

    $theme_thumb_tab_tmpl = $template_tab_display;

    if ($mode == 'thumb') {
        $theme_thumb_tab_tmpl['left_text'] = strtr($theme_thumb_tab_tmpl['left_text'], array('{LEFT_TEXT}' => $aid == 'lastalb' ? $lang_album_list['album_on_page'] : $lang_thumb_view['pic_on_page']));
        $theme_thumb_tab_tmpl['inactive_tab'] = strtr($theme_thumb_tab_tmpl['inactive_tab'], array('{LINK}' => 'thumbnails.php?album=' . $aid . $cat_link . $uid_link . '&amp;page=%d'));
        $theme_thumb_tab_tmpl['inactive_next_tab'] = strtr($theme_thumb_tab_tmpl['inactive_next_tab'], array('{LINK}' => 'thumbnails.php?album=' . $aid . $cat_link . $uid_link . '&amp;page=%d'));
        $theme_thumb_tab_tmpl['inactive_prev_tab'] = strtr($theme_thumb_tab_tmpl['inactive_prev_tab'], array('{LINK}' => 'thumbnails.php?album=' . $aid . $cat_link . $uid_link . '&amp;page=%d'));
    } else {
        $theme_thumb_tab_tmpl['left_text'] = strtr($theme_thumb_tab_tmpl['left_text'], array('{LEFT_TEXT}' => $lang_thumb_view['user_on_page']));
        $theme_thumb_tab_tmpl['inactive_tab'] = strtr($theme_thumb_tab_tmpl['inactive_tab'], array('{LINK}' => 'index.php?cat=' . $cat . '&amp;page=%d'));
        $theme_thumb_tab_tmpl['inactive_next_tab'] = strtr($theme_thumb_tab_tmpl['inactive_next_tab'], array('{LINK}' => 'index.php?cat=' . $cat . '&amp;page=%d'));
        $theme_thumb_tab_tmpl['inactive_prev_tab'] = strtr($theme_thumb_tab_tmpl['inactive_prev_tab'], array('{LINK}' => 'index.php?cat=' . $cat . '&amp;page=%d'));
    }

    $thumbcols = $CONFIG['thumbcols'];
    $cell_width = ceil(100 / $CONFIG['thumbcols']) . '%';

    $tabs_html = $display_tabs ? create_tabs($nbThumb, $page, $total_pages, $theme_thumb_tab_tmpl) : '';

    // The sort order options are not available for meta albums
    if ($sort_options) {
        $param = array('{ALBUM_NAME}' => $album_name,
            '{AID}' => $aid,
            '{PAGE}' => $page,
            '{NAME}' => $lang_thumb_view['name'],
            '{TITLE}' => $lang_thumb_view['title'],
            '{DATE}' => $lang_thumb_view['date'],
            '{SORT_TA}' => $lang_thumb_view['sort_ta'],
            '{SORT_TD}' => $lang_thumb_view['sort_td'],
            '{SORT_NA}' => $lang_thumb_view['sort_na'],
            '{SORT_ND}' => $lang_thumb_view['sort_nd'],
            '{SORT_DA}' => $lang_thumb_view['sort_da'],
            '{SORT_DD}' => $lang_thumb_view['sort_dd'],
            '{POSITION}' => $lang_thumb_view['position'],
            '{SORT_PA}' => $lang_thumb_view['sort_pa'],
            '{SORT_PD}' => $lang_thumb_view['sort_pd'],
            );
        // MOD - begin
        // Append the "Download Album" link (handled by zip.php) to the album title
        $param['{ALBUM_NAME}'] .= '&nbsp;<a href="zip.php?aid=' . $aid . '" title="Download album as *zip archive">[ Download Album ]</a>';
        // MOD - end
        $title = template_eval($template_thumb_view_title_row, $param);
    } else if ($aid == 'favpics' && $CONFIG['enable_zipdownload'] == 1) { //Lots of stuff can be added here later
        $param = array('{ALBUM_NAME}' => $album_name,
                       '{DOWNLOAD_ZIP}' => $lang_thumb_view['download_zip']
                      );
        $title = template_eval($template_fav_thumb_view_title_row, $param);
    } else {
        $title = $album_name;
    }

    if ($mode == 'thumb') {
        starttable('100%', $title, $thumbcols);
    } else {
        starttable('100%');
    }

    echo $header;

    $i = 0;
    foreach ($thumb_list as $thumb) {
        $i++;
        if ($mode == 'thumb') {
            if ($aid == 'lastalb') {
                $params = array('{CELL_WIDTH}' => $cell_width,
                    '{LINK_TGT}' => "thumbnails.php?album={$thumb['aid']}",
                    '{THUMB}' => $thumb['image'],
                    '{CAPTION}' => $thumb['caption'],
                    '{ADMIN_MENU}' => $thumb['admin_menu']
                    );
            } else {
                $params = array('{CELL_WIDTH}' => $cell_width,
                    '{LINK_TGT}' => "displayimage.php?album=$aid$cat_link&amp;pos={$thumb['pos']}$uid_link",
                    '{THUMB}' => $thumb['image'],
                    '{CAPTION}' => $thumb['caption'],
                    '{ADMIN_MENU}' => $thumb['admin_menu']
                    );
            }
        } else {
            $params = array('{CELL_WIDTH}' => $cell_width,
                '{LINK_TGT}' => "index.php?cat={$thumb['cat']}",
                '{THUMB}' => $thumb['image'],
                '{CAPTION}' => $thumb['caption'],
                '{ADMIN_MENU}' => ''
                );
        }
        echo template_eval($thumb_cell, $params);

        // Start a new row after every $thumbcols cells, except after the last one
        if ((($i % $thumbcols) == 0) && ($i < count($thumb_list))) {
            echo $row_separator;
        }
    }
    // Pad the final row with empty cells
    for (; ($i % $thumbcols); $i++) {
        echo $empty_cell;
    }
    echo $footer;

    if ($display_tabs) {
        $params = array('{THUMB_COLS}' => $thumbcols,
            '{TABS}' => $tabs_html
            );
        echo template_eval($tabs, $params);
    }

    endtable();
    echo $spacer;
}

?>

I will install 1.4.16 in my sandbox to make sure, but I am 100% certain that there have been no changes to the way themes work from 1.4.14 to 1.4.16.
I have installed 1.4.16 and have confirmed that no changes have been made to the way themes work since 1.4.14. You can in fact skip uploading the new themes folder and leave your already modified theme/themes in place if you absolutely cannot take the time to cut and paste the mod into the new files. But I do not recommend that. You should always keep all files that are included in the archive updated to the newest version.

themes.inc.php is the DEFAULT code for all themes and should NEVER be edited or changed. Changes made in the theme.php of your selected theme OVERRIDE what is in themes.inc.php. So only code which is DIFFERENT from the default needs to be in the theme.php. That is why you do the modifications in that file and NOT themes.inc.php.

Regards

erostew

Ok so I updated my CPG from 1.4.14 to 1.4.16 and have confirmed that the mod still works. While I was at it I took the time to try the mod with CPG 1.5 and have found that it works just fine. My installed 1.5 is not the latest build but, if no big changes are made in the theming between now and the release of 1.5, you should be able to use the mod well into the future.

Now I just have to find the time to study how plugins work in CPG.

Joachim Müller

Good and thorough approach, you're doing a fine job making sure that your mod works as expected on all coppermine versions. Keep up the good work.

williamgates


Thank you very much for checking that, I will check my CPG again.
You did a very good job, thanks. :)

erostew

Quote from: Joachim Müller on February 10, 2008, 12:27:49 AM
Good and thorough approach, you're doing a fine job making sure that your mod works as expected on all coppermine versions. Keep up the good work.
Thanks for the encouragement.


erostew

Quote from: williamgates on February 10, 2008, 05:23:02 AM
Thank you very much for checking that, I will check my CPG again.
You did a very good job, thanks. :)
No problem.

opulence

Small request: any way to have this feature enabled/disabled by group?

I allow all users, registered and guests, to view the albums on the site, but restrict full-size and intermediate access to pictures from guests; only registered users can view them.

Unfortunately though, in its current state, this mod will allow unregistered users to download zips of albums.

erostew

Quote from: opulence on March 21, 2008, 11:27:21 PM
Small request: any way to have this feature enabled/disabled by group?

I allow all users, registered and guests, to view the albums on the site, but restrict full-size and intermediate access to pictures from guests; only registered users can view them.

Unfortunately though, in its current state, this mod will allow unregistered users to download zips of albums.
Read http://forum.coppermine-gallery.net/index.php/topic,47820.msg228822.html#msg228822 for info about user groups. It's the 3rd post in this thread.
Download enabling is done on a per album basis depending on group settings of the album. It doesn't work on a per user basis. If you want it to be based on the user rather than the album I'm afraid you will need to do that yourself.

Regards

opulence

Quote from: erostew on March 22, 2008, 12:37:27 AM
Read http://forum.coppermine-gallery.net/index.php/topic,47820.msg228822.html#msg228822 for info about user groups. It's the 3rd post in this thread.
Download enabling is done on a per album basis depending on group settings of the album. It doesn't work on a per user basis. If you want it to be based on the user rather than the album I'm afraid you will need to do that yourself.

Regards

I didn't think that would work, but I tried it anyway (it didn't work; it gave me the message "You don't have permission to do that!" as admin, as registered user, and as guest).

I'm not sure if you understood my request and the settings on my site.

I allow ALL users to 'view' an album, and only restrict access to intermediate, and full-size pictures, with use of another mod/plugin.

So instead of using the privileges based off of albums (which are open to anyone) I need to set separate permissions for the zip download links themselves. But okay, I'll try to figure out something myself.

erostew

#35
Quote from: opulence on March 22, 2008, 04:53:25 PM
I didn't think that would work, but I tried it anyway (it didn't work; it gave me the message "You don't have permission to do that!" as admin, as registered user, and as guest).

I'm not sure if you understood my request and the settings on my site.

I allow ALL users to 'view' an album, and only restrict access to intermediate, and full-size pictures, with use of another mod/plugin.

So instead of using the privileges based off of albums (which are open to anyone) I need to set separate permissions for the zip download links themselves. But okay, I'll try to figure out something myself.

I understood your request. It just isn't possible for me to fulfill it at this time. This is a quick mod, not a plugin. Checking the level of an album is quick and fairly easy. Checking if a user is logged in and what group he belongs to and then checking an album to see if it belongs to the appropriate group is much more complicated. I simply don't have time to do it right now. Which is why I said you would need to do it yourself.

If you had read the very first post completely you would have seen:
Quote
The best way to handle security would be to check if the user was logged in and then check to see if he or his user group was allowed access to the album. However that is a lot more complex and not really something suitable for a quick hack/mod.

Also Sabbia made the same request as you and I replied:
Quote
Read post 3 in this thread for some hints on modifying the user groups that can access the zip function. If I ever get the time to turn the mod into a plugin I will probably add the functionality you request. But it probably won't be anytime soon I'm afraid. I don't have that much free time to work on it. And I still have to learn a lot about coppermine and plugins before attempting it.

The modification suggested for registered user albums only will work. However you need to be using a suitable permission level for it to work with your albums. If you allow everyone to VIEW an album then your albums will obviously have a permission of "0". So changing the code to work with albums set to "2" (registered users only) will not work for you. As I said in my first reply to you:
Quote
Download enabling is done on a per album basis depending on group settings of the album. It doesn't work on a per user basis.
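Two points from this thread are worth seeing in code: Nibbler's note that the zip script's check only worked with register_globals on (the album id must be read explicitly from the request), and erostew's explanation that access is decided per album by its visibility level ("0" for everyone, "2" for registered users only). The script below is an added illustration, not the mod's zip.php or Coppermine code; the album array layout, the zip_enabled flag, the user record and the group-id convention for other visibility values are all assumptions.

```php
<?php
// Added example, not the mod's zip.php: an access gate for an
// "album as zip" endpoint that works with register_globals off.
// Assumed (hypothetical) data model: an album row carries 'visibility'
// (0 = everyone, 2 = registered users, other = a specific group id)
// and 'zip_enabled'; a user record carries 'logged_in' and 'groups'.
declare(strict_types=1);

const VIS_EVERYONE   = 0;
const VIS_REGISTERED = 2;

// With register_globals off, $aid is never populated automatically.
// Read it from $_GET explicitly and accept only a positive integer,
// because the value ends up in a database lookup.
function requested_album_id(array $get): ?int
{
    if (!isset($get['aid']) || !ctype_digit((string) $get['aid'])) {
        return null;                       // missing or not a plain integer
    }
    $aid = (int) $get['aid'];
    return $aid > 0 ? $aid : null;
}

// Per-album decision, as the thread describes: the album's visibility
// level decides, after the user's login state and groups are known.
function zip_download_allowed(array $album, array $user): bool
{
    if (empty($album['zip_enabled'])) {
        return false;                      // feature switched off for this album
    }
    $vis = (int) $album['visibility'];
    if ($vis === VIS_EVERYONE) {
        return true;                       // the "0" case: guests included
    }
    if (!$user['logged_in']) {
        return false;                      // everything else needs a login
    }
    if ($vis === VIS_REGISTERED) {
        return true;                       // the "2" case: any registered user
    }
    return in_array($vis, $user['groups'], true);   // specific group only
}

// Constructed sample data so the script runs stand-alone.
$albums = [
    7  => ['visibility' => VIS_EVERYONE,   'zip_enabled' => true],
    9  => ['visibility' => VIS_REGISTERED, 'zip_enabled' => true],
    11 => ['visibility' => 5,              'zip_enabled' => true],   // group 5 only
];
$guest  = ['logged_in' => false, 'groups' => [3]];
$member = ['logged_in' => true,  'groups' => [2, 5]];

foreach ([['aid' => '7'], ['aid' => '9'], ['aid' => '9abc'], ['aid' => '11']] as $get) {
    $aid = requested_album_id($get);
    if ($aid === null || !isset($albums[$aid])) {
        echo "aid={$get['aid']}: rejected (invalid or unknown album)\n";
        continue;
    }
    foreach (['guest' => $guest, 'member' => $member] as $who => $user) {
        $verdict = zip_download_allowed($albums[$aid], $user) ? 'allowed' : 'denied';
        echo "aid=$aid as $who: $verdict\n";
    }
}
```

Run with `php` from the command line; album 7 is allowed for both users, album 9 only for the member, the malformed id is rejected before any lookup, and album 11 is allowed only because the member belongs to group 5.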

webmonarch

This is probably one of the stupidest questions ever, but after implementing this and attempting to click on the "Download Album" link, I'm getting a 404 error. All files are present and accounted for as far as I can tell. I'm not a total noob, but I honestly can't see how I'd be getting 404 errors as opposed to some other type of errors. Any guidance much appreciated.

Nibbler

Did you upload zip.php? Post a link to your gallery.

erostew

Quote from: webmonarch on June 19, 2008, 02:35:35 AM
This is probably one of the stupidest questions ever, but after implementing this and attempting to click on the "Download Album" link, I'm getting a 404 error. All files are present and accounted for as far as I can tell. I'm not a total noob, but I honestly can't see how I'd be getting 404 errors as opposed to some other type of errors. Any guidance much appreciated.
If your webserver is configured normally (showing the proper error number) the only explanation is that zip.php is in the wrong place or not uploaded. Any other problem would generate a php error, not a 404.

Make sure that zip.php is in the root directory of coppermine, not the root directory of your site.

wperry1

Thanks a million!  This is exactly what I was looking for.

WP