Camber
New Member
Joined: Apr 02, 2006
Posts: 13
Posted: Wed Jul 26, 2006 12:14 pm
I am not certain where to post this.
I have a photo gallery on my website that allows users to upload their own images. I think either the sentinel or the chatserv patches comment out apostrophes in the filenames. When a user uploads a file such as Tom'sFamily.jpg the file ends up looking like Tom/'sFamily.jpg, which then appears to be a directory with a filename.
Is there a way to filter punctuation in file uploads differently, or a way to return an error to a user trying to upload an image with punctuation?
Thank you for any help or advice anyone may have in dealing with this.
hitwalker
Sells PC To Pay For Divorce
Posts: 5661
Posted: Wed Jul 26, 2006 2:34 pm
No, not really, but every situation is different, and that also goes for photo albums..
Maybe a simple stripslashes would do the trick, but magic-quotes can also be causing this..
fkelly
Former Moderator in Good Standing
Joined: Aug 30, 2005
Posts: 3312
Location: near Albany NY
Posted: Wed Jul 26, 2006 3:23 pm
I haven't tested this, but wouldn't the PHP function stripslashes work to remove the slash for presentation of the file name to a user or in a listing? Then just use the addslashes function to compare to the "real" file name?
gregexp
The Mouse Is Extension Of Arm
Joined: Feb 21, 2006
Posts: 1497
Location: In front of a screen....HELP! lol
Posted: Wed Jul 26, 2006 4:28 pm
Weird thing is, I have seen this on more than one occasion, but most of the time PHP adds a \ and not a /.
I also think addslashes does this as well.
_________________
For those who stand shall NEVER fall and those who fall shall RISE once more!!
fkelly
Posted: Wed Jul 26, 2006 5:34 pm
Yeah, I suppose you are right, Darklord. I guess it would be helpful to know what Photo Gallery software this is. I am using Gallery 2.x and have over 1000 images and haven't experienced this problem. (2.x is shorthand for "I don't remember the exact release level".)
hitwalker
Posted: Wed Jul 26, 2006 5:45 pm
Well, I never had such problems, nor will I ever have them.
Two times I saw this at other people's websites, and both times it was the magic-quotes, but I'll guess we know more until Camber comes online and replies...
Camber
Posted: Wed Jul 26, 2006 7:34 pm
Thank you for the posts.
I am using phpnuke 7.9 and the photo gallery is version 1.0 written by Francisco Burzi. Testing this on an unpatched, unsecured install of nuke does not seem to have this issue.
I also have a video gallery on my website, and after a quick test it does the exact same thing when uploading a file with an apostrophe in it. I know this is a comment string to block SQL injections, but there must be some way to filter or block a file name from being entered for upload before this forward slash can be introduced.
I would really appreciate any help or insight anyone could provide. I would not say I am a total newbie, but far from accomplished.
hitwalker
Posted: Thu Jul 27, 2006 7:13 am
Ah... FB's gallery.
That explains a few...
But it clearly says...
Quote: HTML code is NOT allowed here and will be automaticaly removed
and FB uses the function filter.
Code:
    function filter($what, $strip="", $save="", $type="") {
        if ($strip == "nohtml") {
            $what = check_html($what, $strip);
            $what = htmlentities(trim($what), ENT_QUOTES);
            // If the variable $what doesn't come from a preview screen it should be converted back
            if ($type != "preview" AND $save != 1) {
                $what = html_entity_decode($what, ENT_QUOTES);
            }
        }
        if ($save == 1) {
            // Saving to the database: censor words, strip HTML, then escape quotes with addslashes
            $what = check_words($what);
            $what = check_html($what, $strip);
            $what = addslashes($what);
        } else {
            // Displaying: undo the escaping first, then censor and strip HTML
            $what = stripslashes(FixQuotes($what));
            $what = check_words($what);
            $what = check_html($what, $strip);
        }
        return($what);
    }
So in theory... if you take out the filter functions in the photo album index.php it should allow the upload and use of images such as Tom'sFamily.jpg.
Upload part...
Code:
    if (isset($upload)) {
        $row = $db->sql_fetchrow($db->sql_query("SELECT * FROM ".$prefix."_gallery_config WHERE id='1'"));
        // Private galleries: only admins may upload
        if ($row['gallery_type'] == "private" AND !is_admin($admin)) {
            $title = _UPLOADERROR;
            $content = "<br><center>"._NOTADMINUPLOAD."</center>";
            include("header.php");
            title("$sitename: "._PHOTOGALLERY."");
            OpenTable();
            content($title, $content);
            CloseTable();
            include("footer.php");
            die();
        }
        // Title and description go through filter() with $save=1, i.e. addslashes() before the DB
        $title = filter($title, "nohtml", 1);
        $up_des = filter($description, "nohtml", 1);
        if (!is_user($user)){
            $title = _UPLOADERROR;
            $content = "<br><center>"._NOTREGUSERUPLOAD."</center>";
            // ... (quote truncated in the original post)
Camber
Posted: Thu Jul 27, 2006 10:30 am
Hitwalker,
Thank you for the insightful and helpful reply! I understand why FB uses the filter function and I would prefer to keep it in the photo gallery. Do you think there is a way to strip out the apostrophes or other punctuation before it hits the filter?
I will test out the filter removal suggestion on my beta site in a bit and let you know if that works in the interim. I just do not want to leave the HTML gap in the photo gallery or the video gallery.
Thank you again for helping me with this.
hitwalker
Posted: Thu Jul 27, 2006 11:13 am
Well, I have no idea what the results in the security would be if you edit it...
You can try to strip out the function in the album index.php; I think it's called 4 or 5 times...
Camber
Posted: Thu Jul 27, 2006 5:42 pm
Again, thank you for your suggestions, Hitwalker.
I ran a few experiments and I am concerned that disabling the stripping out of the apostrophes would not be a wise idea. I think what I need to do is find a way to filter the file name before it gets put into the DB and just have an error for the user saying that the file name contains punctuation that cannot be uploaded. Let the user alter the file name to fit the requirement.
That seems like a bit of a modification and I am not certain where to turn for a solution; do you have any ideas or recommendations?
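Camber's goal in the post above (reject a file name with disallowed punctuation before it reaches filter()/addslashes() and the database, and tell the user why) as an added example; this is not code from the thread or from FB's gallery, the function names validate_upload_name() and unescape_gpc() are my own, and the extension allow-list and 64-character limit are assumptions:

```php
<?php
// Added example, not PHP-Nuke's or the gallery's code. Checks an uploaded file
// name before it is stored, so "Tom'sFamily.jpg" is rejected with a clear
// message instead of being mangled into Tom/'sFamily.jpg by later escaping.

// If magic_quotes_gpc is on (old PHP), a submitted "Tom's" has already become
// "Tom\'s"; undo that so the real characters are judged. On current PHP the
// function does not exist and this is a no-op.
function unescape_gpc($value) {
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

// Returns null when $name is acceptable, otherwise an error message for the
// user. Policy (assumed): base name only, letters/digits/_/- plus one
// extension from the allow-list, at most 64 characters.
function validate_upload_name($name, array $allowed_ext = array('jpg', 'jpeg', 'gif', 'png')) {
    $name = unescape_gpc($name);
    // Some browsers send a full client path; keep only the last component,
    // which also drops any ../ a crafted request might carry.
    $base = basename(str_replace('\\', '/', $name));
    if ($base === '' || $base === '.' || $base === '..') {
        return 'No file name given.';
    }
    if (strlen($base) > 64) {
        return 'File name is too long (64 characters maximum).';
    }
    if (!preg_match('/^[A-Za-z0-9_-]+\.[A-Za-z0-9]+$/', $base)) {
        return "File name '$base' contains punctuation or spaces that are not allowed; "
             . 'use only letters, digits, underscores and dashes, e.g. TomsFamily.jpg.';
    }
    $ext = strtolower(substr(strrchr($base, '.'), 1));
    if (!in_array($ext, $allowed_ext, true)) {
        return "File type .$ext is not allowed.";
    }
    return null;
}

// Constructed sample names; in the upload handler the check runs before
// filter() is called on the title/description and before the DB insert.
$samples = array("Tom'sFamily.jpg", '../../config.php', 'Tom_sFamily.JPG', 'shell.php');
foreach ($samples as $s) {
    $err = validate_upload_name($s);
    // htmlspecialchars() because the message is echoed into an HTML page
    echo htmlspecialchars($s . ' => ' . ($err === null ? 'OK' : $err), ENT_QUOTES) . "\n";
}
```

The user then renames the file locally and retries, which keeps FB's filter() and its addslashes() behaviour untouched for everything that does reach the database.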
hitwalker
Posted: Thu Jul 27, 2006 6:06 pm
Well, I just had a look and doubt if it's even possible... or that simple...
Don't forget that most photo albums will reject images with names such as tom'sdinner.jpg.
You should consider accepting it as it is, as that is safer... and put a nice notice/warning to only upload images with a normal name..
But someone might see an opening to code around it, so you could put this in the hiring forum stuff...
But like I said... I recommend leaving it as it is..