From 1dd0dfc5911444522ac38f74bfc919fa3b5efba8 Mon Sep 17 00:00:00 2001
From: im-mi
Date: Sat, 24 Sep 2016 14:03:14 -0400
Subject: [PATCH 1/5] Read ICO header with proper sign

Fixes width/height being read incorrectly when >= 128
---
 ext/handle_ico/main.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/ext/handle_ico/main.php b/ext/handle_ico/main.php
index 4e53c249..b615a59d 100644
--- a/ext/handle_ico/main.php
+++ b/ext/handle_ico/main.php
@@ -67,9 +67,9 @@ class IcoFileHandler extends Extension {
 $image = new Image();
 $fp = fopen($filename, "r");
- $header = unpack("snull/stype/scount", fread($fp, 6));
+ $header = unpack("Snull/Stype/Scount", fread($fp, 6));
- $subheader = unpack("cwidth/cheight/ccolours/cnull/splanes/sbpp/lsize/loffset", fread($fp, 16));
+ $subheader = unpack("Cwidth/Cheight/Ccolours/Cnull/Splanes/Sbpp/Lsize/loffset", fread($fp, 16));
 fclose($fp);
 $width = $subheader['width'];
@@ -94,7 +94,7 @@ class IcoFileHandler extends Extension {
 private function check_contents($file) {
 if(!file_exists($file)) return false;
 $fp = fopen($file, "r");
- $header = unpack("snull/stype/scount", fread($fp, 6));
+ $header = unpack("Snull/Stype/Scount", fread($fp, 6));
 fclose($fp);
 return ($header['null'] == 0 && ($header['type'] == 0 || $header['type'] == 1));
 }

From 05da5d0b4f14e45b0f19165483f4d2014dcdcaca Mon Sep 17 00:00:00 2001
From: im-mi
Date: Sun, 25 Sep 2016 15:25:12 -0400
Subject: [PATCH 2/5] Use Image->get_image_link() on ICO files

---
 ext/handle_ico/theme.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ext/handle_ico/theme.php b/ext/handle_ico/theme.php
index aa092709..9f68cc53 100644
--- a/ext/handle_ico/theme.php
+++ b/ext/handle_ico/theme.php
@@ -2,7 +2,7 @@ class IcoFileHandlerTheme extends Themelet {
 public function display_image(Page $page, Image $image) {
- $ilink = make_link("get_ico/{$image->id}/{$image->id}.ico");
+ $ilink = $image->get_image_link();
 $html = " ";
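Review bot: The rewritten `+ $subheader` line still reads the directory entry's `offset` with the signed code `l` while `size` on the same line was switched to unsigned `L`; both are 32-bit unsigned fields in an ICO directory entry, so the format should end `Lsize/Loffset`. The two `fread` results are also passed to `unpack` unchecked, so a file shorter than the 22 bytes read here makes `unpack` warn and return false, and `$width = $subheader['width']` on the last line quietly becomes null. As far as I know a stored width or height byte of 0 denotes 256 in this format, which the assignment on the last line does not translate — worth confirming against the format reference. The enclosing method starts before the hunk and continues after it.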
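Review bot: `check_contents` still accepts an empty or truncated file: when `fread($fp, 6)` returns fewer than 6 bytes, `unpack` warns and returns false, on PHP 7 indexing false yields null, and `null == 0` on the return line is true for both the `null` and `type` checks. Read the bytes into a variable and bail out before unpacking: `$data = fread($fp, 6); if ($data === false || strlen($data) < 6) { fclose($fp); return false; }`, and treat a false `fopen` the same way. Since `unpack` yields ints, the comparisons on the return line can be `===`, which would have made the null case fail closed.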
From d4fda00dd993bbc71b9db73139d66916da68b2fe Mon Sep 17 00:00:00 2001
From: im-mi
Date: Sun, 25 Sep 2016 14:24:20 -0400
Subject: [PATCH 3/5] Check for existence of POST var tag_edit__owner before using it

---
 ext/tag_edit/main.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ext/tag_edit/main.php b/ext/tag_edit/main.php
index 508e18dc..2f270fd0 100644
--- a/ext/tag_edit/main.php
+++ b/ext/tag_edit/main.php
@@ -214,7 +214,7 @@ class TagEdit extends Extension {
 public function onImageInfoSet(ImageInfoSetEvent $event) {
 global $user;
- if($user->can("edit_image_owner")) {
+ if($user->can("edit_image_owner") && isset($_POST['tag_edit__owner'])) {
 $owner = User::by_name($_POST['tag_edit__owner']);
 if ($owner instanceof User) {
 send_event(new OwnerSetEvent($event->image, $owner));

From e6dd1b492cba7a33b20e402e5889d7f4ae483897 Mon Sep 17 00:00:00 2001
From: im-mi
Date: Sun, 25 Sep 2016 15:17:29 -0400
Subject: [PATCH 4/5] Sanitize ratings

---
 ext/rating/main.php | 21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)

diff --git a/ext/rating/main.php b/ext/rating/main.php
index 22b331d8..17fa8b0d 100644
--- a/ext/rating/main.php
+++ b/ext/rating/main.php
@@ -110,7 +110,10 @@ class Ratings extends Extension {
 public function onImageInfoSet(ImageInfoSetEvent $event) {
 if($this->can_rate() && isset($_POST["rating"])) {
- send_event(new RatingSetEvent($event->image, $_POST['rating']));
+ $rating = $_POST["rating"];
+ if (Ratings::rating_is_valid($rating)) {
+ send_event(new RatingSetEvent($event->image, $rating));
+ }
 }
 }
@@ -211,6 +214,22 @@ class Ratings extends Extension {
 }
 }
+ /**
+ * @param string $rating
+ * @return bool
+ */
+ public static function rating_is_valid(/*string*/ $rating) {
+ switch($rating) {
+ case "s":
+ case "q":
+ case "e":
+ case "u":
+ return true;
+ default:
+ return false;
+ }
+ }
+
 /**
 * FIXME: this is a bit ugly and guessey, should have proper options
 *
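Review bot: `rating_is_valid` in the second ratings hunk checks the raw `$_POST["rating"]` value with `switch`, which compares loosely and carries no type check: the docblock promises a string, but an array submitted as `rating[]` is accepted by the untyped signature and only rejected by falling through to `default`. A strict membership test states the intent in one line and rejects non-strings up front: `return is_string($rating) && in_array($rating, ["s", "q", "e", "u"], true);`. If the extension already keeps its list of rating codes elsewhere, this literal set should be derived from it rather than duplicated; that is not visible in the hunk.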
From 8805f0dd182efdb107b1e717a03cb6d2dc04d598 Mon Sep 17 00:00:00 2001
From: im-mi
Date: Mon, 26 Sep 2016 11:15:08 -0400
Subject: [PATCH 5/5] Remove get_ico page

It's no longer needed because ICO now uses Image->get_image_link()
---
 .htaccess | 1 +
 ext/handle_ico/main.php | 14 --------------
 ext/handle_ico/test.php | 1 -
 3 files changed, 1 insertion(+), 15 deletions(-)

diff --git a/.htaccess b/.htaccess
index 8e33b6f3..30a33a42 100644
--- a/.htaccess
+++ b/.htaccess
@@ -53,6 +53,7 @@ AddType audio/ogg oga ogg opus
 AddType image/jpeg jpg jpeg
 AddType image/bmp bmp
 AddType image/svg+xml svg svgz
+AddType image/x-icon ico ani cur
 AddType image/webp webp
 AddType video/mp4 f4v f4p m4v mp4
 AddType video/ogg ogv
diff --git a/ext/handle_ico/main.php b/ext/handle_ico/main.php
index b615a59d..beda9596 100644
--- a/ext/handle_ico/main.php
+++ b/ext/handle_ico/main.php
@@ -35,20 +35,6 @@ class IcoFileHandler extends Extension {
 }
 }
- public function onPageRequest(PageRequestEvent $event) {
- global $page;
- if($event->page_matches("get_ico")) {
- $id = int_escape($event->get_arg(0));
- $image = Image::by_id($id);
- $hash = $image->hash;
- $ha = substr($hash, 0, 2);
-
- $page->set_type("image/x-icon");
- $page->set_mode("data");
- $page->set_data(file_get_contents("images/$ha/$hash"));
- }
- }
- /**
- * @param string $ext
- * @return bool
diff --git a/ext/handle_ico/test.php b/ext/handle_ico/test.php
index b019eed0..fa130100 100644
--- a/ext/handle_ico/test.php
+++ b/ext/handle_ico/test.php
@@ -4,7 +4,6 @@ class IcoHandlerTest extends ShimmiePHPUnitTestCase {
 $this->log_in_as_user();
 $image_id = $this->post_image("lib/static/favicon.ico", "shimmie favicon");
 $this->get_page("post/view/$image_id"); // test for no crash
- $this->get_page("get_ico/$image_id"); // test for no crash
 # FIXME: test that the thumb works
 # FIXME: test that it gets displayed properly
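Review bot: With the `get_ico` handler removed in the same patch, ICO files are now served straight from the image directory, so the content type they arrive with depends entirely on this `AddType` line being honoured; deployments that do not process `.htaccess` (nginx, or Apache with `AllowOverride None`) will send the file with whatever default type applies, and that requirement is not recorded anywhere. A short comment above the added line would keep the next reader from pruning it: `# .ico is served directly (get_ico page removed); mirror this in any non-Apache server config`. The line also maps `ani` and `cur` to `image/x-icon` although the patch only concerns `.ico` — fine if intentional, but worth a word in the commit message.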