Extended Signature Limits (https://vborg.vbsupport.ru/showthread.php?t=95523)

Andreas 12-14-2005 06:04 PM

Such a phrase is not being used by this Hack.

gonkowonko 12-14-2005 06:11 PM

Done now, had a duplicate phrase called the same thing.

monktbd 12-15-2005 06:38 AM

Checking the image size for attachment from the 3.5.2 still doesn't work on the beta site.
See also: this post and this.


getimagesize() fails for attachments.
It doesn't return anything (or, more specifically, it won't pass the ($imginfo = getimagesize($sig)) if condition).
It doesn't fail for attachments of the live site though (used on the beta site).
Parsing of the URLs is fine, so $sig contains the correct URL for the images/attachments.

Both sites are on the same server, on different subdomains.
Has anyone any clues whether this can be a vbulletin issue (wrong settings somewhere) or a server setup problem?

EasyTarget 12-15-2005 03:27 PM

Sounds like you're in my boat: your host turns off the allow_url_fopen function for security reasons and supports cURL instead.

vBulletin has said they plan on integrating cURL in the future and Andreas has said this issue doesn't affect him so he doesn't plan on supporting cURL.

Here's a message about it from my webhost. (dreamhost)
Quote:

If you are currently using this (allow_url_fopen) functionality in your PHP code, there is a more powerful and flexible option available. PHP provides excellent support for curl library and its associated functions.

One of our own users has written a short article describing how it is used and that can be found here:
http://blog.unitedheroes.net/archives/p/1630/

The official PHP documentation for it is here:
http://us2.php.net/manual/en/ref.curl.php

This change will significantly improve the security of PHP-based applications running on our servers

mkdevo 12-16-2005 11:11 PM

so does this not work with existing sigs, only when modifying?

Andreas 12-16-2005 11:42 PM

Quote:

This change will significantly improve the security of PHP-based applications running on our servers

That's nonsense ;)
Future PHP versions will not support the current behaviour of allow_url_fopen due to its misunderstanding by most webhosts.

EasyTarget 12-17-2005 03:37 AM

Well, the blog provided some good examples of how it's a security risk, and how cURL has some better functions.

Here's the last post:
Quote:

You're quite right that (used properly) fopen isn't a security risk. It simply takes data and puts controls on it to allow you to perform various stream related functions, no execution required.

Where it gets complicated is not with the individual fopen call, but the method that PHP uses to implement that function. Internally PHP has some very clever routines that treat any data stream the same way. The problem is that in order to do this, all streams have to behave in the same way. This means that any stream based function has to behave according to that model.

Where this gets really ugly is the fact that internally, the operations to read a data stream for include() are fundamentally the same as the operations for reading a data stream for fopen(). One is benign, the other decidedly not.

The simplest, fastest, and most effective fix is to disallow URLs from behaving like streams. While this does inconvenience clueful people who wish to use fopen() functions for urls, it also means that Joe Notanerd won't accidentally become a proxy for a cross site scripting attack because he never secured his fpassthru() calls.

The curl functions are there pretty much to isolate the web stream functions from normal file operations, plus, they've got a number of features that make them more appealing than standard file operations, and that's to be expected. The mediums are not the same.
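
As an added example (not part of the original thread or of the hack's code): one way to check a remote signature image's dimensions with cURL when allow_url_fopen is disabled, keeping the web fetch separate from PHP's file and stream functions as the quoted posts describe. The function name fetch_remote_image_size and the size and timeout limits are assumptions; getimagesizefromstring() requires PHP 5.4 or later.

```php
<?php
// Added example: hypothetical helper, not part of the Extended Signature Limits hack.
// Fetches a remote signature image with cURL (works with allow_url_fopen = Off)
// and returns array(width, height), or null if it cannot be fetched or parsed.
function fetch_remote_image_size($url, $maxBytes = 262144)
{
    // Accept only plain http(s) URLs; the string is never given to a stream wrapper.
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if ($scheme !== 'http' && $scheme !== 'https') {
        return null;
    }

    $body = '';
    $ch = curl_init($url);
    curl_setopt_array($ch, array(
        // Second line of defence: cURL itself refuses file://, ftp://, etc.
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_FOLLOWLOCATION => false,  // a redirect is treated as a failure
        CURLOPT_CONNECTTIMEOUT => 5,      // assumed limits, tune per site
        CURLOPT_TIMEOUT        => 10,
        CURLOPT_FAILONERROR    => true,   // HTTP >= 400 makes curl_exec() fail
        // Collect the body ourselves so an oversized response can be aborted:
        // returning a value other than the chunk length stops the transfer.
        CURLOPT_WRITEFUNCTION  => function ($ch, $chunk) use (&$body, $maxBytes) {
            $body .= $chunk;
            return strlen($body) > $maxBytes ? 0 : strlen($chunk);
        },
    ));
    $ok     = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);

    if ($ok === false || $status !== 200 || $body === '') {
        return null;
    }

    // Parse the downloaded bytes in memory; no URL ever reaches getimagesize().
    $info = @getimagesizefromstring($body);
    if ($info === false) {
        return null;
    }
    return array($info[0], $info[1]);
}
```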

monktbd 12-17-2005 04:06 AM

Quote:

Originally Posted by EasyTarget
Sounds like you're in my boat: your host turns off the allow_url_fopen function for security reasons and supports cURL instead.

vBulletin has said they plan on integrating cURL in the future and Andreas has said this issue doesn't affect him so he doesn't plan on supporting cURL.

Here's a message about it from my webhost. (dreamhost)

Thanks, but that is not the problem.

allow_url_fopen is turned on, since it works with checking attachments from a VB 3.0.x install (= the current live site) but not for checking attachments for the 3.5.2 install where the sig image limiter is running on (= the current beta site).
Both installs use the same server on different subdomains.
Unless there is a switch/option somewhere in Apache/PHP/MySql that I missed, both sites run on the same configuration.

dvn 12-18-2005 02:22 AM

I'm running 3.5.0 and am having trouble with people who were outside the limits *before* the hack was installed, in which case they aren't able to edit their signatures in such a way to be within the limits. My font limit is 14, they've got 16 in their sig, they aren't allowed to change the font size, instead getting a message 'your font is too large'.

Is the hack incompatible with 3.5.0?

PennylessZ28 12-22-2005 04:56 PM

bitfield.xml doesn't work

