Bug #24140 » 16485_43_v2.patch

Administrator Admin, 2010-12-10 00:33


typo3/sysext/cms/tslib/class.tslib_content.php (Arbeitskopie)
// imageFileLink:
if ($content==$string && @is_file($imageFile)) {
$params = '';
if ($conf['width']) {$params.='&width='.rawurlencode($conf['width']);}
if ($conf['height']) {$params.='&height='.rawurlencode($conf['height']);}
if ($conf['effects']) {$params.='&effects='.rawurlencode($conf['effects']);}
if ($conf['sample']) {$params.='&sample=1';}
if ($conf['alternativeTempPath']) {$params.='&alternativeTempPath='.rawurlencode($conf['alternativeTempPath']);}
$parameterNames = array('width', 'height', 'effects', 'alternativeTempPath', 'bodyTag', 'title', 'wrap');
$parameters = array();
// includes lines above in cache
$showPicContent = '
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
if (isset($conf['sample']) && $conf['sample']) {
$parameters['sample'] = 1;
}
<html>
<head>
<title>' . htmlspecialchars($conf['title'] ? $conf['title'] : 'Image') . '</title>
' . ($conf['title'] ? '' : '<meta name="robots" content="noindex,follow" />') . '
</head>
' . ($conf['bodyTag'] ? $conf['bodyTag'] : '<body>');
foreach ($parameterNames as $parameterName) {
if (isset($conf[$parameterName]) && $conf[$parameterName]) {
$parameters[$parameterName] = $conf[$parameterName];
}
}
$wrapParts = explode('|', $conf['wrap']);
$showPicContent .= trim($wrapParts[0]) . '###IMAGE###' . trim($wrapParts[1]);
$showPicContent .= '
</body>
</html>';
$contentHash = md5('showpic' . $showPicContent);
t3lib_pageSelect::storeHash($contentHash, $showPicContent, 'showpic');
$parametersEncoded = base64_encode(serialize($parameters));
$md5_value = md5(
$imageFile . '|' .
$conf['width'] . '|' .
$conf['height'] . '|' .
$conf['effects'] . '||||' .
$GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey'] . '|');
implode(
'|',
array($imageFile, $parametersEncoded, $GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey'])
)
);
$params .= '&md5=' . $md5_value . '&contentHash=' . $contentHash;
$params = '&md5=' . $md5_value;
foreach (str_split($parametersEncoded, 64) as $index => $chunk) {
$params .= '&parameters[' . $index . ']=' . rawurlencode($chunk);
}
$url = $GLOBALS['TSFE']->absRefPrefix.'index.php?eID=tx_cms_showpic&file='.rawurlencode($imageFile).$params;
if ($conf['JSwindow.']['altUrl'] || $conf['JSwindow.']['altUrl.']) {
$altUrl = $this->stdWrap($conf['JSwindow.']['altUrl'], $conf['JSwindow.']['altUrl.']);
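Review bot: The link signature built in the `$md5_value = md5(implode('|', array($imageFile, $parametersEncoded, ...encryptionKey)))` lines is a plain MD5 over data with the secret appended, not a keyed MAC, and it appears to be the only thing standing between the request and the `unserialize()` call in showpic.php. A keyed construction such as `$md5_value = hash_hmac('sha1', $imageFile . '|' . $parametersEncoded, $GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey']);` would be the safer choice, and the matching check in showpic.php's init() has to change together with it. Because `serialize()` here forces `unserialize()` on the receiving side, `json_encode($parameters)` would carry the same flat array without any object deserialization. The page does not mark added and removed lines, so this assumes the `implode()` variant is the new side; the enclosing method starts and ends outside this section.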
typo3/sysext/cms/tslib/showpic.php (Arbeitskopie)
var $title;
var $wrap;
var $md5;
var $contentHash;
/**
* @var string
*/
protected $parametersEncoded;
/**
* Init function, setting the input vars in the global space.
*
* @return void
......
function init() {
// Loading internal vars with the GET/POST parameters from outside:
$this->file = t3lib_div::_GP('file');
$this->width = t3lib_div::_GP('width');
$this->height = t3lib_div::_GP('height');
$this->sample = t3lib_div::_GP('sample');
$this->alternativeTempPath = t3lib_div::_GP('alternativeTempPath');
$this->effects = t3lib_div::_GP('effects');
$this->parametersEncoded = implode(t3lib_div::_GP('parameters'));
$this->frame = t3lib_div::_GP('frame');
$this->bodyTag = t3lib_div::_GP('bodyTag');
$this->title = t3lib_div::_GP('title');
$this->wrap = t3lib_div::_GP('wrap');
$this->md5 = t3lib_div::_GP('md5');
$this->contentHash = t3lib_div::_GP('contentHash');
// ***********************
// Check parameters
......
// Chech md5-checksum: If this md5-value does not match the one submitted, then we fail... (this is a kind of security that somebody don't just hit the script with a lot of different parameters
$md5_value = md5(
$this->file.'|'.
$this->width.'|'.
$this->height.'|'.
$this->effects.'|'.
$this->bodyTag.'|'.
$this->title.'|'.
$this->wrap.'|'.
$GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey'].'|');
implode(
'|',
array($this->file, $this->parametersEncoded, $GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey'])
)
);
if ($md5_value!=$this->md5) {
die('Parameter Error: Wrong parameters sent.');
}
// Need to connect to database, because this is used (typo3temp_db_tracking, cached image dimensions).
$GLOBALS['TYPO3_DB']->sql_pconnect(TYPO3_db_host, TYPO3_db_username, TYPO3_db_password);
$GLOBALS['TYPO3_DB']->sql_select_db(TYPO3_db);
if (TYPO3_UseCachingFramework) {
$GLOBALS['typo3CacheManager'] = t3lib_div::makeInstance('t3lib_cache_Manager');
$GLOBALS['typo3CacheFactory'] = t3lib_div::makeInstance('t3lib_cache_Factory');
$GLOBALS['typo3CacheFactory']->setCacheManager($GLOBALS['typo3CacheManager']);
t3lib_cache::initPageCache();
t3lib_cache::initPageSectionCache();
t3lib_cache::initContentHashCache();
$parameters = unserialize(base64_decode($this->parametersEncoded));
foreach ($parameters as $parameterName => $parameterValue) {
$this->$parameterName = $parameterValue;
}
// Check for the new content cache hash
if (strlen(t3lib_div::_GP('contentHash')) > 0) {
$this->content = t3lib_pageSelect::getHash($this->contentHash);
if (is_null($this->content)) {
die('Parameter Error: Content not available.');
}
}
// ***********************
// Check the file. If must be in a directory beneath the dir of this script...
// $this->file remains unchanged, because of the code in stdgraphic, but we do check if the file exists within the current path
......
$img->tempPath = $this->alternativeTempPath;
}
// Need to connect to database, because this is used (typo3temp_db_tracking, cached image dimensions).
$GLOBALS['TYPO3_DB']->sql_pconnect(TYPO3_db_host, TYPO3_db_username, TYPO3_db_password);
$GLOBALS['TYPO3_DB']->sql_select_db(TYPO3_db);
if (strstr($this->width.$this->height, 'm')) {$max='m';} else {$max='';}
$this->height = t3lib_div::intInRange($this->height,0);
......
if ($this->frame) {$this->frame = intval($this->frame);}
$imgInfo = $img->imageMagickConvert($this->file,'web',$this->width.$max,$this->height,$img->IMparams($this->effects),$this->frame,'');
if (strlen($this->content) > 0) {
// insert image in cached HTML content
if (is_array($imgInfo)) {
$this->content = str_replace('###IMAGE###', $img->imgTag($imgInfo), $this->content);
}
} else {
// Create HTML output:
$this->content .= '
// Create HTML output:
$this->content='';
$this->content.='
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
......
</head>
'.($this->bodyTag ? $this->bodyTag : '<body>');
if (is_array($imgInfo)) {
$wrapParts = explode('|',$this->wrap);
$this->content.=trim($wrapParts[0]).$img->imgTag($imgInfo).trim($wrapParts[1]);
}
$this->content.='
if (is_array($imgInfo)) {
$wrapParts = explode('|',$this->wrap);
$this->content.=trim($wrapParts[0]).$img->imgTag($imgInfo).trim($wrapParts[1]);
}
$this->content.='
</body>
</html>';
}
}
/**
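Review bot: The `foreach ($parameters as $parameterName => $parameterValue) { $this->$parameterName = $parameterValue; }` loop in init() copies every key of the decoded array onto the object without an allow-list, and the result of `unserialize()` is not checked to be an array before it is iterated. Only the names that tslib_content packs into the link (width, height, effects, alternativeTempPath, bodyTag, title, wrap, sample) should be accepted, and a non-array result should end in the existing parameter error. The checksum test `$md5_value!=$this->md5` is a loose comparison, which PHP evaluates numerically when both strings look numeric, so it should be `!==` (or a constant-time compare where the PHP version offers one). `implode(t3lib_div::_GP('parameters'))` also assumes the request value is an array. Sides are inferred because the page lost its +/- markers, and init() is only partly visible here.

```php
// … unchanged: reading file, parameters, md5 and contentHash from the request …
if ($md5_value !== (string) $this->md5) {
	die('Parameter Error: Wrong parameters sent.');
}
// … unchanged: database connection and cache initialisation …
$parameters = unserialize(base64_decode($this->parametersEncoded));
if (!is_array($parameters)) {
	die('Parameter Error: Wrong parameters sent.');
}
// Accept only the names that tslib_content serializes into the link.
$allowedParameters = array('width', 'height', 'effects', 'alternativeTempPath', 'bodyTag', 'title', 'wrap', 'sample');
foreach ($allowedParameters as $parameterName) {
	if (isset($parameters[$parameterName]) && is_scalar($parameters[$parameterName])) {
		$this->$parameterName = $parameters[$parameterName];
	}
}
// … unchanged: contentHash lookup and file check …
```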