
#1 2006-08-08 17:26:24

hilope
Xinha Community Member
Registered: 2006-06-06
Posts: 26

New EFM - Backend security error

Hi,

I use the new EFM V1.1.1 (Xinha nightly from 8/8/2006).

I call the editor from a PHP file via Smarty, where most of the configuration is done in the template file.

...
session_start();
$IMConfig = array();
$IMConfig['images_dir'] = $imPath;
$IMConfig['images_url'] = $imURL;
$IMConfig['thumbnail_prefix'] = 'thumb_';
$IMConfig['thumbnail_dir'] = '';
$IMConfig['resized_prefix'] = 'resized_';
$IMConfig['resized_dir'] = '';
$IMConfig['tmp_prefix'] = '_tmp';
$IMConfig['max_filesize_kb_image'] = $imMaxImageSize;
$IMConfig['max_filesize_kb_link'] = $imMaxLinkSize;
$IMConfig['max_foldersize_mb'] = 0;
$IMConfig['allowed_image_extensions'] = array("jpg","gif","png");
$IMConfig['allowed_link_extensions'] = array("jpg","gif","pdf","ip","txt",
                                             "psd","png","html","swf",
                                             "xml","xls","zip");
$IMConfig = serialize($IMConfig);
if(!isset($_SESSION['Xinha:ImageManager']))
{
  $_SESSION['Xinha:ImageManager'] = uniqid('secret_code');
}
$IMConfig1 = jsaddslashes($IMConfig);
$IMConfig2 = sha1($IMConfig . $_SESSION['Xinha:ImageManager']);
...
...
    xinha_config = xinha_config ? xinha_config() : new HTMLArea.Config();
...
if (xinha_config.ImageManager) {
    xinha_config.ImageManager.backend_config = '<!--[$IMConfig1]-->';
    xinha_config.ImageManager.backend_config_hash = '<!--[$IMConfig2]-->';
    xinha_config.ImageManager.backend_config_secret_key_location = 'Xinha:ImageManager';
}
if (xinha_config.ExtendedFileManager) {
    xinha_config.ExtendedFileManager.backend_config = '<!--[$IMConfig1]-->';
    xinha_config.ExtendedFileManager.backend_config_hash = '<!--[$IMConfig2]-->';
    xinha_config.ExtendedFileManager.backend_config_secret_key_location = 'Xinha:ImageManager';
}   
...

This is done because there is no possibility to call PHP inside the template.
Now, when I click the ImageManager button I get a "Backend security error".

Delivered Code:

if (xinha_config.ImageManager) {
    xinha_config.ImageManager.backend_config = 'a:12:{s:10:\"images_dir\";s:44:\"C:/Programme/xampp/htdocs/pn762/pnTemp/files\";s:10:\"images_url\";s:35:\"http://localhost/pn762/pnTemp/files\";s:16:\"thumbnail_prefix\";s:6:\"thumb_\";s:13:\"thumbnail_dir\";s:0:\"\";s:14:\"resized_prefix\";s:8:\"resized_\";s:11:\"resized_dir\";s:0:\"\";s:10:\"tmp_prefix\";s:4:\"_tmp\";s:21:\"max_filesize_kb_image\";i:2000;s:20:\"max_filesize_kb_link\";i:5000;s:17:\"max_foldersize_mb\";i:0;s:24:\"allowed_image_extensions\";a:3:{i:0;s:3:\"jpg\";i:1;s:3:\"gif\";i:2;s:3:\"png\";}s:23:\"allowed_link_extensions\";a:12:{i:0;s:3:\"jpg\";i:1;s:3:\"gif\";i:2;s:3:\"pdf\";i:3;s:2:\"ip\";i:4;s:3:\"txt\";i:5;s:3:\"psd\";i:6;s:3:\"png\";i:7;s:4:\"html\";i:8;s:3:\"swf\";i:9;s:3:\"xml\";i:10;s:3:\"xls\";i:11;s:3:\"zip\";}}';
    xinha_config.ImageManager.backend_config_hash = 'f16a931c2daf7f022651805257c1211c7fbf9b7f';
    xinha_config.ImageManager.backend_config_secret_key_location = 'Xinha:ImageManager';
}
if (xinha_config.ExtendedFileManager) {
    xinha_config.ExtendedFileManager.backend_config = 'a:12:{s:10:\"images_dir\";s:44:\"C:/Programme/xampp/htdocs/pn762/pnTemp/files\";s:10:\"images_url\";s:35:\"http://localhost/pn762/pnTemp/files\";s:16:\"thumbnail_prefix\";s:6:\"thumb_\";s:13:\"thumbnail_dir\";s:0:\"\";s:14:\"resized_prefix\";s:8:\"resized_\";s:11:\"resized_dir\";s:0:\"\";s:10:\"tmp_prefix\";s:4:\"_tmp\";s:21:\"max_filesize_kb_image\";i:2000;s:20:\"max_filesize_kb_link\";i:5000;s:17:\"max_foldersize_mb\";i:0;s:24:\"allowed_image_extensions\";a:3:{i:0;s:3:\"jpg\";i:1;s:3:\"gif\";i:2;s:3:\"png\";}s:23:\"allowed_link_extensions\";a:12:{i:0;s:3:\"jpg\";i:1;s:3:\"gif\";i:2;s:3:\"pdf\";i:3;s:2:\"ip\";i:4;s:3:\"txt\";i:5;s:3:\"psd\";i:6;s:3:\"png\";i:7;s:4:\"html\";i:8;s:3:\"swf\";i:9;s:3:\"xml\";i:10;s:3:\"xls\";i:11;s:3:\"zip\";}}';
    xinha_config.ExtendedFileManager.backend_config_hash = 'f16a931c2daf7f022651805257c1211c7fbf9b7f';
    xinha_config.ExtendedFileManager.backend_config_secret_key_location = 'Xinha:ImageManager';
}

How can I dynamically change images_dir and images_url via PHP, as described above?

Greetings
Sven

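The handshake that the configuration in this post sets up, as an added example that is not part of the post and not Xinha's own code: the front end serializes the config, keeps a per-session secret under the key named by backend_config_secret_key_location, and publishes sha1(config . secret); the backend has to find that secret in its own session and recompute the hash before it trusts the client-supplied string. The page only shows the session-key existence check from config.inc.php, so the hash recomputation on the backend side is an assumption about what backend_config_hash is for; the function names, the $session array standing in for $_SESSION, the sample paths and the constant-time comparison are assumptions as well. The three strings returned by the front-end function are what the editor later posts back to the backend; the post's jsaddslashes() only matters for embedding them in the JavaScript literal.

```php
<?php
// Added example (not Xinha's own code): the ImageManager/EFM backend_config handshake
// without HTTP. $session stands in for $_SESSION; function names are hypothetical.

// Compare two hashes without leaking where they differ (hash_equals() needs PHP 5.6+).
function xinha_hash_equal($known, $given)
{
    if (function_exists('hash_equals')) {
        return hash_equals($known, $given);
    }
    if (strlen($known) !== strlen($given)) {
        return false;
    }
    $diff = 0;
    for ($i = 0, $n = strlen($known); $i < $n; $i++) {
        $diff |= ord($known[$i]) ^ ord($given[$i]);
    }
    return $diff === 0;
}

// Front end (the CMS page): what the post's $IMConfig / $IMConfig2 code computes.
function xinha_frontend_backend_config(array $config, array &$session, $key = 'Xinha:ImageManager')
{
    $serialized = serialize($config);
    if (!isset($session[$key])) {
        $session[$key] = uniqid('secret_code');   // per-session secret, never sent to the browser
    }
    return array(
        'backend_config'                     => $serialized,
        'backend_config_hash'                => sha1($serialized . $session[$key]),
        'backend_config_secret_key_location' => $key,
    );
}

// Backend (config.inc.php side): returns the verified config array, or false.
function xinha_backend_verify(array $request, array $session)
{
    foreach (array('backend_config', 'backend_config_hash', 'backend_config_secret_key_location') as $p) {
        if (!isset($request[$p]) || !is_string($request[$p])) {
            return false;
        }
    }
    // The check quoted from config.inc.php in this thread: the named session entry
    // must exist. A backend that opened a different, empty session fails right here,
    // which is the "Backend security error." the thread is about.
    $key = $request['backend_config_secret_key_location'];
    if (!array_key_exists($key, $session)) {
        return false;
    }
    // Recompute the hash over the client-supplied string with the server-side secret
    // (assumed to be what the backend does with backend_config_hash).
    $expected = sha1($request['backend_config'] . $session[$key]);
    if (!xinha_hash_equal($expected, $request['backend_config_hash'])) {
        return false;   // images_dir or another value was changed in the browser
    }
    // Only an authenticated string is unserialized.
    $config = @unserialize($request['backend_config']);
    return is_array($config) ? $config : false;
}

// Constructed sample run.
$session = array();
$config  = array(
    'images_dir'               => '/var/www/pn762/pnTemp/files',          // hypothetical path
    'images_url'               => 'http://localhost/pn762/pnTemp/files',
    'allowed_image_extensions' => array('jpg', 'gif', 'png'),
);
$sent = xinha_frontend_backend_config($config, $session);

// 1. Untampered round trip: the backend gets the same array back.
var_dump(xinha_backend_verify($sent, $session) === $config);

// 2. images_dir rewritten in the browser: the hash no longer matches.
$forged = $sent;
$forged['backend_config'] = serialize(array('images_dir' => '/etc') + $config);
var_dump(xinha_backend_verify($forged, $session));

// 3. Backend looking at a different (empty) session, e.g. PHPSESSID instead of
//    POSTNUKESID: the secret is not found at all, before any hash is checked.
var_dump(xinha_backend_verify($sent, array()));
```

Two points worth keeping in mind with this design: the third call is exactly the failure mode reported in the thread, a backend that reads an empty session dies at the key lookup, so a "Backend security error" says nothing about the hash itself; and since the key location is taken from the request, the scheme relies on no session entry holding a value the client already knows, otherwise the client could name that entry as the "secret" and sign its own config.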

#2 2006-08-08 19:28:53

koto
Xinha Pro
Registered: 2006-01-09
Posts: 58

Re: New EFM - Backend security error

In the last code snippet - are there actual backslashes preceding quotes in the returned Smarty string?

xinha_config.ImageManager.backend_config = 'a:12:{s:10:\"images_dir\";s:44:\"C:/Programme/xampp/htdocs/pn762/pnTemp/files\";s:10:\"images_url\";s:35:\"http://localhost/pn762/pnTemp/files\";s:16:\"thumbnail_prefix\";s:6:\"thumb_\";s:13:\"thumbnail_dir\";s:0:\"\";s:14:\"resized_prefix\";s:8:\"resized_\";s:11:\"resized_dir\";s:0:\"\";s:10:\"tmp_prefix\";s:4:\"_tmp\";s:21:\"max_filesize_kb_image\";i:2000;s:20:\"max_filesize_kb_link\";i:5000;s:17:\"max_foldersize_mb\";i:0;s:24:\"allowed_image_extensions\";a:3:{i:0;s:3:\"jpg\";i:1;s:3:\"gif\";i:2;s:3:\"png\";}s:23:\"allowed_link_extensions\";a:12:{i:0;s:3:\"jpg\";i:1;s:3:\"gif\";i:2;s:3:\"pdf\";i:3;s:2:\"ip\";i:4;s:3:\"txt\";i:5;s:3:\"psd\";i:6;s:3:\"png\";i:7;s:4:\"html\";i:8;s:3:\"swf\";i:9;s:3:\"xml\";i:10;s:3:\"xls\";i:11;s:3:\"zip\";}}';
    xinha_config.ImageManager.backend_config_hash = 'f16a931c2daf7f022651805257c1211c7fbf9b7f';

If so, try disabling magic_quotes_gpc and magic_quotes_runtime PHP setting (i.e. set them to 'off'). This might be done in php.ini / .htaccess file depending on your environment.

Also, to test if this issue is solely related to EFM, you could try disabling it and enabling ImageManager plugin with the same config (settings are compatible between both plugins) and checking if IM works ok.

I personally use a similar approach to yours - a PHP file parsed by Smarty that outputs the JavaScript config string and writes the backend configuration to the PHP session. It works ok.

Cheers,
Chris Kotowicz


#3 2006-08-09 15:05:39

hilope
Xinha Community Member
Registered: 2006-06-06
Posts: 26

Re: New EFM - Backend security error

magic_quotes_gpc    Off    Off
magic_quotes_runtime    Off    Off
magic_quotes_sybase    Off    Off

Nothing.
I also tried ImageManager with the same config - same error.

Any other idea or tip for getting EFM/ImageManager running with dynamic folders?

Is there any other possibility to change the parameters for dir/url?


#4 2006-08-10 02:06:03

gogo
Xinha Leader
From: New Zealand
Registered: 2005-02-11
Posts: 1,015

Re: New EFM - Backend security error

Have you started the session before the PHP code to put the config hash into the session is called?

Are you using a non-default session name?


James Sleeman


#5 2006-08-10 08:39:32

koto
Xinha Pro
Registered: 2006-01-09
Posts: 58

Re: New EFM - Backend security error

If you're using PHP5 you could dump the session variables as they are available from the config.php script using the file_put_contents() function,

e.g. insert this:

file_put_contents('session.log', var_export($_SESSION, true));

somewhere after session_start() in config.php and check the file.

Compare the data with the variables added by your init file.

Cheers,
Chris Kotowicz


#6 2006-08-11 13:28:42

hilope
Xinha Community Member
Registered: 2006-06-06
Posts: 26

Re: New EFM - Backend security error

PHP4 - I will try another way.

Thanks for the moment ;)


#7 2006-08-12 15:55:54

koto
Xinha Pro
Registered: 2006-01-09
Posts: 58

Re: New EFM - Backend security error


#8 2006-08-26 07:53:20

hilope
Xinha Community Member
Registered: 2006-06-06
Posts: 26

Re: New EFM - Backend security error

Hi there, I now have PHP5 running and tried getting a log file.

I created two log files:

The first is written in the PHP file:

...
            $IMConfig = serialize($IMConfig);
            if(!isset($_SESSION['Xinha:ImageManager']))
               {
                $_SESSION['Xinha:ImageManager'] = uniqid('secret_code');
               }
            $IMConfig1 = jsaddslashes($IMConfig);
            $IMConfig2 = sha1($IMConfig . $_SESSION['Xinha:ImageManager']);      
            file_put_contents('PHPsession.log', var_export($_SESSION, true));      
...

Output:

array (
...
  'Xinha:ImageManager' => 'secret_code44f0284608964',
...

The second one I write from EFM's config.inc.php:

...
  // Config specified from front end, check that it's valid
  session_start();
  
  file_put_contents('CONFIGsession.log', var_export($_SESSION, true));
  
  if (!array_key_exists($_REQUEST['backend_config_secret_key_location'], $_SESSION))
    die("Backend security error.");
...

I got this:

array (
)

What's wrong? Is this information helpful?

Perhaps you can show me your way with Smarty?

Last edited by hilope (2006-08-26 07:54:11)


#9 2006-08-27 05:45:22

gogo
Xinha Leader
From: New Zealand
Registered: 2005-02-11
Posts: 1,015

Re: New EFM - Backend security error

Almost certainly you are either
1. not doing session_start in your main PHP
2. using a non-default PHP session name setting in your main PHP


James Sleeman


#10 2006-08-27 14:31:27

hilope
Xinha Community Member
Registered: 2006-06-06
Posts: 26

Re: New EFM - Backend security error

The second could be the one ... the session is started correctly.

The session name is POSTNUKESID; how can I use it with EFM?

Perhaps IMConfig can be saved in the standard session ID without confusing the other session generated by the CMS?
Can two sessions exist? (I'm not familiar with sessions ...)


#11 2006-08-27 15:48:46

hilope
Xinha Community Member
Registered: 2006-06-06
Posts: 26

Re: New EFM - Backend security error

I tried something with the session names.

My PHP code, where I write a .log with the old session name and another .log with the new (standard) session name:

...
       file_put_contents(session_name().'.log', var_export($_SESSION, true));     

            // IM/EFM configuration start
            session_name("PHPSESSID");
            session_start();
            $IMConfig = array();
...
            $IMConfig = serialize($IMConfig);
            if(!isset($_SESSION['Xinha:ImageManager']))
               {
                $_SESSION['Xinha:ImageManager'] = uniqid('secret_code');
               }
            $IMConfig1 = jsaddslashes($IMConfig);
            $IMConfig2 = sha1($IMConfig . $_SESSION['Xinha:ImageManager']);      
   
            // for testing purposes
            file_put_contents(session_name().'.log', var_export($_SESSION, true));      
...

also in config.inc.php i now used

... 
           file_put_contents(session_name().'.log', var_export($_SESSION, true));  
...

As a result I have 2 identical files: POSTNUKESID.log and PHPSESSID.log.
EFM writes an additional PHPSESSID.log with an empty array, as shown 3 posts before.


#12 2006-08-31 09:46:36

koto
Xinha Pro
Registered: 2006-01-09
Posts: 58

Re: New EFM - Backend security error

Sorry for the late response, I somehow deleted the RSS feeds for this forum so I didn't know anything was happening :(

hilope wrote:

Perhaps IMConfig can be saved in the standard session ID without confusing the other session generated by the CMS?
Can two sessions exist? (I'm not familiar with sessions ...)

I wouldn't recommend it (I don't even know if that's possible). In PHP you have only one session for your script/application. This session is stored and accessed through the name that is set automatically in php.ini / .htaccess or by a session_name() call. However, you have to specify the session name BEFORE calling session_start() (and only the first session_start() per HTTP request is executed).

Additionally, it is possible that your session starts before your script is even parsed if session.auto_start is set in php.ini - in that case you have no control over the session name from within your script.

Remove session_name('anysessionid') from both PHP scripts, and determine what the session name is by default in each of them. If it's different:
- if session.auto_start is true in either php.ini / .htaccess file - you have to set the session.name variable in the same file.
- if it's false - you can safely call session_name('POSTNUKESID') before session_start() and try to debug later.

Sometimes clearing the cookies in your browser might also help (especially if there are multiple session ID cookies for different paths of your test server - there might be an old cookie somewhere that passes a non-existing session_id to the backend.php script).

Cheers,
Chris Kotowicz

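The fix this post and gogo's post #9 point at, as an added example that is not Xinha's or PostNuke's own code: one small bootstrap file that both the CMS page and the plugin's config.inc.php include, so that both scripts open the session under the same name instead of the CMS writing to POSTNUKESID while the backend reads an empty PHPSESSID. The function names, the constant, the diagnostic helper and the include paths in the comments are assumptions; POSTNUKESID is the session name hilope reported, and the behaviour it relies on (session_name() only takes effect before the session exists, a second session_start() in the same request does nothing) is what this post describes.

```php
<?php
// xinha_session.php - added example, not Xinha's or PostNuke's own code. A single
// session bootstrap that the CMS page and the plugin's config.inc.php both include,
// so both scripts open the *same* named session. POSTNUKESID is the name reported
// in the thread; the include paths in the comments below are assumptions.
define('XINHA_APP_SESSION_NAME', 'POSTNUKESID');

function xinha_app_session_start()
{
    if (session_id() === '') {
        // No session yet, so the name can still be chosen. session_name() must come
        // before session_start(), and no output may have been sent (the cookie is a header).
        session_name(XINHA_APP_SESSION_NAME);
        session_start();
    }
    // A session that was already running (session.auto_start, or an earlier
    // session_start() in this request) keeps its name: a later session_name()
    // does not rename it and a second session_start() is a no-op. That is why the
    // session_name('PHPSESSID') attempt in the main script still wrote everything
    // into POSTNUKESID and the backend's PHPSESSID session stayed empty.
    if (session_name() !== XINHA_APP_SESSION_NAME) {
        trigger_error('active session is ' . session_name() . ', expected '
            . XINHA_APP_SESSION_NAME . ' (with session.auto_start the name has to be '
            . 'set as session.name in php.ini or .htaccess)', E_USER_WARNING);
        return false;
    }
    return true;
}

// Diagnostic with the same information as the file_put_contents() logging used in
// the thread, returned to the caller instead of written to a session.log beside the
// script, where it sits under the document root and contains the secret.
function xinha_session_diag($secret_key = 'Xinha:ImageManager')
{
    return array(
        'session_name'   => session_name(),
        'session_id'     => session_id(),
        'secret_present' => isset($_SESSION) && array_key_exists($secret_key, $_SESSION),
    );
}

// Usage in the CMS page (before any output):
//   require_once '/path/to/xinha_session.php';   // path is install-specific
//   xinha_app_session_start();
//   if (!isset($_SESSION['Xinha:ImageManager'])) {
//       $_SESSION['Xinha:ImageManager'] = uniqid('secret_code');
//   }
//
// Usage in plugins/ExtendedFileManager/config.inc.php, in place of the bare
// session_start() quoted in the thread:
//   require_once '/path/to/xinha_session.php';
//   xinha_app_session_start();
//   if (!array_key_exists($_REQUEST['backend_config_secret_key_location'], $_SESSION))
//       die("Backend security error.");

// Stand-alone check from the command line (php xinha_session.php): opens the
// session under the expected name and reports what the backend would see.
if (PHP_SAPI === 'cli') {
    xinha_app_session_start();
    $_SESSION['Xinha:ImageManager'] = uniqid('secret_code');
    print_r(xinha_session_diag());
}
```

If session.auto_start is on, the function cannot change anything and only reports the mismatch; the name then has to be fixed as session.name in php.ini or .htaccess, as the post says. The cookie caveat from the post still applies after that: a stale cookie for another path can hand the backend an ID for a session that no longer exists, which shows up in the diagnostic as the right session_name with secret_present false.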
