
Added trusted site white listing

1 parent a768682 commit 8560f7a57f8a94608f515f6ca8b111b72410fff3 Alistair Kearney committed Mar 4, 2009
Showing with 95 additions and 7 deletions.
  1. +11 −6 README
  2. +48 −1 extension.driver.php
  3. +36 −0 lib/image.php
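--- a/README
+++ b/README
@@ -1,7 +1,7 @@
 JIT Image Manipulation
 ------------------------------------
-Version: 0.9
+Version: 1.0
 Author: Alistair Kearney (alistair@symphony21.com)
 Build Date: 3rd March 2009
 Requirements: Symphony 2.0.2 or later
@@ -13,8 +13,8 @@ This is a replacement for the /image/X style "just in time" image manipulation f
 ** Note: The latest version can alway be grabbed with "git clone git://github.com/pointybeard/jit_image_manipulation.git"
-Before you install, it is worth noting that the root .htaccess will be modified. Should you have any modifications, it would
-be worth backing up the original first.
+Before you install, it is worth noting that the root .htaccess will be modified. Should you have any modifications,
+it would be worth backing up the original first.
 1. Upload the 'jit_image_manipulation' folder in this archive to your Symphony 'extensions' folder.
@@ -23,13 +23,18 @@ be worth backing up the original first.
 [USAGE]
-** Note: This extension is backwards compatible with the old (pre 2.0.2) url style. However, this may change in future releases.
-Image manipulation is controlled via the URL. There are 4 'modes', each with slightly different URL structures
+Basics:
+ Image manipulation is controlled via the URL. There are 4 'modes', each with slightly different URL structures
+ ## TODO: Outline the 4 modes here
-## TODO: Outline the 4 modes here
+Trusted Sites:
+
+ In order pull images from external sources, you must set up a white-list of trusted sites. To do this,
+ goto "System > Preferences" and add rules to the "JIT Image Manipulation" rules textarea. To match anything
+ use a single asterisk (*).
 [CREATION OF NEW FILTERS]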
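--- a/extension.driver.php
+++ b/extension.driver.php
@@ -4,14 +4,58 @@
 public function about(){
 return array('name' => 'JIT Image Manipulation',
- 'version' => '0.9',
+ 'version' => '1.0',
 'release-date' => '2009-03-03',
 'author' => array('name' => 'Alistair Kearney',
 'website' => 'http://pointybeard.com',
 'email' => 'alistair@pointybeard.com')
 );
 }
+ public function getSubscribedDelegates(){
+ return array(
+ array(
+ 'page' => '/system/preferences/',
+ 'delegate' => 'AddCustomPreferenceFieldsets',
+ 'callback' => 'appendPreferences'
+ ),
+
+ array(
+ 'page' => '/system/preferences/',
+ 'delegate' => 'Save',
+ 'callback' => '__SavePreferences'
+ ),
+ );
+ }
+
+ public function trusted(){
+ return @file_get_contents(MANIFEST . '/jit-trusted-sites');
+ }
+
+ public function saveTrusted($string){
+ return @file_put_contents(MANIFEST . '/jit-trusted-sites', $string);
+ }
+
+ public function __SavePreferences($context){
+ $this->saveTrusted(stripslashes($_POST['jit_image_manipulation']['trusted_external_sites']));
+ }
+
+ public function appendPreferences($context){
+ $group = new XMLElement('fieldset');
+ $group->setAttribute('class', 'settings');
+ $group->appendChild(new XMLElement('legend', 'JIT Image Manipulation'));
+
+ $label = Widget::Label('Trusted Sites');
+ $label->appendChild(Widget::Textarea('jit_image_manipulation[trusted_external_sites]', 10, 50, $this->trusted()));
+
+ $group->appendChild($label);
+
+ $group->appendChild(new XMLElement('p', 'Leave empty to disable external linking. Single rule per line. Add * at end for wild card matching.', array('class' => 'help')));
+
+ $context['wrapper']->appendChild($group);
+
+ }
+
 public function install(){
 $htaccess = @file_get_contents(DOCROOT . '/.htaccess');
@@ -49,6 +93,9 @@ public function install(){
 }
 public function uninstall(){
+
+ if(file_exists(MANIFEST . '/jit-trusted-sites')) unlink(MANIFEST . '/jit-trusted-sites');
+
 $htaccess = @file_get_contents(DOCROOT . '/.htaccess');
 if($htaccess === false) return false;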
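Review bot: `__SavePreferences` reads `$_POST['jit_image_manipulation']['trusted_external_sites']` without an `isset()` guard and hands it straight to `saveTrusted()`, whose `@file_put_contents` result is discarded, so a missing field raises a notice and a failed write silently leaves the previous rules in force. A guarded read such as `$value = isset($_POST['jit_image_manipulation']['trusted_external_sites']) ? stripslashes($_POST['jit_image_manipulation']['trusted_external_sites']) : '';` followed by a check of the `saveTrusted()` return value makes both cases visible to the administrator. `trusted()` likewise returns `false` when the rules file does not exist yet, and that value is passed to `Widget::Textarea` in `appendPreferences`; returning `''` in that case, or having `install()` create an empty rules file, avoids relying on how the widget renders `false`. The `uninstall()` body continues outside the hunk.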
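--- a/lib/image.php
+++ b/lib/image.php
@@ -72,6 +72,42 @@ function processParams($string){
 $image_path = ($param->external === true ? "http://{$param->file}" : WORKSPACE . "/{$param->file}");
+ if($param->external === true){
+
+ $rules = file(MANIFEST . '/jit-trusted-sites', FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
+ $allowed = false;
+
+ $rules = array_map('trim', $rules);
+
+ if(count($rules) > 0){
+ foreach($rules as $r){
+
+ $r = str_replace('http://', NULL, $r);
+
+ if($r == '*'){
+ $allowed = true;
+ break;
+ }
+
+ elseif(substr($r, -1) == '*' && strncasecmp($param->file, $r, strlen($r) - 1) == 0){
+ $allowed = true;
+ break;
+ }
+
+ elseif(strcasecmp($r, $param->file) == 0){
+ $allowed = true;
+ break;
+ }
+ }
+ }
+
+ if($allowed == false){
+ header('HTTP/1.0 404 Not Found');
+ exit(__('Error: Connecting to that external site is not permitted.'));
+ }
+
+ }
+
 ## Do cache checking stuff here
 if($param->external !== true && CACHING === true){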
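Review bot: The allow-list comparison in the new block runs against the raw `$param->file` string rather than the host it resolves to, so a wildcard rule is satisfied by any request text that merely begins with the rule, including one whose real host is different (user-info before an `@`, a longer host name, a port), while the same string is interpolated into `http://{$param->file}` on the line above. Deriving the host and path with `parse_url()`, matching rules against that normalised value and rejecting an empty host closes that gap; the rewrite below keeps the three rule forms the preferences help text describes, at the cost of no longer matching query strings. Separately, `file()` returns `false` when the rules file is absent (the visible `install()` hunk does not show it being created) and `array_map('trim', false)` then raises a warning, so the result should be checked with `is_array($rules)` before use. `$allowed == false` and `$r == '*'` should be strict comparisons. The enclosing code continues outside the hunk on both sides.
```php
if($param->external === true){

    // Match rules against the normalised host and path, never the raw request
    // string, so user-info, port or query text cannot satisfy a rule written
    // for a different host.
    $parts = @parse_url("http://{$param->file}");
    $host = (is_array($parts) && isset($parts['host'])) ? strtolower($parts['host']) : '';
    $path = (is_array($parts) && isset($parts['path'])) ? $parts['path'] : '/';
    $target = $host . $path;

    // A missing or unreadable rules file disables external fetching entirely.
    $rules = @file(MANIFEST . '/jit-trusted-sites', FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
    $allowed = false;

    if($host !== '' && is_array($rules)){
        foreach(array_map('trim', $rules) as $r){
            $r = str_replace('http://', '', $r);

            if($r === '*'){
                $allowed = true;
                break;
            }

            // "host/prefix*" keeps the documented trailing-wildcard form
            if(substr($r, -1) === '*' && strncasecmp($target, $r, strlen($r) - 1) === 0){
                $allowed = true;
                break;
            }

            if(strcasecmp($r, $target) === 0){
                $allowed = true;
                break;
            }
        }
    }

    // … unchanged: 404 response and exit when $allowed is false …
}
```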
