4 posts Page 1 of 1
Hi,

How come timthumb.php auto-updates to the new version?

A TimThumb error has occured

The following error(s) occured:
No image specified


Query String :
TimThumb version : 2.8.14

I put back the original file, but the file still auto-updates again.

Kindly advise me.

Thanks.
Hi Chris,

I think the only explanation is that your host is trying to lend a 'helping hand' by upgrading the timthumb script that ships with Couch with the latest version of the original out there (there are security concerns about the original).

Problem is that our version has diverged so much from the original that it is no longer compatible so the upgrade won't work (and actually is unwarranted as it never had the security issues to begin with).

The only 'solution' that comes to my mind is to rename the couch/includes/timthumb.php to something else so as to avoid your host's concern.

It will also require patching the following 4 files that reference timthumb (i.e. change the names here too) -

\couch\ajax.php
require_once( K_COUCH_DIR.'includes/timthumb.php' );

\couch\page.php
require_once( K_COUCH_DIR.'includes/timthumb.php' );

\couch\tags.php
require_once( K_COUCH_DIR.'includes/timthumb.php' );

\couch\addons\data-bound-form\securefile.php
require_once( K_COUCH_DIR.'includes/timthumb.php' );

Hope this helps.
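The rename-and-patch steps from the reply above, as an added shell example that is not part of the original post or Couch's own tooling. The new file name passed in is a hypothetical placeholder; the file list is the one given in the post.

```shell
#!/bin/sh
# Added example, not Couch code. The new name (e.g. kthumb.php) is hypothetical.

# The four files the post lists as referencing includes/timthumb.php.
TIMTHUMB_REFS="ajax.php page.php tags.php addons/data-bound-form/securefile.php"

# rename_timthumb <couch_dir> <new_name>
# Renames includes/timthumb.php and rewrites the require_once lines.
# Returns non-zero if a file is missing or a reference is left behind.
rename_timthumb() {
    couch_dir=$1
    new_name=$2
    old="includes/timthumb.php"
    new="includes/$new_name"

    # Accept only a plain *.php file name so nothing odd reaches sed or mv.
    case $new_name in
        *[!A-Za-z0-9_.-]*|"") echo "bad name: $new_name" >&2; return 2 ;;
        *.php) ;;
        *) echo "name must end in .php" >&2; return 2 ;;
    esac

    # Check everything up front so a failure never leaves a half-patched tree.
    [ -f "$couch_dir/$old" ] || { echo "missing $couch_dir/$old" >&2; return 1; }
    [ ! -e "$couch_dir/$new" ] || { echo "$new already exists" >&2; return 1; }
    for f in $TIMTHUMB_REFS; do
        [ -f "$couch_dir/$f" ] || { echo "missing $couch_dir/$f" >&2; return 1; }
    done

    for f in $TIMTHUMB_REFS; do
        t="$couch_dir/$f"
        # Write to a temp copy (keeps the file mode), then move it into place.
        # No .bak copies stay in the web root, where they could be served as source.
        cp -p "$t" "$t.tmp" || return 1
        sed "s|'includes/timthumb\.php'|'$new'|g" "$t" > "$t.tmp" || return 1
        mv "$t.tmp" "$t" || return 1
    done
    mv "$couch_dir/$old" "$couch_dir/$new" || return 1

    # Verify: none of the listed files may still include the old path.
    for f in $TIMTHUMB_REFS; do
        if grep -q "'includes/timthumb\.php'" "$couch_dir/$f"; then
            echo "stale reference in $f" >&2; return 1
        fi
    done
    return 0
}
```

Run it against a copy of the site first, and keep the pre-change backup outside the web root.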
I run into this issue with one particular host I use. Every so often, they helpfully update the timthumb script to the latest version and I change it back to the Couch version from my backups. I finally decided to write them, explain the situation, and ask to be exempted from this apparently automated security update. They explained that it wasn't possible in a shared hosting environment, but offered the following suggestion, which I'll pass along.

You can tell a little white lie about the version number to prevent the file from being changed.

if ( !defined('K_COUCH_DIR') ) die(); // cannot be loaded directly
define ('VERSION', '2.8.14'); // A little white lie to prevent automated security updates

I can attest that it doesn't break anything when added to the script. Whether it works will be harder to tell unless it doesn't. But this is an easier solution than changing the file name and all of the references to it in other files.

If this is a common enough issue, it might be worth adding the line to the file in the regular Couch distribution.
Thanks for the tip, @tim.