Patch for File Path problems
| Project: | Random Images |
| Version: | 5.x-1.x-dev |
| Component: | Code |
| Category: | bug report |
| Priority: | normal |
| Assigned: | Unassigned |
| Status: | needs review |
Thanks for the module, I found it very useful for randomizing a decorative graphic at one of the websites I work for.
Although the 5.x-1.x-dev version is working with absolute system paths for the random image directory, I still found problems with it, and would like to suggest a few improvements contained in the attached patch. This should help all of you who have had trouble setting the filepath correctly.
Problems:
A) When entering a system path, the module checks that the path exists and otherwise prints an error message. But it doesn't check whether the system path is within the website's document root directory. If the path is not within the document root directory, the image link(s) will not work.
So, entering the full system path has no advantage over entering the path relative to the document root directory and can even pose a security risk, because the directory structure is partially laid open.
B) If a path relative to the document root directory is entered, the module accepts the path despite the wrong entry, and so the image link(s) do not work.
As a solution, I suggest having 3 different possible ways to enter the filepath, which are tightly checked and allow for backward compatibility with the system path in the current version:
1) System path: e.g. /srv/www/htdocs/files/
This case already works now, but also has to be checked to be within the website where Drupal is running.
2) Path relative to the document root: e.g. /files
Despite the relative path, I suggest using a / in front of the path to differentiate it from the third case. The existence of the directory is checked relative to the document root.
3) Path relative to the Drupal installation directory: e.g. files
The existence of the path is checked relative to the document root and base path of Drupal.
You can apply the attached patch to version 5.x-1.x-dev from 2007-Nov-28 using $ patch < random_image-5.x-1.1-filepath.patch.
It would be nice if this functionality could be brought into the dev version and maybe a new released version be created.
Please let me know if there should be problems using it.
Regards,
Christian.
| Attachment | Size |
|---|---|
| random_image-5.x-1.1-filepath.patch.gz | 1.17 KB |
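
An added example (not the attached patch and not the module's own code) of the three entry forms described above, with the check that the resolved directory lies inside the document root. The function name, its parameters and the order in which a leading-slash entry is tried as case 1 and then case 2 are assumptions.

```php
<?php
// Added example, not the attached patch. example_resolve_image_dir() and its
// parameters are hypothetical names.
function example_resolve_image_dir($entry, $doc_root, $base_path) {
  $root = realpath($doc_root);
  if ($root === FALSE || $entry === '') {
    return FALSE;
  }
  if ($entry[0] === '/') {
    // Case 1 (system path) or case 2 (relative to the document root).
    // Assumption: try the system-path reading first, then the docroot one.
    $candidates = array($entry, $root . $entry);
  }
  else {
    // Case 3: relative to the Drupal installation (document root + base path).
    $candidates = array($root . '/' . trim($base_path, '/') . '/' . $entry);
  }
  $prefix = rtrim($root, '/') . '/';
  foreach ($candidates as $candidate) {
    // realpath() collapses "..", follows symlinks, and fails on missing paths.
    $real = realpath($candidate);
    if ($real === FALSE || !is_dir($real)) {
      continue;
    }
    // Compare with a trailing slash so /srv/www/htdocs-old is not treated
    // as being inside /srv/www/htdocs.
    if (strncmp($real . '/', $prefix, strlen($prefix)) === 0) {
      // Hand back only the part below the document root, for use in links.
      $web = (string) substr($real, strlen($prefix) - 1);
      return $web === '' ? '/' : $web;
    }
  }
  return FALSE;
}

// Constructed demo: a throwaway document root with Drupal in /drupal.
$root = sys_get_temp_dir() . '/ri_docroot_' . getmypid();
mkdir($root . '/drupal/files', 0700, TRUE);
mkdir($root . '/files', 0700, TRUE);
$entries = array($root . '/files', '/files', 'files', '/etc', '../..');
foreach ($entries as $e) {
  var_dump(example_resolve_image_dir($e, $root, '/drupal/'));
}
```

Because only the portion below the document root is returned, the system path never ends up in an image link, which addresses the disclosure concern raised under problem A.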
