Re: Attachment Mod 2.0.1 by Frank H

I run install_mod.php and it says: "You are running a version of PunBB (1.2.12) that this mod does not support. This mod supports PunBB versions: 1.2, 1.2.1, 1.2.3, 1.2.4, 1.2.5"
What to do?

Michael aka Emilien @ My Opera Community: http://my.opera.com/michael_aka_emilien

302 (edited by Frank H 2006-09-27 09:08)

Re: Attachment Mod 2.0.1 by Frank H

follow the installation guide mentioned in the first post of this thread. (especially about "Installing on 1.2.6+")

303 (edited by Michael aka Emilien 2006-09-27 09:17)

Re: Attachment Mod 2.0.1 by Frank H

Nothing new. :(((
I've just installed this mod, without any other mods

Michael aka Emilien @ My Opera Community: http://my.opera.com/michael_aka_emilien

304

Re: Attachment Mod 2.0.1 by Frank H

First of all, you need to edit install_mod.php to allow 1.2.XX. Where XX is the version you're running (or it will just say it's not the correct version when you try to run it)

305

Re: Attachment Mod 2.0.1 by Frank H

Hi,

I did a mod to Attachment Mod 2.0.1 here: http://georezo.net/forum/download.php

If you are interested I can give the code to Frank.

Cheers

Fred

306

Re: Attachment Mod 2.0.1 by Frank H

You can always release it as a mod, on a mod :)

(I tried to write it so that others would be able to use bits and pieces ... and for the mod to PunBB 1.3 I'll try to make it even more universal)

307

Re: Attachment Mod 2.0.1 by Frank H

I need time to translate it, but I'll do it! In case of emergency please let me know ;)

308

Re: Attachment Mod 2.0.1 by Frank H

The NULL byte exploit that PunBB was patched for was also in the Attachment Mod; it is now patched with an updated administrative plugin.
(It is only exploitable by administrators, but I still encourage everyone to update the plugin).

To patch your mod, download the updated plugin from PunBB Resource and overwrite the file in the plugins folder on your forum.
(The zipfile is called "AP_Attachment_Mod-Patch_NULL_vuln.zip")

309 (edited by volker 2006-09-28 00:19)

Re: Attachment Mod 2.0.1 by Frank H

Hey Frank H

We are running a PunBB forum, and have installed your attachment mod, all seems fine but we are getting this error message... Bill, the guy who knows more than me in this area, sent me this to post

MySQL 4.1.21-log    Rows: 52846    Size: 4.18 MB
Operating system: Linux   PHP: 5.1.5   PunBB 1.2.7

We do have an Image Upload mod running, but that's working fine...

Notice: Undefined index: attach_cur_version in /www-vhost/www.hed.swin.edu.au/design/nidr/forum/plugins/AP_Attachment_Mod.php on line 1090

Config table has been updated and new tables have been added. Folder with long random name was created in the attachments folder

If you have any ideas we would love to know any angles we need to look at... and if you need any more info I will try to get it...   we have looked over the "Installing the mod on PunBB 1.2.6+" site trying to work this bug out...

Our small forum is at
http://www.hed.swin.edu.au/design/nidr/forum/

Regards
Volker

310

Re: Attachment Mod 2.0.1 by Frank H

Sounds like the cachefiles haven't been updated, check that the "attach_cur_version" is in the cache_config.php, if it isn't there, remove the cachefile, and let punbb generate a new cachefile.

311

Re: Attachment Mod 2.0.1 by Frank H

Frank H, something like hdiff for updated (NULL byte exploit) AP_Attachment_Mod would be very nice :)

312

Re: Attachment Mod 2.0.1 by Frank H

I'll see if I can fix something when I get back from work (but I'm working late today, so I might not be able to do it today)

all changes are at one place (oh, and the little update text I put at the top)
search for "< >" and you'll probably find the changes :)  (I had written something about "...later replace < > | ? * " ..." or such ...)

313

Re: Attachment Mod 2.0.1 by Frank H

Dexus wrote:

Frank H, something like hdiff for updated (NULL byte exploit) AP_Attachment_Mod would be very nice :)

no hdiff (don't have it installed), but a simple cut'n paste ;)

Find (line 879)

    // rewrite stuff from POST variables
    $form['use_icon'] = intval($_POST['use_icon']);
    $form['icon_folder'] = $_POST['icon_folder']; //later strip out all < > | ? * " from the string, to try to up the safety
    $form['icon_extension'] = $_POST['icon_extension']; //later strip out all \ / < > | ? *  from the string, to try to up the safety
    $form['icon_name'] = $_POST['icon_name']; //later strip out all \ / < > | ? *  from the string, to try to up the safety
    $form['create_orphans'] = intval($_POST['create_orphans']);
    $form['always_deny'] = $_POST['always_deny']; //later strip out all \ / < > | ? *  from the string, to try to up the safety
    $form['max_size'] = intval($_POST['max_size']);
    $form['basefolder'] = $_POST['basefolder']; //later strip out all < > | ? * " from the string, to try to up the safety

Replace with

    // rewrite stuff from POST variables
    $form['use_icon'] = intval($_POST['use_icon']);
    $form['create_orphans'] = intval($_POST['create_orphans']);
    $form['max_size'] = intval($_POST['max_size']);
    // remove unallowed chars
    $attach_replace_matches = array('<','>','|','?','*',"\0"); //strip out all < > | ? * NULL from the string, to try to up the safety
    $form['icon_extension'] = str_replace($attach_replace_matches,'',$_POST['icon_extension']);
    $form['icon_name'] = str_replace($attach_replace_matches,'',$_POST['icon_name']);
    $form['always_deny'] = str_replace($attach_replace_matches,'',$_POST['always_deny']);
    $attach_replace_matches[] = '"'; // add the " to unallowed chars
    $form['icon_folder'] = str_replace($attach_replace_matches,'',$_POST['icon_folder']);
    $form['basefolder'] = str_replace($attach_replace_matches,'',$_POST['basefolder']);

That should make the poison null vulnerability a thing of the past ;)
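
An allowlist variant of the sanitising step in the post above, as an added example: it is not code from AP_Attachment_Mod.php, and the function names and sample values are hypothetical. It generalises from the NUL byte to any control character and to `..` path segments, and rejects a bad folder value instead of stripping characters from it.

```php
<?php
// Added example; not code from AP_Attachment_Mod.php. Function names are hypothetical.

// The denylist from the post above, wrapped in a function so it can be compared.
function attach_strip_denylist($value, $is_folder = false)
{
    $bad = array('<', '>', '|', '?', '*', "\0");
    if ($is_folder)
        $bad[] = '"';   // the post adds " only for icon_folder and basefolder
    return str_replace($bad, '', $value);
}

// Allowlist check for a folder setting: returns the value unchanged, or false.
// Rejecting (not stripping) means a bad value is reported rather than silently altered.
function attach_validate_folder($value)
{
    if (!is_string($value) || $value === '' || strlen($value) > 255)
        return false;
    // Any control character, including the NUL byte, fails outright.
    if (preg_match('/[\x00-\x1F\x7F]/', $value))
        return false;
    // Check each path segment; both separators are accepted.
    foreach (preg_split('#[/\\\\]#', $value) as $i => $segment)
    {
        if ($segment === '' || $segment === '.')
            continue;       // leading, trailing or doubled separator, or "current dir"
        if ($segment === '..')
            return false;   // no climbing out of the configured folder
        // A drive prefix such as "C:" is allowed only as the first segment (assumption).
        if ($i === 0 && preg_match('/^[A-Za-z]:$/', $segment))
            continue;
        if (!preg_match('/^[A-Za-z0-9._ -]+$/D', $segment))
            return false;
    }
    return $value;
}

// Constructed sample values, as they might arrive in $_POST['basefolder'].
$samples = array(
    'attachments/',
    "attachments\0.bak/",
    'attach<1>/',
    '../outside/',
);

foreach ($samples as $raw)
{
    $stripped = attach_strip_denylist($raw, true);
    $checked  = attach_validate_folder($raw);
    printf("%-24s denylist=%-20s allowlist=%s\n",
        addcslashes($raw, "\0"),
        $stripped,
        $checked === false ? 'rejected' : 'accepted');
}
```

On the second sample the denylist quietly turns the input into `attachments.bak/`, a different folder from the one typed, while the allowlist check refuses the value so the admin page can report it.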

314 (edited by d-town 2006-10-02 16:00)

Re: Attachment Mod 2.0.1 by Frank H

If someone could help me please. When I try and run the install for the attachment mod I get this..

PunBB reported: Unable to copy .htaccess file to new subfolder

I've set the write permissions for the php file to full access.

I also received this when trying to view my topic... Error: Unable to fetch if there were any attachments to the post.

What do I need to do? Thanks!

315

Re: Attachment Mod 2.0.1 by Frank H

you probably have safemode on the server, you must disable it to get uploads to work (and you need to run install_mod.php successfully before using viewtopic.php)

316 (edited by d-town 2006-10-02 17:13)

Re: Attachment Mod 2.0.1 by Frank H

OK, so I changed it. But what do I need to do to not make it so vulnerable?

317

Re: Attachment Mod 2.0.1 by Frank H

now I'm getting this error...

PunBB reported: Unable to add column "attach_always_deny" to config table

318

Re: Attachment Mod 2.0.1 by Frank H

are you by any chance trying to use it on a sqlite database? (if so, the mod doesn't work, as mentioned on the first post of this thread)

if not, do you already have the tables in the config table? (check with a tool such as phpmyadmin or similar)

(sorry for the late reply, but I've been working my ass off the last couple of days ... (including the weekend))

319

Re: Attachment Mod 2.0.1 by Frank H

I'm having an issue where I don't get the correct number of 'choose file' or 'browse' buttons on the new post page.  In the mod settings I have set this to 5 for all users but I only get one browse button.  The code doesn't seem to check if multiple browse buttons are required


    <fieldset>
        <legend><?php echo $lang_attach['Attachment'] ?></legend>
        <div class="infldset">
            <div class="rbox">
                <input type="hidden" name="MAX_FILE_SIZE" value="<?php print $attach_size; ?>" /><input type="file" name="attached_file" size="80" tabindex="<?php echo $cur_index++ ?>" /><br />
                <?php echo $lang_attach['Note'] ?>
            </div>
        </div>
    </fieldset>

I went back to the install instructions and believe I did everything correctly - can you see what I have missed?

Thanks in advance

320

Re: Attachment Mod 2.0.1 by Frank H

I also have an error when I try to edit a post with an attachment.  Underneath the original post when it is meant to list the attachments it says

Notice: Undefined variable: attach_allowed in /www-vhost/www.hed.swin.edu.au/design/nidr/forum/edit.php on line 500

I cleared the config cache file again but the problem persists

thanks in advance

321

Re: Attachment Mod 2.0.1 by Frank H

@volker: First off, it will only show one upload field, to add more files you need to edit the message. (I don't like javascripts, as I find it to bloat everything, and you might have 100 allowed files for some groups (admins are unlimited), and it shouldn't add one field for each ... + it's less code with this solution)
From the readme.txt

##                    And as a further upgrade, posts are no longer limited to
##                    one attachment per post. I still have a limit of one file
##                    per opportunity (i.e. one on post creation, rest on edit),
##                    but the admin set the limit of max files per post, a per 
##                    group and per forum basis.

Secondly, it sounds like you've missed a step in the edit.php file, recheck that all edits are in the file.

--------------------------------------------------------------------------------------------

@Everyone: I'm REALLY busy at work at the moment, and will be for at least until the end of the year, so I might be slow at answering questions. I hope you all will understand.
I was planning on releasing an 'intermediate' release for 1.2.13 (as there have been a lot more questions lately, a bunch seemingly related to safemode on, that I guess some hosts have started to use recently + using the mod with a bunch more mods, I'm sorry for you affected by this, that I haven't found time to look deeply into this) ...

Anyhow, considering that PunBB 1.3 is somewhere in the horizon, I'm not sure I'll have the energy to do it, as it will all change to that release, but still be compatible with the already saved files from the current mod.
(I'll try to do an easy installing extension out of it, but it will require some work, and if you can wait for PunBB 1.3 + time needed for me to fix the extension, it might be a bit easier for you if you wait for that, and perhaps only need to upload, change permissions, run the installer)...

Do note that I'm not saying you shouldn't use this mod, I'm just saying it probably will be a much easier thing to use as an extension ... and if you feel you don't like editing the 50 or so steps, you might be able to cope until PunBB 1.3

Now I need to eat something and head off to bed, so I can get up tomorrow morning ;)

322

Re: Attachment Mod 2.0.1 by Frank H

we just redid the edit.php changes and it was exactly the same.  It looks like there are large chunks of missing code in edit.php that are needed to get and display the details of any existing attachments.  Down around line 500 where it checks

    if($attach_allowed){

none of those variables have actually been defined.

We are in the process of hacking it together now

323

Re: Attachment Mod 2.0.1 by Frank H

ok here's our hack for edit.php

this gives ALL users the same permissions regarding attachments within the edit page. Not ideal obviously but we didn't see it as a major issue as guest can't get to the edit page and we are happy for members to delete their own attachments and add more



----FIND

    <li><a href="help.php#smilies" onclick="window.open(this.href); return false;"><?php echo $lang_common['Smilies'] ?></a>: <?php echo ($pun_config['o_smilies'] == '1') ? $lang_common['on'] : $lang_common['off']; ?></li>
                            </ul>
                        </div>
                    </fieldset>

------AFTER ADD

    //hard code attach settings and grab existing attachments for this post
    $attach_allowed=true;
    $attach_allow_delete=true;
    $attach_allow_owner_delete=true;
    $attach_allow_upload=true;
    $attach_allow_size=$pun_config['attach_max_size'];
    $attach_per_post=5;
    $attach_output='';
    $attach_output_two='';
    $result_attach=$db->query('SELECT af.id, af.owner, af.filename, af.extension, af.size, af.downloads FROM '.$db->prefix.'attach_2_files AS af WHERE post_id=\''.$id.'\'')or error('Unable to fetch current attachments',__FILE__,__LINE__,$db->error());

    if($db->num_rows($result_attach)>0){
        //time for some output ... create the existing files ...
        $i=0;
        while(list($attach_id,$attach_owner,$attach_filename,$attach_extension,$attach_size,$attach_downloads)=$db->fetch_row($result_attach)){
            if(($attach_owner==$pun_user['id']&&$attach_allow_owner_delete)||$attach_allow_delete)
                $attach_output .= '<br />'."\n".'<input type="checkbox" name="attach_delete_'.$i.'" value="'.$attach_id.'" />'.$lang_attach['Delete?'].' '.attach_icon($attach_extension).' <a href="./attachment.php?item='.$attach_id.'">'.$attach_filename.'</a>, '.$lang_attach['Size:'].' '.number_format($attach_size).' '.$lang_attach['bytes'].', '.$lang_attach['Downloads:'].' '.number_format($attach_downloads);
            else
                $attach_output_two .= '<br />'."\n".attach_icon($attach_extension).' <a href="./attachment.php?item='.$attach_id.'">'.$attach_filename.'</a>, '.$lang_attach['Size:'].' '.number_format($attach_size).' '.$lang_attach['bytes'].', '.$lang_attach['Downloads:'].' '.number_format($attach_downloads);
            $i++;
        }
        if(strlen($attach_output)>0)
            $attach_output = '<input type="hidden" name="attach_num_attachments" value="'.$db->num_rows($result_attach).'" />'.$lang_attach['Existing'] . $attach_output;
        if(strlen($attach_output_two)>0)
            $attach_output .= "<br />\n".$lang_attach['Existing2'] . $attach_output_two;
        $attach_output .= "<br />\n";
    }else{
        // we have no existing files
    }

    if(strlen($attach_output)>0)$attach_output .= "<br />\n";
    if($attach_per_post==-1)$attach_per_post = '<em>unlimited</em>';
    $attach_output .= str_replace('%%ATTACHMENTS%%',$attach_per_post,$lang_attach['Upload'])."<br />\n".'<input type="hidden" name="MAX_FILE_SIZE" value="'.$attach_allow_size.'" /><input type="file" name="attached_file" size="80" />';

I'm sure someone can find a cleaner way to do this - I'll watch this thread

cheers

324

Re: Attachment Mod 2.0.1 by Frank H

that edit shouldn't need to be there, perhaps you have another mod that interferes within edit.php?
(seems to me you're missing at least step 15 in the readme.txt, as that's where the variables are defined... edit.php is affected by steps 9 to 19)

325

Re: Attachment Mod 2.0.1 by Frank H

I didn't read EVERY page of this thread, but here are a couple fixes (hopefully not already posted):

1) Get rid of excess queries for every post

Okay, part one here deals with this piece of code:

    //fetch the rules of the forum, and check so that the user is allowed to download.
    $result_attach_two = $db->query('SELECT ar.rules FROM '.$db->prefix.'attach_2_rules AS ar WHERE ar.group_id=\''.$pun_user['group_id'].'\' AND ar.forum_id='.$cur_topic['forum_id'].' LIMIT 1')or error('Unable to fetch rules for the attachments', __FILE__, __LINE__, $db->error());
    if($db->num_rows($result_attach_two)==1){
        list($attach_rules)=$db->fetch_row($result_attach_two);
        $attach_allow_download = attach_rules($attach_rules,ATTACH_DOWNLOAD);
    }

There is no conceivable reason why the attachment rules would need to be checked for every post because the user's group_id and forum_id don't change for each post.  The fix?  Move this above or below the SQL block beginning with "// Retrieve the posts (and their respective poster/online status)", whichever tickles your fancy.  Oh, and if I've somehow gotten this wrong and this query isn't run every post (since it's just completely silly to be doing it) I apologize, but it seems to me that it is :)

Now for part two, dealing with this:

    // Check if this post has any attachments
    $result_attach = $db->query('SELECT af.id, af.filename, af.size, af.downloads FROM '.$db->prefix.'attach_2_files AS af WHERE af.post_id='.$cur_post['id']) or error('Unable to fetch if there were any attachments to the post', __FILE__, __LINE__, $db->error());
    $attach_num = $db->num_rows($result_attach);
    if($attach_num > 0){ ...

You can cut this part out pretty easily by adding the following to your post retrieval query

LEFT JOIN '.$db->prefix.'attach_2_files AS af ON af.post_id=p.id

This simply says "additionally, grab all posts that also have a corresponding attachment".  Of course, since you can have more than one attachment per post, we need to clean dupes.  Now, because of how PunBB is setup, we need to add a loop before the fact and get all the attachments for a specific post and clean dupes that way.  If you want an arguably faster solution, you could build all the info for posts prior to outputting the template for a post instead of having the html spit out every loop, but I won't go into that.

FIND

    while ($cur_post = $db->fetch_assoc($result))
    {

REPLACE WITH

    // i added this method to dblayer/pgsql.php, you could use <db>_fetch_all($result) also
    $rows = $db->fetch_all($result);
    $posts = array();
    $attachments = array();
    foreach($rows as $post)
    {
        // if it has an attachment
        if($post['attach_id'] != '')
        {
            // MAY NEED TO BE CHANGED! Or made dynamic, but I'm lazy.  This basically depends on how many mods you have that affect the posts query.
            // in reality the slice isn't even necessary, it just cuts down on array size
            $attachments[$post['id']][] = array_slice($post,22,4);
        }
        // the JOIN repeats a post once per attachment, so keep only the first row for each post id
        if(!isset($posts[$post['id']]))
            $posts[$post['id']] = $post;
    }
    foreach ($posts as $cur_post)
    {

From here it's just simple changes to the loop that generates $attach_output, and you're done!  I would paste those changes, but I haven't actually bothered to go through and make them yet (or even install the mod :P)  I read that you didn't want to alter PunBB's posts query, but the fact is that almost all mods change the fundamental queries on pages, this is to limit the number of queries.  Near as I can tell, you're adding n*2 queries per viewtopic page, where n = # replies.  That number can add up pretty fast, and although JOINs add overhead to a query, it's not as bad as asking the DB for stuff 30 times per page or more.  However, I still respect your decisions for the mod and am posting this more for those who want to replace your queries with a quick LEFT JOIN and PHP loop.


2) PostgreSQL Install Support

Since no mod developer anywhere seems to understand that MySQL syntax != standard, I've taken the liberty of posting the raw SQL for creating your tables in PostgreSQL below.  Obvious changes need to be made (pun_ replaced by $db->prefix, etc).

CREATE SEQUENCE "public"."pun_attach_2_files_id_seq";

CREATE TABLE "public"."pun_attach_2_files" (
  "id" SERIAL, 
  "owner" INTEGER DEFAULT 0 NOT NULL, 
  "post_id" INTEGER DEFAULT 0 NOT NULL, 
  "filename" VARCHAR(20) DEFAULT 'error.file'::character varying NOT NULL, 
  "extension" VARCHAR(64) DEFAULT 'error.file'::character varying NOT NULL, 
  "mime" VARCHAR(64), 
  "location" TEXT, 
  "size" INTEGER DEFAULT 0 NOT NULL, 
  "downloads" INTEGER DEFAULT 0 NOT NULL, 
  CONSTRAINT "pun_attach_2_files_pkey" PRIMARY KEY("id")
);

CREATE SEQUENCE "public"."pun_attach_2_rules_id_seq";

CREATE TABLE "public"."pun_attach_2_rules" (
  "id" SERIAL, 
  "forum_id" INTEGER DEFAULT 0 NOT NULL, 
  "group_id" INTEGER DEFAULT 0 NOT NULL, 
  "rules" INTEGER DEFAULT 0 NOT NULL, 
  "size" INTEGER DEFAULT 0 NOT NULL, 
  "per_post" SMALLINT DEFAULT 1 NOT NULL, 
  "file_ext" VARCHAR(200), 
  CONSTRAINT "pun_attach_2_rules_pkey" PRIMARY KEY("id")
);

I went with a VARCHAR for the file_ext field because it's impossible that someone would need a TEXT block to enter some file extensions...


And of course, thanks for creating the mod :D