
new bbPress plugin: bbPress Attachments

  • Started 5 months ago by _ck_ » latest reply by beduino
  • 13 posts, 1,238 views.
  • This topic is not a support question

  1. _ck_
    _ck_

    senior admin
    Joined: Jul '06
    Posts: 302

    offline

    The long requested ability for members to be able to upload attachments is now available!

    http://bbpress.org/plugins/topic/bb-attachments/

    This is an early beta which does not deal with displaying inline images yet,
    but you can help me beta test it and give feedback/bug reports.

    Please note there are important security considerations
    when allowing uploads of any kind to your server.

    During beta testing the plugin defaults to allowing only moderators (and above) to upload.
    At your own risk you can open it to all members, but keep in mind the plugin has not been tested extensively for security issues yet.

    (demonstration of attachments below - note you cannot download
    them unless you are logged in,
    which is a feature set by role)

    Attachments

    1. elephpant.jpg (39.4 KB, 15 downloads) 5 months old
    2. readme.txt (2.8 KB, 6 downloads) 5 months old
    Posted 5 months ago #
  2. mciarlo1287

    member
    Joined: Feb '08
    Posts: 15

    offline

    The security issues concern me, but I don't know enough about them to try this beta, otherwise I would.

    As far as I can tell, it has something to do with the permissions setup on the upload folder?

    Posted 5 months ago #
  3. _ck_
    _ck_

    senior admin
    Joined: Jul '06
    Posts: 302

    offline

    Well there are two elements of security to be concerned about. I believe I have addressed both, but until "experts" evaluate my code and technique I am not going to promise anything.

    The first issue has to do with the fact a directory has to be CHMOD 777. That means it can be written by any user on the server - if you are on a shared host, then it's a concern, otherwise not really. Modern PHP tries to address this security issue with things like safe mode and open_basedir but there's always a chance for a loophole around it. Then again, virtually any program that requires uploads needs a 777 directory and most can be safe.

    The second issue is that if someone, somehow, tricked the plugin and managed to upload a .php file, they could in theory run the code on your server. This issue I believe I have addressed by not allowing the directory to be in the "web root" so it can never be executed through the web. It's impossible. However, just like the shared server problem above, if someone somehow managed to upload a PHP file, in theory they might be able to run it from within your own server if they had an account and access.

    Both cases would need a local user who somehow overrides several security checks. Should not be possible. But I am not going to say "impossible".

    Posted 5 months ago #
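
An added example, not part of the original post or of the plugin's code: a shell check for the two concerns described in the post above (a world-writable upload directory, and an upload directory reachable under the web root), plus a scan for script files that got past the upload filter. The function names, finding labels and extension list are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: audit an upload directory for the risks raised in the post above.
# Finding labels and the extension list are assumptions of this sketch.

# Resolve a directory to its physical path so symlinks cannot hide its location.
resolve_dir() {
    ( cd "$1" 2>/dev/null && pwd -P )
}

# Usage: audit_upload_dir <upload_dir> <web_root>
# Prints one finding per line; prints nothing when no issue is found.
audit_upload_dir() {
    upload=$(resolve_dir "$1") || { echo "MISSING: $1"; return 0; }
    webroot=$(resolve_dir "$2") || { echo "MISSING: $2"; return 0; }

    # Concern 1: any local account can write here (mode 777 sets this bit).
    if [ -n "$(find "$upload" -prune -perm -0002)" ]; then
        echo "WORLD_WRITABLE: $upload"
    fi

    # Concern 2: the directory sits at or below the web root, so an uploaded
    # script could be requested, and executed, through the web server.
    case "$upload/" in
        "$webroot"/*) echo "INSIDE_WEBROOT: $upload" ;;
    esac

    # Files with script extensions mean the upload filter was bypassed.
    find "$upload" -type f \( -iname '*.php' -o -iname '*.php[0-9]' \
        -o -iname '*.phtml' -o -iname '*.phar' \) | sed 's/^/SCRIPT_FILE: /'
}

if [ "$#" -eq 2 ]; then
    audit_upload_dir "$1" "$2"
fi
```
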
  4. mciarlo1287

    member
    Joined: Feb '08
    Posts: 15

    offline

    I'm glad to see you put such care in your code. We are on a shared server, so security is vital.

    Posted 5 months ago #
  5. stroem

    new member
    Joined: Jun '08
    Posts: 1

    offline

    I have bbPress 0.9.02 with the plugins bozo 1.0, signature 0.1.9, polls 0.5.4 and attachments 0.1.2 activated, on Fedora 8 with PHP 5.
    I have the dir at /home/stroe/bb-attachments with chmod 777 (and I edited bb-attachments.php for that). Everything is OK and the plugin works (?!), but when I click the "Upload" button, I get a "seck1.gif (25.6 KB) error: failed". And I have no attachment on the post, only the error.
    In phpMyAdmin I have a database with a table "bb-attachments" with records (id, time, size, name, etc.) but status 2 and download 0 for all my tries...
    What did I do wrong? (Sorry for my English.)

    PS: default theme Kakumei with no modifications!

    Posted 4 months ago #
  6. _ck_
    _ck_

    senior admin
    Joined: Jul '06
    Posts: 302

    offline

    Error #2 is either a db write failure or a failure to copy/move the file from the temporary filename/directory to the destination (bb-attachments/).

    Since you are saying you do have a listing for the upload in your db, that means it's the second kind of failure.

    What exactly do you have $bb_attachments['path']= set to?

    This is a demo of the bbPress Signatures plugin!
    If you use my plugins, please consider donating to help continue their development.
    Posted 4 months ago #
  7. emmegildo
    emmegildo

    junior member
    Joined: Jun '08
    Posts: 5

    offline

    Hi, I wanted to test this plugin here. Sorry..

    Posted 3 months ago #
  8. _ck_
    _ck_

    senior admin
    Joined: Jul '06
    Posts: 302

    offline

    Inline image testing for version 0.1.5

    bbcode testing for 0.1.6

    Attachments

    1. elephpant.jpg (39.4 KB, 3 downloads) 2 months old
    2. rainbow.bmp (1 KB, 2 downloads) 2 months old
    3. elephpant.jpg (39.4 KB, 6 downloads) 2 months old
    4. readme.txt (3.2 KB, 0 downloads) 2 months old
    Posted 2 months ago #
  9. ugii

    new member
    Joined: Aug '08
    Posts: 1

    offline

    Installing attachments is quite difficult.

    Attachments

    1. images.jpeg (3 KB, 8 downloads) 1 month old
    Posted 1 month ago #
  10. _ck_
    _ck_

    senior admin
    Joined: Jul '06
    Posts: 302

    offline

    Really? It requires uploading one folder and making another.
    How difficult is that?

    Posted 1 month ago #
