'On the Fly' Auto Thumbnailer using GD Library


Hi Nate,

 

I have only recently come across this mod after a few colleagues asking for a way to fix the scaling issues with osCommerce.

 

I commend you on the work you have done to step around the lack of control over images and I think this mod is a step in the right direction.

 

I have tried to read this thread as thoroughly as possible but it is cluttered heavily with code pasting etc so if this has been covered I apologise.

 

I have installed this patch and it worked as expected, but after reading the code more closely I found a potential point for a DoS attack against this script. I have reviewed the code and tested on 2 of my servers and confirm that the following may cause serious server exhaustion and disruption to services on the box.

 

This ties in very closely to the 'generating on the fly' method that this script uses (please bear with me). Although the generation of thumbnails dynamically (at time of request) will cause extra server load this is not the key concern I have (I have ideas for solutions to problems and I am happy to help).

 

 

------ The following includes descriptions of the script's workings, I appreciate you know how it works but I have detailed these background steps to provide clarity to the problem ------

 

The code in question resides in the product_thumb.php code that is used to generate the thumbnail on the fly. This code or 'page' is passed 2 critical variables from the main page (from user settings), these 2 variables being 'h' and 'w' (height and width obviously). When this page is called inline the product height and width is passed from the osCommerce product listing page to the product_thumb.php page to generate the thumbnail. What does not seem to be taken into account is the fact that these variables are made available to the client for manipulation (i.e. product_thumb.php does not collect the image settings itself, but assumes the passed information is correct).

 

An example of this can be shown by calling the product_thumb.php generation page directly using.

 

www.yoururl.com/catalog/product_thumb.php?img=images/myimage.jpg&w=100&h=75

 

 

This may not seem to be a problem (the thumb should generate as expected if the source image exists) but it becomes a problem when the input variables are manipulated because there is no bounds checking the size of the integer passed in for 'h' and 'w'.

 

Take for example this request where w is replaced with an 'extremely large' number.

www.yoururl.com/catalog/product_thumb.php?img=images/myimage.jpg&w=999999&h=75

 

This process will tie up GD for the maximum execution time specified in the PHP settings on the server. This will not only tie up webserver resources but may cause a DoS to other users accessing the page if your allocation of server resources are met.

 

This was tested on both a dedicated and shared webserver resource with both consuming massive amounts of resources attempting to generate an image of this size (memory and CPU cycles).

 

The solutions:

 

1. The quick temporary solution is to add bounds checking to the 'h' and 'w' variables to limit their size to a static integer, eg. 2048. An alternative would be to check the height / width passed to the product_thumb.php page, and if these values are larger than the original image exit without processing (this does not fix 'extremely small' numbers or fractions which may cause errors on the server).

 

2. Use static settings inside the product_thumb.php page so the end user at no point has access to the size of the thumb being generated. These could then be modified by administrators to set the image size once in the file (this may cause concern to administrators not confident to edit code).

 

3. Have product_thumb.php access the values from the osCommerce configuration directly so the 'small image size' is seamless to the user and the product_thumb.php is protected from this form of attack.

 

4. (desired) I think the best solution would be to generate the thumb and the 'large image' once off the original when the original is uploaded. This is no doubt more work but would be a better long term solution. This could possibly incorporate writing the image directly into a DB for better control over images and less requests to filesystem functions in scripts (always a good thing).

 

These are my thoughts, I thought I would let you know about these in case they were not brought to your attention.

 

If they have already been brought to your attention I apologise and I hope, if nothing else this message adds some clarity to the problem / concerns.

 

Thanks, keep up the good work!

 

-Sam (bzchi)

Edited by bzchi
Link to comment
Share on other sites
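
The bounds check from solution 1, with the caps held in server-side constants as in solutions 2 and 3, as an added example that is not part of the original post or of the contribution's code. The function name thumb_safe_dimensions and the constants THUMB_MAX_W / THUMB_MAX_H are hypothetical, and the cap values and the 800x600 source size are constructed for the demonstration.

```php
<?php
// Added example: hypothetical helper, not the contribution's product_thumb.php.
// Assumed caps standing in for the shop's configured small-image size.
const THUMB_MAX_W = 100;
const THUMB_MAX_H = 125;

/**
 * Validate the client-supplied 'w' and 'h' and return [width, height] that is
 * safe to hand to GD, or null when the request should be refused outright.
 */
function thumb_safe_dimensions(array $query, int $srcW, int $srcH): ?array
{
    if ($srcW < 1 || $srcH < 1) {
        return null; // unreadable or empty source image
    }

    $req = [];
    foreach (['w' => THUMB_MAX_W, 'h' => THUMB_MAX_H] as $key => $cap) {
        // Rejects missing values, arrays, fractions, zero, negatives and
        // anything above the cap, so 999999 never reaches imagecreate*().
        $value = filter_var($query[$key] ?? null, FILTER_VALIDATE_INT, [
            'options' => ['min_range' => 1, 'max_range' => $cap],
        ]);
        if ($value === false) {
            return null;
        }
        $req[$key] = $value;
    }

    // Fit inside the requested box, keep the aspect ratio, and never
    // upscale past the original image.
    $scale = min($req['w'] / $srcW, $req['h'] / $srcH, 1.0);

    return [
        max(1, (int) round($srcW * $scale)),
        max(1, (int) round($srcH * $scale)),
    ];
}

// Constructed sample query strings, checked against a constructed 800x600 source.
$samples = [
    ['w' => '100', 'h' => '75'],    // the normal call from the listing page
    ['w' => '999999', 'h' => '75'], // the oversized width described in the post
    ['w' => '0.5', 'h' => '75'],    // fraction
    ['h' => '75'],                  // 'w' missing (script called directly)
];

foreach ($samples as $query) {
    $dims = thumb_safe_dimensions($query, 800, 600);
    echo http_build_query($query), ' => ',
        $dims === null ? 'rejected before any GD call' : "{$dims[0]}x{$dims[1]}",
        PHP_EOL;
}
```

In product_thumb.php the two source dimensions would be the $image[0] and $image[1] values the script already reads from the source file, and a null result would end the request before any image is allocated.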

Sorry to resurrect this thread for my previous post,

 

I would have started another thread for this information but most of the comments/feedback for this contribution are in this thread.

 

This thread was also linked from the contribution page, that's why I used it :)

Edited by bzchi
Link to comment
Share on other sites

bzchi,

Thank you, that is a very good point, and I had not considered the potential for an attack like that. Where security is concerned, I tend to focus on "hacks" that would compromise the integrity of the data or allow access to the system...

 

I think the best solution would simply be to move (or dup) some of the code that determines the image size and does the scaling to product_thumb.php. (a simple referrer check could be stuck in, as well)

 

Generating the thumbnail version and saving it is not within the spirit of this particular mod - it is meant as an on the fly generator to eliminate file maintenance of xtra pics. There are a number of other mods already that generate/save the t/n image.

 

Thanks again for pointing that out, I will introduce a "fix" in the next release.

 

FlipC,

I figured some mod had to be in conflict ;) The image tag is generated just like the original tep_image, except the file it points to (the product_thumb.php file) generates a GIF/JPG/PNG header (so it is recognized by the browser as an image) and then of course builds the thumbnail.

** Please do not PM with personal support requests (even if offering "payment"). Thank you.

Link to comment
Share on other sites

bzchi,

Thank you, that is a very good point, and I had not considered the potential for an attack like that. Where security is concerned, I tend to focus on "hacks" that would compromise the integrity of the data or allow access to the system...

 

I think the best solution would simply be to move (or dup) some of the code that determines the image size and does the scaling to product_thumb.php. (a simple referrer check could be stuck in, as well)

 

Generating the thumbnail version and saving it is not within the spirit of this particular mod - it is meant as an on the fly generator to eliminate file maintenance of xtra pics.  There are a number of other mods already that generate/save the t/n image.

 

Thanks again for pointing that out, I will introduce a "fix" in the next release.

I understand you created the mod for a specific purpose and I appreciate that.

 

After looking at other mods for the image management I still haven't found one that gives a good amount of control over all aspects of image sizes and storage.. so I have started a mod for this which is turning into pretty major code reworkings to try and slot it in.. I now see why people prefer to keep it simple (and elegant) :D

 

I just think this mod approaches the problem with the right attitude, and I think GD can be used here to solve a lot of problems, so great work :)

 

I am fairly new to osCommerce, but I am interested to know what most people are using for their image management (in case I'm missing something here?)

Edited by bzchi
Link to comment
Share on other sites

OK I've had a friend install this kindly for me and it's not working. Basically when I upload a large image the thumbnail image or where it should be is just a red cross, when I go in and manually add a large image to the thumbnail section it's ok.

 

I thought once this software was added I could just add a large image to the large image browse your desktop button and away I go.

 

Also my image is too big for the product page itself. Have a look here.

 

http://www.tackandtackle.co.uk/product_inf...?products_id=35

 

 

Any help is greatly appreciated.

 

 

Small Image Width 100

Small Image Height 0

Heading Image Width 57

Heading Image Height 0

Subcategory Image Width 100

Subcategory Image Height 0

Calculate Image Size true

Image Required false

Small Image Width

Link to comment
Share on other sites

I now see why people prefer to keep it simple (and elegant)

You got it! I started to try modding the OTF thumbnailer so it wouldn't pass the width/height and boy, it's harder than I thought! I don't mind those thumbnail save ones, but none I see have an option to purge the unused images when you're done with them ;)

 

Mark-UK,

The image in question is a bitmap (BMP), which is not currently supported in this version of the thumbnailer. The source image must be a GIF, JPG or PNG. I suppose I could add it, but I've seen many implementations of GD where bitmaps were not supported.

 

As for the image size on product pages, you want to set both the max width and height and not leave either at "0". Generally, I set them to be the same, and the thumbnail will be that width or height, whichever dimension of the original picture is greater.

 

P.S. See the original contrib page for a simple alteration to your product page which allows for an "intermediate" sized image.

** Please do not PM with personal support requests (even if offering "payment"). Thank you.

Link to comment
Share on other sites

Sorry I don't understand this bit please explain.

 

 

As for the image size on product pages, you want to set both the max width and height and not leave either at "0". Generally, I set them to be the same, and the thumbnail will be that width or height, whichever dimension of the original picture is greater.

 

P.S. See the original contrib page for a simple alteration to your product page which allows for an "intermediate" sized image.

 

Oh and try this image, it's a jpg, why is the image so big on the product page?

 

Thanks for your help.

Edited by Mark-UK
Link to comment
Share on other sites

Mark-UK,

 

First

nate was saying your images can not be Bit Maps. (bmp)

Nor should they be as I believe compression is better with other formats as is cross platform visibility. So your first step is to change all of your BMPs into jpegs, gifs, or PNGs. (suggest Macromedia's "Fireworks" for batch processing)

 

Secondly,

Within the Admin's Image control settings.

If a person sets their image to "0" it disables OSC's resizing so the image will be its natural size. So the reason your image is SO big would be because the IMAGE you uploaded IS that size.

 

Third,

Nate's contrib uses code to scale an image down to a nice thumbnail size. This size depends on the original picture's size and is a % of the bigger side and the smaller side is constrained so as not to distort the thumbnail being created.

 

Fourth,

It is possible to have this contrib create a MEDIUM sized image also.

Go to the page where you downloaded this contribution and read through for this mod of the contrib.

 

Good Luck.

 

 

nate_02631

 

If I can give you access to a DEV model of the same set up I'm using would you be interested in looking into what is causing the contrib NOT to work correctly?

Edited by FlipC
Link to comment
Share on other sites

Thanks for fieldin' that one, FlipC ;)

 

As for accessing a dev site, I'm not sure that would help much, as I'm not familiar with the various mods you've applied...

 

Where the contrib is concerned, the *guts* of it appear to be working fine (the part that scales the thumbnail) as evidenced by the link you posted prior. The problem seems to be with the tep_image function or something specific with your setup.

 

As for red X's, I do not see them, however where an image *ought* to be, I see it is referenced as simply /images - with no filename and *not* referencing it via the thumbnailer; and that the width and height of the non-image are both set to "0"...

 

From this, I might infer that you have your small image width/height set to "zero" (set both to a real #), that you have Calculate image Size in your oSC config set to "0" or false, and/or that the image filename source is not being passed to the tep_image function.

 

The first two are easy to check, for the latter I might suggest echoing the variable for the image src passed to the tep_image function within the function ($src) and see if it's blank or not what is expected.

** Please do not PM with personal support requests (even if offering "payment"). Thank you.

Link to comment
Share on other sites

my image settings are changed as follows below:

 

Small Image Width 100

Small Image Height 125

Heading Image Width 100

Heading Image Height 50

Subcategory Image Width 100

Subcategory Image Height 50

Calculate Image Size true

Image Required false

Small Image Width

 

BUT STILL THE IMAGE on my product page is huge. Do I need to downsize it for this or what. Do I need to upload a smaller image. Does the image on the actual product page come from the image I've submitted to the large or thumbnail section in the admin when it says browse for image on pc etc.

 

I'm getting annoyed and frustrated now.

Link to comment
Share on other sites

To make this compatible for GD Versions under 2 change the following line in product_thumb.php

 

$tmp_img = imagecreatetruecolor($_GET['w'],$_GET['h']);

 

to

 

$tmp_img = imagecreate($_GET['w'],$_GET['h']);

 

I'm no php expert, but this worked for me using GD 1.6

If using the version 1.1 of OTF from July 7th, you also need to swap the commenting around on these two lines as imagecopyresampled() is a GD2+ function :

 

//imagecopyresized($tmp_img, $src, 0, 0, 0, 0, $_GET['w'], $_GET['h'], $image[0], $image[1]);
imagecopyresampled($tmp_img, $src, 0, 0, 0, 0, $_GET['w'], $_GET['h'], $image[0], $image[1]);

 

(edit - in product_thumb.php that is)

Edited by graham_b
Link to comment
Share on other sites

The reason I found that is I'm the bloke who tried to install this on Mark-UK's site and have just replicated the install of the contrib on a site I'll be developing soon..

 

I didn't do anything different in his than I did in mine, except make the two changes above for GD1.6 (I've been very remiss in updating my binaries :D) and it worked off the bat.

 

So I suspect you're right, nate - there must be additional contribs or modifications that are affecting the image size settings.

 

I'll pass it on.

Link to comment
Share on other sites

nate,

 

Sorry once again I had it removed when you looked at it. Still screwing around with it.

Here's a link to look at

Broken Image

This one is the DEV site I referred to.

It's a clone of my site set up except for graphically. I won't be changing that one so it will be exactly what I was referring to.

 

I initially assumed for your contrib to work one must set the image scaling within OSC OFF (or 0). Are you saying this is not the case?

 

My apologies but my PHP is limited.

I understand echoing HTML within PHP but not "echoing the variable for the image src passed to the tep_image function within the function ($src) and see if it's blank or not what is expected". Can you please post here?
Link to comment
Share on other sites

Ha! well nate, you got me thinking again after I had given up and bam - I figured it out. It was that darn old "apostrophe/single quote" problem. When the title has an apostrophe in it the thumb doesn't show up, even though it was clearly in the html.

Yup, I had the same problem - a couple of images weren't showing up, and they both had - 's - in the product name -- so, here is what I did to 'fix' the problem:

 

in catalog/product_info.php - line 134 or so (contribs, you know):

 

change

document.write('<?php echo '<a href="javascript:popupWindow(\\\'' . tep_href_link(FILENAME_POPUP_IMAGE, 'pID=' . $product_info['products_id']) . '\\\')">' . tep_image(DIR_WS_IMAGES . $product_info['products_image'], addslashes($product_info['products_name']), SMALL_IMAGE_WIDTH, SMALL_IMAGE_HEIGHT, 'hspace="5" vspace="5"') . '<br>' . TEXT_CLICK_TO_ENLARGE . '</a>'; ?>');

 

to

document.write('<?php echo '<a href="javascript:popupWindow(\\\'' . tep_href_link(FILENAME_POPUP_IMAGE, 'pID=' . $product_info['products_id']) . '\\\')">' . tep_image(DIR_WS_IMAGES . $product_info['products_image'], addslashes(addslashes($product_info['products_name'])), SMALL_IMAGE_WIDTH, SMALL_IMAGE_HEIGHT, 'hspace="5" vspace="5"') . '<br>' . TEXT_CLICK_TO_ENLARGE . '</a>'; ?>');

 

the javascript wasn't getting its \ before the ' - and this fixes that (I didn't want to mess with the Stripslashes in tep_image, since it worked fine everywhere else).

 

Hopefully this helps someone - my shop is not quite live, but ready for constructive criticism: http://www.tonsofcoolshit.com

 

Kathy

Link to comment
Share on other sites

Hi People!

 

First of all: Thnx for that great contribution!

 

For those who are having a problem with showing the pictures, because you changed the DIR_WS_IMAGES path in configure.php:

 

I changed my path for example like that, because I have some shops with the same picture directory:

define('DIR_WS_IMAGES', '/images/');

 

That's what I did, to get it to work correctly:

I added the following line
if (substr($src,0,1) == '/') $src = '..'.$src;
under
function tep_image($src, $alt = '', $width = '', $height = '', $params = '') {
if (substr($src,0,1) == '/') $src = '..'.$src;

 

Maybe it's useful for someone.

 

Greetz

Link to comment
Share on other sites

nate,

 

Quick note, I finally got it to work.

After I've done some testing I will make notes and a readme and post it on the Phesis.Co.uk site (Cre Loaded 6). FYI Neither Mo Pics, Ultra Pics, nor the BTS (Basic template System) affects this mod.

 

On another note. Are you still trying to get transparent PNG to work?

Link to comment
Share on other sites

Actually I do have them working.. got a little sidetracked, but I'm just trying to update the mod to minimize the potential for a DOS attack (as described above) and to detect if certain GD functions exists before calling them to make it more backwards-compatible with older versions of GD lib.

** Please do not PM with personal support requests (even if offering "payment"). Thank you.

Link to comment
Share on other sites

  • 2 weeks later...

Howdy all,

 

I just installed this contribution, but I seem to be getting several errors.

 

when I go to the site all I get are little red x's, if I do the click to enlarge then I can see my pictures.

 

I went to catalog/product_thumb.php and got a page of errors :

 

 

Notice: Undefined index: w in c:\easyphp1-7\www\catalog\product_thumb.php on line 35

 

Notice: Undefined index: h in c:\easyphp1-7\www\catalog\product_thumb.php on line 35

 

Notice: Use of undefined constant imagecreatetruecolor - assumed 'imagecreatetruecolor' in c:\easyphp1-7\www\catalog\product_thumb.php on line 48

 

Notice: Undefined index: w in c:\easyphp1-7\www\catalog\product_thumb.php on line 51

 

Notice: Undefined index: h in c:\easyphp1-7\www\catalog\product_thumb.php on line 51

 

Warning: imagecreate(): Invalid image dimensions in c:\easyphp1-7\www\catalog\product_thumb.php on line 51

 

Warning: imagecolorallocate(): supplied argument is not a valid Image resource in c:\easyphp1-7\www\catalog\product_thumb.php on line 53

 

Warning: imagefill(): supplied argument is not a valid Image resource in c:\easyphp1-7\www\catalog\product_thumb.php on line 55

 

Warning: imagecolortransparent(): supplied argument is not a valid Image resource in c:\easyphp1-7\www\catalog\product_thumb.php on line 56

 

Notice: Use of undefined constant imagecopyresampled - assumed 'imagecopyresampled' in c:\easyphp1-7\www\catalog\product_thumb.php on line 68

 

Notice: Undefined variable: src in c:\easyphp1-7\www\catalog\product_thumb.php on line 71

 

Notice: Undefined index: w in c:\easyphp1-7\www\catalog\product_thumb.php on line 71

 

Notice: Undefined index: h in c:\easyphp1-7\www\catalog\product_thumb.php on line 71

 

Warning: imagecopyresized(): supplied argument is not a valid Image resource in c:\easyphp1-7\www\catalog\product_thumb.php on line 71

 

Notice: Undefined variable: src in c:\easyphp1-7\www\catalog\product_thumb.php on line 84

 

Warning: imagedestroy(): supplied argument is not a valid Image resource in c:\easyphp1-7\www\catalog\product_thumb.php on line 84

 

Warning: imagedestroy(): supplied argument is not a valid Image resource in c:\easyphp1-7\www\catalog\product_thumb.php on line 85

 

 

 

I have turned off the truecolor, and the resampling, but still the same errors.

 

This is on my test system, using EasyPHP which has gd 2:

 

gd

GD Support enabled

GD Version bundled (2.0.15 compatible)

FreeType Support enabled

FreeType Linkage with freetype

GIF Read Support enabled

JPG Support enabled

PNG Support enabled

WBMP Support enabled

XBM Support enabled

 

 

I have installed the v1.5 dated : 16 Sep 2004

 

Does anyone have any ideas on what I can do to fix this?

 

Thanks,

Doug

Link to comment
Share on other sites

It would be helpful to see a link and an example... The most likely cause is that you are trying to thumbnail an unsupported file format (only PNG, GIF, and JPG are supported) or that your catalog config, with respect to the image directory is not set correctly.

 

It may also be you have your PHP's errors message turned all the way up on your machine, which is causing the problem... For each call to the thumbnailer, it is trying to output an "undefined variable" message before it makes the thumbnail which may be causing the images not to show up. (If you call the product_thumb.php by itself, naturally you will get some errors as it is expecting info to be passed along to it)

 

You could try adjusting your PHP's error message settings so they only output *fatal* error warning messages or alter the script to implicitly define every variable at the beginning (I know a better, if somewhat outdated PHP coding practice).

** Please do not PM with personal support requests (even if offering "payment"). Thank you.

Link to comment
Share on other sites

Hi People!

 

First of all: Thnx for that great contribution!

 

For those who are having a problem with showing the pictures, because you changed the DIR_WS_IMAGES path in configure.php:

 

I changed my path for example like that, because I have some shops with the same picture directory:

define('DIR_WS_IMAGES', '/images/');

 

That's what I did, to get it to work correctly:

I added the following line
if (substr($src,0,1) == '/') $src = '..'.$src;
under
function tep_image($src, $alt = '', $width = '', $height = '', $params = '') {
if (substr($src,0,1) == '/') $src = '..'.$src;

 

Maybe it's useful for someone.

 

Greetz

 

 

Perfect Greetz! This was just what I needed to get this working on my other store- thanks to you for that snippet and thanks to Nate for a great contribution!

Link to comment
Share on other sites

I have tried everything I can to get this contrib to work on my store. and no matter what I do, my images just do not resize with the proper ratio. It would be greatly appreciated if someone were able to help me.

 

thanks.

Link to comment
Share on other sites
