Closed Bug 449440 Opened 16 years ago Closed 16 years ago

Cannot remove uploaded images

Categories

(support.mozilla.org :: Knowledge Base Software, task)

Product:
support.mozilla.org
Component:
Knowledge Base Software
Type:
task
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
VERIFIED FIXED

People

(Reporter: cilias, Assigned: lorchard)

References

(
URL
)

Details

(Whiteboard: tiki_test)

Attachments

(3 files)

patch (-p1) that sweeps for unused uploaded images that don't have gallery DB entries
2.09 KB, patch
laura
: review+
Details | Diff | Splinter Review
Screenshot, post-fix, step one--image uploaded
448.32 KB, image/png
Details
Screenshot, post-fix, step two--image removed
24.99 KB, image/png
Details 
Sometimes spammers use the image uploader. I can reject the edit, but the image is still available via direct URL. I've used the [Remove] button at <http://support.mozilla.com/tiki-admin.php?locale=en-US&page=gal>, but it did not remove <http://support.mozilla.com/img/wiki_up/P3140331.JPG>.
Looking at the user profile of the user who uploaded the last image in comment 2 <http://support.mozilla.com/tiki-adminusers.php?offset=0&numrows=10&sort_mode=login_asc&user=33927#2>, time of registration and last login are a couple of minutes apart. Looking at the action log, uploading that image is the only thing that user did.

Right now, it looks like the system is purposely being abused.
Severity: normal → major
Target Milestone: --- → 0.6.3
Group: websites-security
Can we please set things up so we only allow embedding of images when the referer is also on SUMO?  (When this is done please assign this bug back to webdev so we can build a UI for image deletion as well)
Assignee: nobody → server-ops
Severity: major → critical
Assignee: server-ops → oremj
+
+  RewriteCond %{HTTP_REFERER} !^$
+  RewriteCond %{HTTP_REFERER} !^https?://support.mozilla.com/.* [NC]
+  RewriteRule ^/.*/img/wiki_up/.* - [F]
+

This works for the most part.  The image will be available if it ends up in the NS cache.
Assignee: oremj → laura
The changes to rewrites move this down from critical (yay, thanks oremj). Still need UI for deletions though.
Severity: critical → normal
UI to be done in 0.6.4
Target Milestone: 0.6.3 → 0.6.4
Target Milestone: 0.6.4 → 0.7
Target Milestone: 0.7 → 0.8
Group: websites-security
Group: websites-security
Grabbing this one from Laura - looks like it might be a bit of a pain to fix, but I might have a lead on it.
Assignee: laura → lorchard
The original admin code seems to expect images to be tracked in an tiki_images table, but the code for uploading images over in tiki-editpage.php never touches that table.  Thus, the remove button did nothing for these images.

I think the attached patch should work to sweep up images that have been uploaded via tiki-editpage.php yet not included in the text of any pages.  I'm a *little* leary about it, since it does delete and I'm wondering if it should back up things anywhere.  Seems weird that the original code doesn't do this, so I'm wondering also if this is the right approach.
Attachment #351461 - Flags: review?(laura)
Another thought: To make this less sweeping and less dangerous to the site overall, I wonder if it would be useful to make this available as a per-page image removal admin action, using the page hash prefix introduced with bug 450548 to constrain deletion to a less than site-wide scope.  Of course, that will also limit it to images uploaded by the patch in bug 450548, but it's an idea
Attachment #351461 - Flags: review?(laura) → review+
in trunk as r20631 and in prod as r20632
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Hey Les: how do I test this on support-stage?
The patch deletes images that have been uploaded, but are no longer referenced in the source of any pages.  If you have admin access on support-stage (unlike me), the following should exercise the code:

* Edit a page, eg:

http://support-stage.mozilla.org/tiki-editpage.php?locale=en-US&page=*Installing+Firefox+on+Mac

* Select one or more images for upload under "Upload Images" in the editing form.  As you select those images, you should see the future URLs for those images appear as markup in the textarea with the page source.

* Hit "preview" to actually upload the images.  After the page reloads, you should see your uploaded images in the preview where the markup was inserted.

* Go into the textarea and cut the markup for the images you just uploaded.  You should paste this cut markup into a textedit window, because you'll need those image URLs in a second. 

* Hit "preview" again, and the images should no longer be visible in the page.

* Now, just to be sure, visit the URLs of the uploaded images that have been removed from the page markup.  They should not yet be 404s.

* Visit the admin page for image management:

http://support-stage.mozilla.org/tiki-admin.php?locale=en-US&page=gal

* Scroll down to the "Exterminator" section, hit the "Remove" button.

* Try visiting those image URLs again, and they should now come up as 404s.
Oh, and to be absolutely certain that nothing that shouldn't get deleted goes away, try uploading some images and leave them in the markup.  Hit the "remove" button in the admin page, and verify that the images still used in page markup are still accessible.
Verified FIXED using the immaculate STR helpfully provided by Les in comment 15; you are to be commended, sire.
Status: RESOLVED → VERIFIED
Whiteboard: tiki_triage
Whiteboard: tiki_triage → tiki_discuss
Not sure why tiki_discuss was added here.
Probably related to an other issue. Tiki now uses file galleries to store attachments by default, so this bug is obsolete. However, there might be some planification required for the migration.
Based on comment 22 -> tiki_test. Test this on tiki-trunk.m.c and potentially open a new bug.
Whiteboard: tiki_discuss → tiki_test
These bugs are all resolved, so I'm removing the security flag from them.
Group: websites-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: