Announcement

#1 2013-08-14 17:46:36

icy
Translation Team
Vietnam
2011-06-30
105

Icy-Picture-Modify bug found in versions 2.1.0 => 2.4.0 please upgrade

All versions from 2.1.0 to 2.4.0 have a security issue that may break your ACL settings and that allows any user in the Piwigo system to edit any images in the Piwigo system. This problem is fixed in version 2.4.1.

Please upgrade to version 2.4.1 or apply the patch file /patches/IPM-SA-2013-08-14.patch found in the source tree or at the following link:
   https://github.com/icy/icy_picture_modi … 8-14.patch

The details of the bug can be found in this commit message
  [Github] icy_picture_modify commit 6a8f26e8

=================================================
You don't need to read the message below; it's kept for reference
=================================================

Old announcement (Please ignore)

A bug was found in my plugin, thanks to Kalle, that leads to the case where any user in the Piwigo system can edit any images of other users.

Please don't update to this version. If you've updated to this version 2.4.0, please roll back to the previous version. The easiest way is to replace these two files on your installation:

1. File plugins/icy_picture_modify/include/*.php should be replaced by

https://raw.github.com/icy/icy_picture_ … fy.inc.php

2. File plugins/icy_picture_modify/main.php should be replaced by

Last edited by icy (2013-08-14 18:54:55)


#2 2013-08-14 17:52:15

mistic100
Former Piwigo Team
Lyon (FR)
2008-09-27
3277

Re: Icy-Picture-Modify bug found in versions 2.1.0 => 2.4.0 please upgrade

You should delete the revision; many users don't visit the forum, nor read release notes before doing an automatic upgrade.

Delete the 2.4.0 now and release 2.4.1 later.


#3 2013-08-14 18:43:42

icy
Translation Team
Vietnam
2011-06-30
105

Re: Icy-Picture-Modify bug found in versions 2.1.0 => 2.4.0 please upgrade

> You should delete the revision; many users don't visit the forum, nor read release notes before doing an automatic upgrade.
>
> Delete the 2.4.0 now and release 2.4.1 later.

Thank you for your help. I've released the new version 2.4.1. I will be sure to follow your guide if my plugin has a serious bug next time!


#4 2013-08-18 21:07:03

chrisa
Member
2013-06-08
11

Re: Icy-Picture-Modify bug found in versions 2.1.0 => 2.4.0 please upgrade

Hi Icy

I don't know if there is a place to request changes to plugins, so apologies if this is not in the correct thread.

I upgraded the icy plugin today (btw, thanks for your work on this!) and it overwrote a minor change I had to make to the code.  I need the upload notifications that are sent to admin disabled.

Can you make this configurable?  My suggestion would be to make the following change:

plugins/icy_picture_modify/add_photos.php
line 238:
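// Send the admin notification unless the option is set in the local config.
// empty() also covers the case where the key is not defined at all.
if (empty($conf['suppress_upload_notifications'])) {
  pwg_mail_notification_admins(
    get_l10n_args('%d photos uploaded by %s', array(count($image_ids), $user['username'])),
    $keyargs_content,
    false
  );
}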

I can then define this conf value in the local config file to prevent notifications.  If the conf value is not defined, there will be no change to the current logic.

Thanks
Chris


#5 2013-08-19 04:19:16

icy
Translation Team
Vietnam
2011-06-30
105

Re: Icy-Picture-Modify bug found in versions 2.1.0 => 2.4.0 please upgrade

> I don't know if there is a place to request changes to plugins, so apologies if this is not in the correct thread.

The most convenient way is to create a new topic on the Piwigo forum. And the official way is to use the ticket system on Github https://github.com/icy/icy_picture_modi … state=open (this may be a bit annoying)

> I upgraded the icy plugin today (btw, thanks for your work on this!) and it overwrote a minor change I had to make to the code.  I need the upload notifications that are sent to admin disabled.

Another guy is also requesting this feature. I am working on that. Stay tuned.
