Bug #26546 issue with htaccess
Submitted: 2003-12-06 22:26 UTC
Modified: 2003-12-08 09:38 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: rcoles at hotmail dot com
Assigned:
Status: Not a bug
Package: GetImageSize related
PHP Version: 4.3.3
OS: all
Private report: No
CVE-ID: None
 [2003-12-06 22:26 UTC] rcoles at hotmail dot com
Description:
------------
It appears that certain settings in the htaccess file will produce unexpected results if an app is using getimagesize(). This issue may have a bearing on the zero height/width issues reported elsewhere.

The app I've been working on is a random picture gallery. The PHP code using getimagesize() looks like this:

$maxwidth =180; //modify this figure to suit
$imagehw = getimagesize($image[$r]);
$imagewidth = $imagehw[0];
$imageheight = $imagehw[1];
if ($imagewidth>$maxwidth) {
   $imageprop = ($maxwidth*100)/$imagewidth;
   $imagevsize = ($imageheight*$imageprop)/100;
   $imagewidth = $maxwidth; 
   $imageheight = ceil($imagevsize);
}

[$r] is an image in an array. The rest of the code auto-resizes the image and maintains a constant aspect ratio.

Looking over my web access logs I get this:

web host IP address - - [06/Dec/2003:02:14:52 -0600] "GET /images_dir/some_sub_dir/IMG_2581.jpg HTTP/1.0" 403 - "-" "-"
ISP's IP address - - [06/Dec/2003:02:14:53 -0600] "GET /images_dir/some_sub_dir/IMG_2581.jpg HTTP/1.0" 304 - "http://www.xxx.com/some_dir/s0me_page.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Q312461)"

Note the "403 - access denied" in the first line.

In my htaccess file I have the following:

# Forbid if blank (or "-") Referer *and* UA
RewriteCond %{HTTP_REFERER} ^-?$
RewriteCond %{HTTP_USER_AGENT} ^-?$
RewriteRule .* - [F]

These lines forbid/ban blank referrers and UA's. 

As far as I can understand and thus, now assume, while using getimagesize, the web host's server does a "GET" to get the image before passing it to the code and then serving it to the browser. While doing the "GET" - and because it's an "internal process" - there would be no need for a UA. The htaccess file picks this up and issues a 403. The image reference is then passed to the browser but no image appears. Well, it does but appears as a pixel dot. No error warnings or notices are produced with this error.

I have tried adding the following line to the htaccess file to try and by-pass this issue:

RewriteCond %{REMOTE_ADDRESS} !^xxx\.xxx\.xxx\.xxx$

xxx being the host IP address. Have had NO success with this so far.

Expected result:
----------------
With these lines removed from my htaccess file:

# Forbid if blank (or "-") Referer *and* UA
RewriteCond %{HTTP_REFERER} ^-?$
RewriteCond %{HTTP_USER_AGENT} ^-?$
RewriteRule .* - [F]

this is what I get in my web access logs:

web host IP address - - [05/Dec/2003:22:11:10 -0600] "GET /images/some sub_dir/IMG_2295.jpg HTTP/1.0" 200 49254 "-" "-"
ISP's IP address - - [05/Dec/2003:22:11:11 -0600] "GET /images/some sub_dir/IMG_2295.jpg HTTP/1.0" 304 - "http://www.xxx.com/some_dir/some_page.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Q312461)"

Note the "200" passed on each line. In other words, the app works as designed.

Actual result:
--------------
With the above htaccess RewriteCond in place, this is what I get at the browser end:

<img src="http://www.xxx.com/images_dir/some_sub_dir/IMG_3235.jpg" width="" height="" alt="This is a Random Image" />

Note the empty width and height parameters.

 [2003-12-06 22:38 UTC] rcoles at hotmail dot com
BTW this issue is not specific to the particular PHP version as mentioned in the report. It first came to my attention while the web hosting was using 4.2.3 and thought the issue was related to an earlier getimagesize() issue. My test rig is running 4.3.3 and the web host has just upgraded to 4.3.4. The results are the same.
 [2003-12-07 12:08 UTC] sniper@php.net
Always check that getimagesize() actually succeeded..
(I assume it fails now due to the fact that you do a remote request from the same server to the same server)

And as RewriteCond %{REMOTE_ADDRESS} !^xxx\.xxx\.xxx\.xxx$,
makes it work, there is no bug here.

Hint: Try putting 'error_reporting(E_ALL);' or set it in your php.ini and you'll see the actual error message..
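
The check sniper recommends, as an added example that is not part of the original thread or of the reporter's app: it tests the return value of getimagesize() before using the dimensions and reads the file by local path, so the lookup never becomes an HTTP request that the blank Referer/UA rule can reject. The function names, paths and sample files are assumptions made up for this example, and it assumes the images live on the same server's filesystem.

```php
<?php
// Added example; function names, the 180px limit and the sample files
// below are constructed for illustration.

/** Return [width, height] scaled to $maxWidth, or null if unreadable. */
function scaled_dimensions(string $path, int $maxWidth): ?array
{
    // A local path keeps the read off HTTP, so rewrite rules that reject
    // blank Referer/User-Agent requests never see it.
    if (!is_file($path) || !is_readable($path)) {
        return null;
    }
    $info = getimagesize($path);          // false when not a valid image
    if ($info === false || $info[0] < 1 || $info[1] < 1) {
        return null;
    }
    [$width, $height] = $info;
    if ($width > $maxWidth) {
        $height = (int) ceil($height * $maxWidth / $width);
        $width  = $maxWidth;
    }
    return [$width, $height];
}

/** Build the <img> tag, omitting width/height when they are unknown. */
function img_tag(string $url, string $path, int $maxWidth = 180): string
{
    $attrs = 'src="' . htmlspecialchars($url, ENT_QUOTES) . '"';
    $dims  = scaled_dimensions($path, $maxWidth);
    if ($dims === null) {
        error_log("getimagesize() failed for $path");
    } else {
        $attrs .= sprintf(' width="%d" height="%d"', $dims[0], $dims[1]);
    }
    return "<img $attrs alt=\"This is a Random Image\" />";
}

// Constructed samples: a 640x480 GIF header (getimagesize() only parses
// the header) and a file holding an error page instead of image data.
$good = tempnam(sys_get_temp_dir(), 'img');
$bad  = tempnam(sys_get_temp_dir(), 'img');
file_put_contents($good, 'GIF89a' . pack('vv', 640, 480) . "\x00\x00\x00;");
file_put_contents($bad, '<html><body>403 Forbidden</body></html>');

echo img_tag('/images_dir/a.gif', $good), "\n";
echo img_tag('/images_dir/b.jpg', $bad), "\n";
unlink($good);
unlink($bad);
```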

 [2003-12-07 21:32 UTC] rcoles at hotmail dot com
In response to my bug report I get this reply:
<--begins-->
Always check that getimagesize() actually succeeded..
(I assume it fails now due to the fact that you do a remote request from
the same server to the same server)

And as RewriteCond %{REMOTE_ADDRESS} !^xxx\.xxx\.xxx\.xxx$,
makes it work, there is no bug here.

Hint: Try putting 'error_reporting(E_ALL);' or set it in your php.ini
and you'll see the actual error message..
<--ends-->

Perhaps I should apologise now for the fact that I couldn't cram my report into a 2 line "sound bite". The original report appears to have "taxed" the attention span of some.

Please read and read again - inserting the "RewriteCond %{REMOTE_ADDRESS} !^xxx\.xxx\.xxx\.xxx$" DOES NOT make this application work. Repeat - DOES NOT.

In order to get this application using getimagesize() to work I have to remove the RewriteCond blocking blank referrers and UA's.

As for the part about "same server to the same server". I guess it's all in the code. It's also in the report.

I wrote the app as part of a copy and paste operation. As for the workflow and the way it works, it wasn't really a concern until now. All I now know, is that if I put in the RewriteCond affecting blank referrers/UA's the app doesn't work. Take it out and it works. How and why isn't my problem, that's for the powers that be at PHP. Sorry I can't be more helpful.
 [2003-12-08 06:40 UTC] sniper@php.net
We are not mind readers. Unfortunately. So unless you can come up with a self-contained example script, we have to ASSUME..

 [2003-12-08 09:38 UTC] rcoles at hotmail dot com
... "we have to ASSUME..." what, pray tell?

As for the "self-contained example script" part, what are you looking for?

If it's any consolation, download the zipped app from - http://www.e107coders.org/download.php?view.364

And then:
1. unzip the app. It should set up its own directory as in rpg_menu.
2. set up a sub-directory for your images and load up some images - preferably jpegs. They can be of any dimension.
3. check out the readme.txt.
4. go into the single php file and configure the app as per the commented instructions.
5. strip out any user specific references where required - this being a plugin for a CMS app. If you can't figure this part out - drop me a note.
6. run the app.

It should work as designed - that is, resizing the image to a given dimension - typically the width - while maintaining the same aspect ratio. A new image should appear on each page refresh.

Now, for the second part:

Set up an htaccess file with the RewriteConds used to block blank referrers/UA's as per my initial post. Run the htaccess with and without that RewriteCond and see what happens. 

This is NOT rocket science nor does it require any sort of "mind reading". As far as I'm concerned, it is as stated in my first post. Short of providing the raisins and wiping up after this mess, not sure what else I can do to make this item any clearer or make it more obvious...
 