What are those things?

Live forum: /viewtopic.php?t=19

Colleen

15-09-2004 22:52:21

What are those "things" under the username on people's posts (the little graphics)?

They're a little... phallic :P

Also, I can't seem to get my avatar to work - maybe someone can help? I'm just going to my profile, giving the location via URL, and clicking submit, but I don't see it in my profile or member info afterwards.

The image is being fetched from the server successfully though:
68.227.122.109 - - [15/Sep/2004:23:43:00 -0400] "GET /images/misc/evilpigicon80x80.jpg HTTP/1.1" 200 1898 "-" "-"

Thanks!

- Colleen

wolfjb

15-09-2004 23:31:39

I think they are supposed to be swords... think Dungeons and Dragons...

wolfie

16-09-2004 07:03:42

Colleen,

Yes, they are swords. If you don't like them feel free to create something else and send it in. I have not found any other ranks that I really like, but these are the closest to being bearable. :)

About the avatar, in an effort to keep things safe I have turned off the ability to link to an avatar that is offsite. If you would like to use your avatar just upload it and you will be fine.

Anonymous

16-09-2004 07:35:27

What are those "things" under the username on people's posts (the little graphics)?

They're a little... phallic :P

Colleen, you say that like it's a bad thing... ;-P

wolfie, what's wrong with ranks in word form? most of the phpbb forums I haunt do it that way.

Despite

16-09-2004 07:39:54

dang it, last post was me. what's with me not being auto logged in?

TheDanMan

16-09-2004 08:06:57

There is this little checkbox, log in every time I visit.

wolfie

16-09-2004 09:30:45

Well, the word ranks are there, but I tend to like the images, but hey it is not a monarchy let me know what you think and I can rip them out or use the ones everyone decides on :)

TheDanMan

16-09-2004 09:37:32

I like the swords, but umm, the ones ya got are lame. I'll make some new uns.

wolfie

16-09-2004 09:42:27

Yeah, they don't look the greatest, but that is all I could find, they are a bit hard to come by, rank icons that is.

Please contribute away, this is a community effort :)

TheDanMan

16-09-2004 10:10:02

I'm making penguins, 5 penguins and when you get to 6 they like glow or something :-P

wolfie

16-09-2004 11:37:53

I don't like things that distract from the content, so please nothing that glows or blinks :)

TheDanMan

16-09-2004 11:55:39

It'll have a glow effect, but don't worry, I won't overdo it.

Despite

16-09-2004 12:46:07

graphic rank representations, avatars, and big-ass sig pics allowed. distract from content? you be the judge.

Colleen

16-09-2004 13:31:07

OK, everyone ph33r my 1337 evilpig avatar :twisted:

About the avatar, in an effort to keep things safe I have turned off the ability to link to an avatar that is offsite. If you would like to use your avatar just upload it and you will be fine.

This is what it says in the profile page:

Upload Avatar from a URL:
Enter the URL of the location containing the Avatar image, it will be copied to this site.


That suggests that there is no linking involved, that the server goes out and fetches it from the URL initially, then stores it locally. The Apache log I pasted above indicates that as well (that was the result of me doing the upload via URL).

I wouldn't think that doing that would be more of a security risk than allowing upload via HD, unless you just don't want your server making the outbound http requests...

As another security person I'm curious what your take on it is though :)

- Colleen

TheDanMan

16-09-2004 14:06:22

If despite had his way the <img> tag would be removed from the HTML language.

wolfie

16-09-2004 16:06:18

Despite,

While I am not a big fan of sig pictures, especially large ones like TheDanMan's (:)) as long as they don't blink I am okay with it, but if the consensus is to stop this I will make everyone have to submit through me for approval on certain items. Avatars I think are essential, again as long as they don't move or blink to help one achieve presence on the forums.

Colleen,

I can physically control what other people want to upload, ie deleting inappropriate material. This is a security posture I am trying to propagate with that decision. It was a compromise of security and hands-offishness for allowing users to upload.

Hope this answers some questions!

TheDanMan

16-09-2004 16:46:56

My sig went on a low carb diet. :-P

wolfie

16-09-2004 16:50:30

Thank you, that is much more palatable!

THANK YOU! :D

Colleen

16-09-2004 19:32:13


Colleen,

I can physically control what other people want to upload, ie deleting inappropriate material. This is a security posture I am trying to propagate with that decision. It was a compromise of security and hands-offishness for allowing users to upload.

Hope this answers some questions!


One of us is misunderstanding the way this works, or I'm misunderstanding what you're saying, but I'm not sure which. :D I'm gonna attempt to clarify here...

This is what I think you're saying:
You want everyones' avatars to reside on the server so that you can delete inappropriate material if necessary. Perfectly reasonable, and a smart choice IMO.

This is how I think it works:
Case 1 - You're OK with this:
I use the "Upload Avatar from your machine" function to do just that - upload my image file from the computer I'm using to view the forum to the server. The server stores it somewhere, and serves it to forum viewers from that location, which you have access to and can delete if I choose to upload goatse.

Case 2 - You feel that this is a security risk:
I use the "Upload Avatar from a URL" function to supply a link to my image file out there somewhere on the intarweb. According to the description of the function, "Enter the URL of the location containing the Avatar image, it will be copied to this site." From my Apache logs, it looks like that's exactly what happens: I click submit and your server fetches the image file from the specified URL. Presumably it stores it in exactly the same location that it would have if I had done Case 1, and serves it to forum viewers exactly the same way.

This is how I think you think it works (hehe):
Your replies seem to indicate that you think that in Case 2, the image file would be fetched from the specified URL by whoever was viewing the thread, i.e. that the phpbb would dynamically generate code with something like <img src="http://www.colleenssite.com/colleens.avatar.jpg"> if that were the specified URL.

Interestingly, that's exactly how sig images seem to work on this forum. Check out the HTML for Dan's sig, which includes this: <img src="http://images.dansdungeon.net/minidownloads.jpg" border="0" />

If it does work that way, the fact that you have no control over the pics is just one of many problems. Others include:
- User uses an image from some unrelated person's site for avatar and posts to high-traffic forum. Poor unrelated person now has to serve the avatar to 5 zillion forum viewers each time a page containing one of the user's posts is read.
- User uses an image stored on their own server. User can now tell who's browsing the forums and at what time (assuming the user has posted in that thread) by looking at their webserver logs - basically the avatar acts as a web bug.
- User uses said webserver logs which contain forum members' IPs to DDoS members they don't like, perform "unsolicited penetration tests", etc.

These risks are of course also present any time you allow forum users to use the img tag in the content of their posts too, which is why a lot of forums don't allow that (or don't allow user-supplied HTML at all). I personally would feel most comfortable if sig images were treated the same way as avatars, i.e. served from the forum server. I've also seen cases in the past where forum sigs that accepted user-supplied HTML have been used in conjunction with browser exploits to compromise forum viewers' machines. That's the problem with user-specified HTML: you can filter for SQL injection, cross-site scripting, and everything else under the sun, but when you start allowing users to control the code on the page, you're taking the risk that they might do something like that. Sigs are especially nice because you get automatic duplication of the malicious code in every one of your posts. And then there's the whole goatse problem ;-D

From the description on the profile page, I think that instead Case 2 is generating code identical to the code generated in Case 1: something like <img src="images/avatars/7756873514149d8d095c5e.jpg">

You haven't said why you think it works that way. It may very well work that way: you're the one with access to the server and the phpbb masta :). All I have to go on is my apache logs and what it says on the Profile page. But if it does work the way I think you think it does, that looks like a bug to me, either in the code or the text string on the Profile page. If the image wasn't supposed to be served from the server, why does the server fetch it from the given URL, and why does the Profile page say that?

Obviously anyone who has the URL for an image can wget/right click/whatever to download it onto their hard drive and then upload it the Case 1 way. But I really think that Case 2 was just meant to save that step, and that the end result of how it gets served to forum viewers is exactly the same.

Although this post is quite long, it really isn't a big deal. I am just quite curious now how it really works, and inquiring minds want to know. You may not care at all, in which case telling me to "drop it" is of course perfectly understandable :D

BTW, the new forums are hot! Thanks for getting them set up.

- Colleen

P.S.: If this made no sense it's bc I'm running on 4 hours of sleep. Hell, maybe that's why I'm having this misunderstanding issue in the first place ;-D

wolfie

16-09-2004 20:25:57

I think we are on the same page, but maybe also I have assumed something wrong. Let me explain.

I am concerned about people using html to launch exploits against the site. I have turned off the ability to interpret html tags in the forum, I did not realize until you pointed it out that TheDanMan is using bbcode to link his sig to an external image. While I don't have any control on what bbcode options they can use, I can limit the html tags people can use.

I do have the option to disable signatures, which is nice in case people get out of hand with them :) Thankfully TheDanMan cut the size of the sig pic and it is acceptable, IMHO.

I am somewhat concerned with people using the upload avatar option to try and exploit a weakness with the site (don't know of one off the top of head, but hey there are some creative bastards out there), but I am trying to make a functional decision and promote a diverse community.

Now on to the issue of picture uploads. Anyone, in the current config, can post a picture or what not to the body of the post (and currently using bbcode in their sig as well). This can only be controlled by, I think, disabling bbcode and html or disabling bbcode and enabling html code and limiting the tags to nothing or a small subset. While the last item is probably the safest it does hamper the ability of the site somewhat, and I would really make it more functional in the beginning and if we get rooted, well, I can rebuild and lock it down to nothing.

Hopefully I have enough protected not to get royally hosed :wink:


On the note about avatars:

Avatars uploaded do get a unique id assigned to them and get placed in the root of the avatars directory. phpbb is nice enough to delete that file if it is no longer being used. Sig images, using bbcode again, apparently can be used and that is really a bothersome affair, I will probably submit a request to the devs that this be a controllable item in the config. I sure would like the ability to disable images from being shown in the sig altogether (I have seen some really big and obnoxious sigs before).

Hopefully I have clarified a few things on my position. :)
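The distinction Colleen draws between Case 1/Case 2 (image copied to the site and served locally) and a hotlinked sig image (every viewer's browser contacts a third-party host, so that host's logs see the viewers' IPs), and wolfie's note that uploaded avatars get a unique id in the avatars directory, can both be checked in code. The following is an added example written for this thread, not phpBB's own code: the HTML snippet, the hostnames and the avatar id are constructed, and the storage path is only modelled (nothing is written to disk).

```python
import re
import secrets
from urllib.parse import urlparse

# Constructed sample of what a rendered post might contain: a locally stored
# avatar (Case 1 / Case 2 result) plus a signature that hotlinks an off-site
# image. Hostnames and the avatar id are made up for this example.
SAMPLE_POST_HTML = """
<img src="images/avatars/7756873514149d8d095c5e.jpg" alt="avatar" />
<div class="sig"><img src="http://images.example.net/minidownloads.jpg" border="0" /></div>
"""

# Matches the src attribute of <img> tags, double- or single-quoted.
IMG_SRC_RE = re.compile(r'<img\b[^>]*\bsrc\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)


def classify_image_sources(html, site_host):
    """Split every <img src> in the rendered HTML into images the forum serves
    itself and images that make each viewer's browser contact another host.

    A relative path or a URL on site_host is local; anything else (absolute
    URL or protocol-relative //host/... form) is external and therefore acts
    as a web bug / hotlink from the viewer's point of view."""
    local, external = [], []
    for src in IMG_SRC_RE.findall(html):
        parsed = urlparse(src)
        if parsed.netloc == "":
            local.append(src)
        elif parsed.netloc.lower() == site_host.lower():
            local.append(src)
        else:
            external.append(src)
    return local, external


# Magic bytes of the image formats a forum would normally accept. Checking the
# bytes, not the URL's extension, is what matters once the server fetches the
# file itself on the user's behalf.
IMAGE_SIGNATURES = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}


def sniff_image_type(data):
    """Return the file extension for recognised image bytes, or None."""
    for magic, ext in IMAGE_SIGNATURES.items():
        if data.startswith(magic):
            return ext
    return None


def store_avatar(data, avatars_dir="images/avatars", uid=None):
    """Model the 'copied to this site' path: the server has the bytes in hand,
    verifies they really are an image, and names the file with a generated id
    so the post HTML never references the origin URL. Returns the local path
    the avatar would be served from (this example does not write the file).
    uid is a hypothetical parameter so callers can pass a fixed id."""
    ext = sniff_image_type(data)
    if ext is None:
        raise ValueError("fetched content is not a recognised image")
    uid = uid or secrets.token_hex(11)
    return f"{avatars_dir}/{uid}.{ext}"


if __name__ == "__main__":
    local, external = classify_image_sources(SAMPLE_POST_HTML, "forum.example.org")
    print("served by the forum:", local)
    print("viewers fetch from third parties:", external)
    # A constructed JPEG header standing in for bytes the server fetched.
    print("stored as:", store_avatar(b"\xff\xd8\xff\xe0" + b"\x00" * 16))
```

Run against the rendered HTML of a page, the external list is exactly the set of images whose origin server learns who viewed the thread; the store_avatar path shows why the URL-copy option removes that exposure, since the viewer only ever sees the local path.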

Despite

20-09-2004 09:50:58

I'd like to request that rather than get more phalli^W "swords" filled in as my postcount goes up, I'd like to instead have just one "sword", but make it get bigger with increasing postcount. is that possible?

Colleen

21-09-2004 17:57:58

I'd like to request that rather than get more phalli^W "swords" filled in as my postcount goes up, I'd like to instead have just one "sword", but make it get bigger with increasing postcount. is that possible?

Sure! You should be receiving email shortly with instructions on how to do that. Watch your inbox for "3nl4rg3 y0ur $w0rd n0w!!!". It'll probably come from a Chinese mailserver through your neighbor's Windows zombie, but don't you worry about that! Warning: spam filters may prevent this important information from reaching you.

Despite

23-09-2004 09:28:06

oh, I gave that outfit my credit card number a good while ago; I've yet to receive anything, and my sword isn't getting any bigger.