Not Solved [General] query strings on avatars

#21
(10-05-2015, 07:03 PM)andrewjs18 Wrote:
(10-05-2015, 06:47 PM)Euan T Wrote:
(10-05-2015, 06:42 PM)SentoWeb Wrote:
(10-05-2015, 06:40 PM)laie_techie Wrote: I thought it was safe for browsers to cache the results of a GET request (the query string is used to determine if two requests are equal).

The query string changes (TIME_NOW) so the browser will send a request.

No, it doesn't. The query string is the time the avatar was uploaded. It changes whenever you change your avatar. The problem Andrew is trying to solve is that some CDN/proxy systems won't proxy ANY content with query strings and Google Pagespeed shows false positives for resources with query strings.

that's the exact problem I'm running into.

Have you tried the fix I posted above?
Project, Portfolio and Product management for freelancers.
#22
(10-05-2015, 07:04 PM)SentoWeb Wrote:
(10-05-2015, 07:03 PM)andrewjs18 Wrote:
(10-05-2015, 06:47 PM)Euan T Wrote:
(10-05-2015, 06:42 PM)SentoWeb Wrote:
(10-05-2015, 06:40 PM)laie_techie Wrote: I thought it was safe for browsers to cache the results of a GET request (the query string is used to determine if two requests are equal).

The query string changes (TIME_NOW) so the browser will send a request.

No, it doesn't. The query string is the time the avatar was uploaded. It changes whenever you change your avatar. The problem Andrew is trying to solve is that some CDN/proxy systems won't proxy ANY content with query strings and Google Pagespeed shows false positives for resources with query strings.

that's the exact problem I'm running into.

Have you tried the fix I posted above?

no, not yet.

is this a method the mybb team would recommend?
#23
(10-05-2015, 07:15 PM)andrewjs18 Wrote:
(10-05-2015, 07:04 PM)SentoWeb Wrote:
(10-05-2015, 07:03 PM)andrewjs18 Wrote:
(10-05-2015, 06:47 PM)Euan T Wrote:
(10-05-2015, 06:42 PM)SentoWeb Wrote: The query string changes (TIME_NOW) so the browser will send a request.

No, it doesn't. The query string is the time the avatar was uploaded. It changes whenever you change your avatar. The problem Andrew is trying to solve is that some CDN/proxy systems won't proxy ANY content with query strings and Google Pagespeed shows false positives for resources with query strings.

that's the exact problem I'm running into.

Have you tried the fix I posted above?

no, not yet.

is this a method the mybb team would recommend?

It makes use of overloading, which was introduced to PHP a long time ago, so there is no magic, although it is very unusual. It isn't a simple function, because those are not allowed in templates, but this gets around the limitation. On the plus side you don't have to make changes to MyBB's core. The easiest way is to make changes to the core, but you will have to make sure that those changes are carried over on every update.
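An added example of the overloading approach described above; this is not MyBB's code and not the fix referred to in the thread. It is a PHP value object whose __get() exposes only whitelisted, computed avatar URLs, so a template reads a property instead of calling a function, and the upload timestamp is embedded in the file name rather than a query string. The directory layout, file name pattern and query parameter name are assumptions.

```php
<?php
// Hypothetical helper (not MyBB's own): read-only avatar URL object for templates.
final class AvatarUrl
{
    private string $baseDir;  // assumed avatar directory, e.g. "images/avatars"
    private string $file;     // stored file name, e.g. "avatar_5.png" (assumed pattern)
    private int $uploaded;    // upload timestamp, the value the thread calls TIME_NOW

    public function __construct(string $baseDir, string $file, int $uploaded)
    {
        // Accept only a plain file name with an image extension: no slashes,
        // no traversal, so the object can never point outside the avatar directory.
        if (!preg_match('/^[A-Za-z0-9_.-]+\.(png|jpe?g|gif)$/i', $file)
            || strpos($file, '..') !== false) {
            throw new InvalidArgumentException('unexpected avatar file name');
        }
        $this->baseDir  = rtrim($baseDir, '/');
        $this->file     = $file;
        $this->uploaded = $uploaded;
    }

    // Only the names listed here are readable from a template; configuration
    // or anything else on the object is deliberately unreachable.
    public function __get(string $name): string
    {
        switch ($name) {
            case 'url':     // query-string form (the one CDNs/proxies in the thread reject); "t" is an assumed parameter name
                return $this->baseDir . '/' . $this->file . '?t=' . $this->uploaded;
            case 'cdnUrl':  // path form: timestamp placed before the extension
                $dot = strrpos($this->file, '.');
                return $this->baseDir . '/' . substr($this->file, 0, $dot)
                    . '.' . $this->uploaded . substr($this->file, $dot);
        }
        throw new OutOfBoundsException("property '$name' is not exposed");
    }

    public function __isset(string $name): bool
    {
        return in_array($name, ['url', 'cdnUrl'], true);
    }
}

// Constructed sample input.
$avatar = new AvatarUrl('images/avatars', 'avatar_5.png', 1444070000);
echo $avatar->url, "\n";
echo $avatar->cdnUrl, "\n";
```

Serving the path form requires a server-side rewrite that maps the timestamped name back to the stored file; that rule is not shown here and is not the .htaccess code the thread refers to.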
#24
IIRC, $config (or will be null) will be blocked by the template editor as it can cause leakage of DB details. I haven't tested, so I could be wrong.
#25
(10-05-2015, 07:39 PM)Euan T Wrote: IIRC, $config (or will be null) will be blocked by the template editor as it can cause leakage of DB details. I haven't tested, so I could be wrong.

No, this works fine under MyBB 1.8.6. Everything else is blocked correctly. I think the database config can still leak with MyBB's security restriction; I had to improve that for Multihoster, where this was a bigger issue.
#26
Hm. I'm sure it was meant to be, or perhaps it's only the DB section that's blocked.
#27
(10-05-2015, 07:52 PM)Euan T Wrote: Hm. I'm sure it was meant to be, or perhaps it's only the DB section that's blocked.

Yes, it is supposed to trigger a security warning, and it does, but I think I found a way to exploit it in MyBB 1.6.

MyBB 1.8 has improved security when it comes to templates, but I will play around with it to see if this still works. (I never bothered testing again; I just moved over my custom rules, which prevented leaking of some other info, nothing stock MyBB related, otherwise I'd have filed a report.)
#28
It's just the database password that can't be used in a template.
#29
Ah, that would make sense Stefan.
#30
@Euan T, have you tried that htaccess code?