
Add .PHP to the allowed image extensions list?


Legacy Dash


Hello.

Any chance we could add .php to the allowed image extensions list?

 

I understand if you are the owner of the website you can do serverside tricks and stuff like redirects and mod_rewrites and stuff - but it would be much easier to just add .php to the allowed extensions.

 

Also, then it would be easier to embed this image: http://ponycountdown.com/countdown.php

 

Edit: People seem to think that allowing the PHP extension could be a security risk or simply won't work. First off, allowing the PHP extension for images is safe, as the PHP code is run on the server actually hosting the PHP script (e.g., my website).

Edited by Legacy Dash

It wouldn't really be feasible because PHP is not an image format. That countdown is a PHP script running on the ponycountdown server, so unless the site has provided an API of some kind it couldn't easily be transferred from one site to the other.


On 11/20/2013 at 8:11 AM, skylights said:

It wouldn't really be feasible because PHP is not an image format. That countdown is a PHP script running on the ponycountdown server, so unless the site has provided an API of some kind it couldn't easily be transferred from one site to the other.

If you're gonna make an API - it usually has to be a PHP file.

Also, PHP files can be images, you just have to tell the browser that it is an image by sending content type headers.

However, the MLP Forums doesn't look at content type headers, it looks at file extensions, but file extensions don't always tell you what the file type actually is.

 

Edit: In fact, my signature is a PHP file, it just has a redirect that has .png on the end of it. Open my signature in a new tab and you'll see.

Edited by Legacy Dash

<html>
<head>
<title> Do you? </title>
</head>
<body>
<?php
echo "Do you even know, what a .php file is?";
?>
</body>
</html>

*/I hope to god I got that code right. PHP is a language used to program websites, not save images. I highly doubt that that will work. Your signature is a redirect to a .png file, therefore the mlpforums server is not showing the PHP file, but the image the PHP code is redirecting it to./*

//EDIT: I am pretty confident, that via the "code" setting in the editing menu you can get it to show the ponycountdown thingy ;)

Edited by Guest

On 11/21/2013 at 2:28 AM, TwistedShadow said:

<html>
<head>
<title> Do you? </title>
</head>
<body>
<?php
echo "Do you even know, what a .php file is?";
?>
</body>
</html>

*/I hope to god I got that code right. PHP is a language used to program websites, not save images. I highly doubt that that will work. Your signature is a redirect to a .png file, therefore the mlpforums server is not showing the PHP file, but the image the PHP code is redirecting it to./*

//EDIT: I am pretty confident, that via the "code" setting in the editing menu you can get it to show the ponycountdown thingy ;)

<?php
// Tell the browser the response body is a PNG image, not text/html.
header('Content-type: image/png');
// Fetch the real image bytes from the remote host and pass them straight through.
$image = file_get_contents('http://i.imgur.com/H6ewafD.png');
echo $image;
?>

PHP can output anything - as long as you send the correct content-type headers.

 

If PHP can't output images, why does this work: http://mitchfizz05.net/mlpforums_assets/sig_swap/mitchfizz05/mitchfizz05.php

 

Edit: The content type header tells the browser that it is an image, and to treat it as one - instead of an HTML file (text/html).

Edited by Legacy Dash

If you want a dynamic picture, get a gif and you will be fine.

 

I won't talk much. You don't seem to understand what you're talking about. Simply said, allowing custom PHP scripts can compromise the website's security. Injection and shits. One can put a malicious piece of code in the form of a PHP file and the site will run it.

 

Those people who develop IPBoard know the reasons. That's why it's not available now.

 

If it's about allowed image extensions, I will ask for .webp. It's very light, you see. It's a worthwhile investment for development.


If you want a dynamic picture, get a gif and you will be fine.

 

I won't talk much. You don't seem to understand what you're talking about. Simply said, allowing custom PHP scripts can compromise the website's security. Injection and shits. One can put a malicious piece of code in the form of a PHP file and the site will run it.

 

Those people who develop IPBoard know the reasons. That's why it's not available now.

 

If it's about allowed image extensions, I will ask for .webp. It's very light, you see. It's a worthwhile investment for development.

A GIF is animated - I don't want an animated signature.

 

Also, the MLP Forums won't run the PHP code - the remote server will, so no harm can be done to the MLP forums. If this could be done I could do what I am now and just create a redirect and make myself an admin or something, which certainly isn't possible.


If PHP can't output images, why does this work: http://mitchfizz05.n...mitchfizz05.php

 

 

Your signature is a redirect to a .png file, therefore is the mlpforums server not showing the php file, but the image the php-code is redirecting it to.

And it keeps the current state of it in cache. How do I explain this... if you opened a tab with a link to your signature in it, you would see a certain sig. Then after a certain while (or whatever you told your PHP code to do) it will change on your server, but not on the tab you have open, because mlpforums is still "showing" the pic it has in cache. If you refresh the page it will refresh your sig. The same applies for that other thing you showed us.

Edited by Guest

And it keeps the current state of it in cache. How do I explain this... if you opened a tab with a link to your signature in it, you would see a certain sig. Then after a certain while (or whatever you told your PHP code to do) it will change on your server, but not on the tab you have open, because mlpforums is still "showing" the pic it has in cache. If you refresh the page it will refresh your sig. The same applies for that other thing you showed us.

The whole idea of my dynamic signature is that it refreshes when you refresh the MLP Forums.

 

Besides, allowing the PHP extension doesn't only allow for dynamic images - it also can simply be used to get metrics on your images.


Also, the MLP Forums won't run the PHP code

 


 

What the...

 

Please explain to me. I don't think I get what you're saying. You're putting a PHP script here, which makes a request to your remote server, which then responds to the request by sending an image which is randomly selected from a set of pre-defined images hosted on your server. Am I correct? If I am, then how is MLPForums supposed to make the request to your remote server if MLPForums doesn't run the script that makes the request?

 

Other than that, you can always make a gif which contains that set of images, and set the frame rate so that the signature changes every 5 minutes or whatever. It's very light, and safe.

Edited by Sky Warden


 

What the...

 

Please explain to me. I don't think I get what you're saying. You're putting a PHP script here, which makes a request to your remote server, which then responds to the request by sending an image which is randomly selected from a set of pre-defined images hosted on your server. Am I correct? If I am, then how is MLPForums supposed to make the request to your remote server if MLPForums doesn't run the script that makes the request?

 

Other than that, you can always make a gif which contains that set of images, and set the frame rate so that the signature changes every 5 minutes or whatever. It's very light, and safe.

I don't want to embed the PHP code.

If we allowed embedding PHP code into the MLP Forums - the forums would probably be the chaos capital of the internet.

 

When you add a remote image to a PHP script - it runs the PHP code on the remote server.

Besides, the client's browser is the one that will be fetching the image, the MLP Forums doesn't even touch the image.

 

Edit: Here is how it works...

  1. The browser sends a request to the MLP Forums, and gets the page.
  2. The browser sees in a post <img src="http://mywebsite.com/image.php">
  3. The browser makes a request to that image.
  4. The server mywebsite.com replies with a random image - which is achieved because it is a PHP file.
  5. The browser displays the random received image.

As you can see, the MLP Forums doesn't touch http://mywebsite.com/image.php

Edited by mitchfizz05
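The two points argued above, that the forum only ever inspects the URL's extension while the remote server decides the Content-Type and body, and that extensions don't tell you what a file really is, can be made concrete. The following is an added example, not code from the thread or from IP.Board: it models an extension allowlist next to the content-based check (magic bytes) that actually tells a defender whether a fetched response is an image. The allowlist, URLs and response bodies are constructed for illustration.

```python
"""Added example: extension allowlist versus content sniffing for
<img src> URLs. The forum's check sees only the path; the browser sees
only the bytes it receives. Sample inputs below are constructed."""
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit
import posixpath

# Hypothetical allowlist, modelled on the thread's ".png/.gif/.jpg" list
# plus the .webp that one poster asks for.
ALLOWED_EXT = {".png", ".gif", ".jpg", ".jpeg", ".webp"}

# File signatures (magic bytes) for the formats the thread mentions.
SIGNATURES = {
    "image/png":  (b"\x89PNG\r\n\x1a\n",),
    "image/gif":  (b"GIF87a", b"GIF89a"),
    "image/jpeg": (b"\xff\xd8\xff",),
}


def extension_allowed(url: str) -> bool:
    """What the forum does: look only at the URL path's extension."""
    path = urlsplit(url).path
    return posixpath.splitext(path)[1].lower() in ALLOWED_EXT


def sniff_image_type(body: bytes) -> Optional[str]:
    """What the browser effectively does: decide by content, not by name."""
    for mime, sigs in SIGNATURES.items():
        if any(body.startswith(s) for s in sigs):
            return mime
    # WebP is a RIFF container: "RIFF" <4-byte size> "WEBP".
    if body[:4] == b"RIFF" and body[8:12] == b"WEBP":
        return "image/webp"
    return None


def classify(url: str, content_type: str, body: bytes) -> Dict[str, object]:
    """Compare the three signals a defender has for one <img src> fetch."""
    sniffed = sniff_image_type(body)
    declared = content_type.split(";")[0].strip().lower()
    return {
        "extension_allowed": extension_allowed(url),
        "declared_type": declared,
        "sniffed_type": sniffed,
        # Only trust it as an image when the bytes and the header agree.
        "is_image": sniffed is not None and sniffed == declared,
    }


# Constructed sample responses (not real captures).
PNG_HEADER = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR"
SAMPLES: List[Tuple[str, str, bytes]] = [
    # The thread's case: a .php URL serving a genuine PNG with the right header.
    ("http://mywebsite.com/image.php", "image/png", PNG_HEADER),
    # A .png URL whose server actually returns HTML: passes the allowlist,
    # fails the content check, and a browser would show a broken image.
    ("http://example.invalid/sig.png", "text/html", b"<html><body>not an image</body></html>"),
    # A .webp URL with a genuine WebP body.
    ("http://example.invalid/a.webp", "image/webp", b"RIFF\x10\x00\x00\x00WEBPVP8 "),
]


def run_samples() -> List[Dict[str, object]]:
    return [classify(u, ct, b) for u, ct, b in SAMPLES]


if __name__ == "__main__":
    for (url, _, _), result in zip(SAMPLES, run_samples()):
        print(url, result)
```

Run as a script to see that the .php URL fails the extension allowlist yet is a real image, while the .png URL passes the allowlist and is not one.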

I don't want to embed the PHP code.

If we allowed embedding PHP code into the MLP Forums - the forums would probably be the chaos capital of the internet.

 

When you add a remote image to a PHP script - it runs the PHP code on the remote server.

Besides, the client's browser is the one that will be fetching the image, the MLP Forums doesn't even touch the image.

 

Edit: Here is how it works...

  1. The browser sends a request to the MLP Forums, and gets the page.
  2. The browser sees in a post <img src="http://mywebsite.com/image.php">
  3. The browser makes a request to that image.
  4. The server mywebsite.com replies with a random image - which is achieved because it is a PHP file.
  5. The browser displays the random received image.

As you can see, the MLP Forums doesn't touch http://mywebsite.com/image.php

 

Oh. So that's what you're going to do.

 

That's still- well, let's make this simple and brief. Pushing all the... oddities and other technical reasons aside, why do you think they have to spend their time to implement this change? Perhaps you're the only one who will use it. It's not a worthwhile investment. There are still many things those staff (or mods, whatever) need to develop. The character minimum still doesn't work, and other stuff. Poniverse, Pony.fm, and MLPForums themselves still need serious attention.

 

Not everyone here has their own server, or at least has the interest to do the same thing. People would choose a more feasible way if they want to accomplish the same goal. If they want a dynamic image on their post, they can simply get a gif. It's much easier, safer, and more efficient.

 

It's not a question of whether it will work or not. Software development is much more than that. The question is, is it worth it?


Oh. So that's what you're going to do.

 

That's still- well, let's make this simple and brief. Pushing all the... oddities and other technical reasons aside, why do you think they have to spend their time to implement this change? Perhaps you're the only one who will use it. It's not a worthwhile investment. There are still many things those staff (or mods, whatever) need to develop. The character minimum still doesn't work, and other stuff. Poniverse, Pony.fm, and MLPForums themselves still need serious attention.

 

Not everyone here has their own server, or at least has the interest to do the same thing. People would choose a more feasible way if they want to accomplish the same goal. If they want a dynamic image on their post, they can simply get a gif. It's much easier, safer, and more efficient.

 

It's not a question of whether it will work or not. Software development is much more than that. The question is, is it worth it?

I know what the AdminCP of IP.Board is like, it is very, very simple to add a new extension to the allowed extensions list. No programming or coding required.

I know what the AdminCP of IP.Board is like, it is very, very simple to add a new extension to the allowed extensions list. No programming or coding required.

 

It's not really a problem of making it work. The development isn't worth it, and development isn't only about making things work.

 

On your plan, your server returns a random image in response to the browser's request. One could have set up a script that returns millions of words instead of just a friendly image, and anyone who sees the post will swear at the lag and messy interface. Not to mention whether they're malicious or not. Of course, the server isn't directly attacked, and you still can set filters for it. More code, time, effort, and the filter still eats the performance. There are so many people who are smarter than you or me at hacking out there. They may bypass it easily.

 

I may not be a web master, but I do know a little bit about running a project and secure coding, and one thing I know is that the less power you give to your client, the better. If you give them the power to use custom scripts, danger can come in a wide variety.

 

After all, the usefulness of this feature isn't worth it.


It's not really a problem of making it work. The development isn't worth it, and development isn't only about making things work.

 

On your plan, your server returns a random image in response to the browser's request. One could have set up a script that returns millions of words instead of just a friendly image, and anyone who sees the post will swear at the lag and messy interface. Not to mention whether they're malicious or not. Of course, the server isn't directly attacked, and you still can set filters for it. More code, time, effort, and the filter still eats the performance. There are so many people who are smarter than you or me at hacking out there. They may bypass it easily.

 

I may not be a web master, but I do know a little bit about running a project and secure coding, and one thing I know is that the less power you give to your client, the better. If you give them the power to use custom scripts, danger can come in a wide variety.

 

After all, the usefulness of this feature isn't worth it.

The server won't display words as it is looking for an image; if you returned words from the server it would just show the "no image" thingy, as if it was an invalid link - besides, even if that was the case, that is all possible already either using a .htaccess file, or a redirect.

Allowing us to embed images with the extension .php (which is really easy) would reduce the time needed to load the image, because it doesn't need to pass through a redirect.

 

Any exploits that can be done by allowing us to use .php image extensions can already be done easily.


The server won't display words as it is looking for an image; if you returned words from the server it would just show the "no image" thingy, as if it was an invalid link - besides, even if that was the case, that is all possible already either using a .htaccess file, or a redirect.

 

It can return an image (or an invalid link), the closing tag, followed by malicious script after that. Or to make things look even more legit, another img tag with no closing, which will be closed by the original closing, though that's not necessary. That will ruin the HTML already.

 

Think about it. Those people who develop IPBoard are professional. If it's not available, there must be a set of reasons.

 

What's your point of proposing this, anyway? Just for a dynamic image, right? Just go get a gif. If you fancy yourself smart at technology, you will know that there are alternatives to accomplish your demand, like with gif. Just set the frame rate so that it changes every five minutes or whatever.

Edited by Sky Warden

It can return an image (or an invalid link), the closing tag, followed by malicious script after that. Or to make things even more legit, another img tag with no closing, which will be closed by the original closing, though that's not necessary. That will ruin the HTML already.

 

Think about it. Those people who develop IPBoard are professional. If it's not available, there must be a set of reasons.

 

What's your point of proposing this, anyway? Just for a dynamic image, right? Just go get a gif. If you fancy yourself smart at technology, you will know how to accomplish your demand with gif. Just set the frame rate so that it changes every five minutes or whatever.

The remote server isn't returning the HTML code - it is returning an image.

There is no way that you could do any sort of "HTML injection".

 

If that was possible you could get a blank text file, put some malicious code in it, then upload it to imgur or something like that and exploit the forums like that.


The remote server isn't returning the HTML code - it is returning an image.

There is no way that you could do any sort of "HTML injection".

 

"What's your point of proposing this, anyway? Just for a dynamic image, right? Just go get a gif. If you fancy yourself smart at technology, you will know that there are alternatives to accomplish your demand, like with gif. Just set the frame rate so that it changes every five minutes or whatever."

 

- The Question You Keep Ignoring v.1. MLPForums: Sky Warden.

 

That's just your server (with your script) which is returning an image. How about other servers, owned by other users?

 

If that was possible you could get a blank text file, put some malicious code in it, then upload it to imgur or something like that and exploit the forums like that.

 

 


 

Oooh, you will be surprised, boy. A website can be hacked by using an image file (if the security is shitty enough). Files are very manipulable.

 

P.S. Imgur only accepts legit image extensions.

 

Seriously though, just stop already.

Edited by Sky Warden

"What's your point of proposing this, anyway? Just for a dynamic image, right? Just go get a gif. If you fancy yourself smart at technology, you will know that there are alternatives to accomplish your demand, like with gif. Just set the frame rate so that it changes every five minutes or whatever."

 

- The Question You Keep Ignoring v.1. MLPForums: Sky Warden.

 

That's just your server (with your script) which is returning an image. How about other servers, owned by other users?

Oooh, you will be surprised, boy. A website can be hacked by using an image file (if the security is shitty enough). Files are very manipulable.

 

P.S. Imgur only accepts legit image extensions.

 

Seriously though, just stop already.

No one simply allows such a security hole, where someone who isn't a world famous hacker is able to execute PHP code simply with an image.

 

The forums don't even touch the image - the MLP Forums only tell the client to get the image itself - unless the forum caches the image on its own server - which it doesn't, because otherwise my signature wouldn't change itself.

Even if the forums did cache the image - it isn't going to try and execute the image - that would just be silly and would just cause an error.

 

The reason I don't want a GIF is because GIFs don't have many colors, it isn't as flexible, and you'd have to sit on one page waiting for the GIF to tick over to the next signature.

 

Also, as I said before, you could do this anyway through redirects or .htaccess files - allowing the .php extension for image files will just eliminate the need for those redirects, making the image load faster.

 

And Imgur is an example - you could upload it somewhere else.


Well, this was a hilarious read.

 

@Sky Warden - If I allowed the .php extension it would not be vulnerable to anything that it wouldn't already be vulnerable to now.

 

@mitchfizz05 - I'm not going to add the .php extension as to be honest, there really is no use case for it other than for new developers that are unaware of how to display an image that won't get hit by forum file extension restrictions that all forums have.


@Sky Warden - If I allowed the .php extension it would not be vulnerable to anything that it wouldn't already be vulnerable to now.

 

I have no idea how exactly IPBoard works, to be honest. I've never used the thing, since I've never been asked to make a forum. If its security is already strong, then it's good. I just see that there's no use in allowing the .php extension other than to satisfy one user who wants a fancy dynamic image on his post, and being the lazy paranoid that I am, I'd prefer to limit clients as much as possible and discard any useless improvement.

 

GIFs don't have many colors

 

And I think it's colourful enough for me.

 


Edited by Sky Warden
