Parsing image uploads as PHP files? [#28576]

A user recently reported this problem with image module (latest from CVS. Drupal is a few weeks old, but also CVS).

Parse error: parse error, unexpected ‘@’ in /home/demolici/shizzle/images/temp/crazyscrabbledude_0.jpg on line 30

When I try to preview an image to post.

Is the image module (or Drupal) attempting to execute image uploads? I've always had problems with this module, but this is a new one. What is trying to parse the temporary image file?

Comment	File	Size	Author
#9	phptemplate_patch.txt	1.32 KB	robertDouglass
#2	image-cvs-phptemplate.patch	794 bytes	Robrecht Jacques

Support from Acquia helps fund testing for Drupal Acquia logo

Comments

Comment #1

Robrecht Jacques CreditAttribution: Robrecht Jacques commented 10 August 2005 at 09:08

Priority:

Normal

» Critical

I can confirm this bug.

- clean install of drupal CVS-HEAD and image CVS-HEAD
- enable image module
- create content (image)
- preview
- I get a similar error
- submit (instead of preview) works without problems.

Surely we are not parsing the images as php are we??

All works well in drupal-4-6 and image 4-6.

File	Size
image-cvs-phptemplate.patch	794 bytes

The problem is in _phptemplate_default. This function includes a template file with include($file). The problem is that the $file it thinks it includes (a template file, eg themes/bluemarine/node.tpl.php) is not the $file it includes (our image!). The reason for this is that it does a extract($variables) first and there is a $variables['file'] in there! So his template-$file gets overwritten by our image-$file.

Moving this issue to "phptemplate" as I think the bug is there. Easy fix attached.

Alternatively, every module should make sure it hasn't got a $file variable lying around... I'm not completely sure how the image-$file gets there, but it is.

Comment #3

robertDouglass CreditAttribution: robertDouglass commented 10 August 2005 at 12:52

This type of bug should be sent to the devel list - it is a shortcoming of the project module that so little gets sent to that list.

Comment #4

moshe weitzman CreditAttribution: moshe weitzman commented 10 August 2005 at 14:20

I con confirm that this is a real bug. Good job finding the cause ... I'd love for a phptemplate expert to comment on the patch here.

Comment #5

moshe weitzman CreditAttribution: moshe weitzman commented 10 August 2005 at 14:24

image.module shoud technically call its form field image_file in order to avoid conflict with other form fields ... still, it would be nice to fix this at the phptemplate leevl if possible.

Comment #6

Robrecht Jacques CreditAttribution: Robrecht Jacques commented 10 August 2005 at 14:46

Right. I'll create a patch for image.module that renames $file to $image_file.
Still, it is a bug that needs fixing in phptemplate too, just to be on the safe(r) side.

Comment #7

adrian CreditAttribution: adrian commented 10 August 2005 at 15:45

I've tested this with phptemplate before , the variable shouldn't get clobbered.
http://ca3.php.net/manual/en/function.extract.php

Rename it to image_file, since file is not telling enough anyway, and i will make a patch to turn the parameter into :

extract($variables, EXTR_SKIP);

Comment #8

Robrecht Jacques CreditAttribution: Robrecht Jacques commented 14 August 2005 at 09:44

Assigned:

Robrecht Jacques

» Unassigned

The issue has been fixed in image.module (rev 1.161): the module doesn't use '$file' anymore (thx to walkah).

Still I think that phptemplate should fix it too. From the documentation it seems like extract($variables, EXTR_SKIP); would do the trick and is probably cleaner than the unset I did.
Did not test this patch and don't know if there are other side-effects.

(unassigning me from this issue)

Comment #9

robertDouglass CreditAttribution: robertDouglass commented 4 September 2005 at 13:38

File	Size
phptemplate_patch.txt	1.32 KB

Here's a path against HEAD (after the commit of the previous patch) that takes Adrian's suggestion of using EXTR_SKIP instead. This solves the problem in a more fundamental way.