Warning: getimagesize

There is a never committed patch here. It makes use of cURL instead of fopen. If it doesn't apply cleanly, do it manually (and reroll).

If it works we could do some sort of detection if fopen of curl is used and act on that.

Thanks for reporting.

It is good to know that patch would solve your issue. Thanks for testing it.

getimagesize is a PHP image function that seems to work only if "allow_url_fopen" is turned on (allow_url_fopen = On usually found in the php.ini file).

But what if you or your host company have turned it off over a security concern? Well storing the file locally, as suggested by the linked article, wouldn't be an option, as possibly we want to avoid copyright issues by using the remote file directly. That leaves only the use of cURL as an alternative for fopen (read getimagesize ).

By the way, it has to be said in this context that the use of getimagesize in itself is not insecure. Someone even suggests to use it to get reliable data (not spoofed) about an image file (maybe a better way). Furthermore fopen is not used directly as a function anywhere in the Flickr module's code. It can therefore not be used to inject malicious code. Anyway, we can be pretty sure that any files with the .jpg extension on the https://farm.staticflickr.com domain are in fact images (can we?). Web hosts that turn "allow_url_fopen" off, do it only as a precaution to avoid their clients inadvertently use software with insecure code (non-sanitized user-provided data used by several fopen related functions).

It's nice to see I can reuse some code that was not necessary for the issue the patch was posted on. What to do next?

• See what's the best way to detect if fopen is not available.
• See if cURL is available. In that case use the patch code as an alternative (cURL fallback).
• Use the known longest size of the image for the width. This might result in some unnecessary white space next to the image. This is why getimagesize was introduced in the first place. See #2163647: Unnecessary white space next to image.

It might be a good idea to give an option to choose between getimagesize (fopen dependent) and our cURL based custom script (the ranger function) on the Flickr module configuration page in case both are available.

I'll see what I can do over the weekend to re-roll the patch for the latest Git version and maybe add some fopen/curl detection script and settings.

Thanks again.

Attached patch:

• Falls back to cURL if 'allow_url_fopen' is disabled or in the Flickr settings we explicitly have selected to use cURL.
• Adds a setting as mentioned but only in case both 'allow_url_fopen' and 'curl' are enabled.
• Resets this setting in the unlikely event cURL is not available anymore.
• Uses the known longest side of the image for the width if both are not available. Leads to horizontal white space on portrait orientated images.

We are uncertain if cURL is faster than the native 'getimagesize' PHP function in the latest versions of PHP. Some sources mention this, e.g. http://roldanarts.com/2009/11/18/diego-roldan/blog/curl-vs-getimagesize-....

Mentioned in the issue description.

It is better to be more specific on the configuration page that the cURL option is visible based on detected server configuration. If not, someone managing the Flickr module on different servers might wonder why he has the option available on one server and not on the other. See attached screenshot.