Com-Central.net

Doug_Kibbey · Posted: Sun Feb 05, 2012 10:26 pm Post subject: Re: Page themes fixed...

The chief building superintendent sez:

"I've come across some information on this. Since the update prior to this last one, the updated BBcode has changed and that new change will not allow spaces in the URL link. A request to revamp the code has been made..."

...roughly meaning: "We've asked, and are awaiting a response, about which we haven't a lot of say."

Smashy · ***Power User*** Offline Joined: Aug 05, 2010 Posts: 112

- Doug_Kibbey

The chief building superintendent sez:

"I've come across some information on this. Since the update prior to this last one, the updated BBcode has changed and that new change will not allow spaces in the URL link. A request to revamp the code has been made..."

...roughly meaning: "We've asked, and are awaiting a response, about which we haven't a lot of say."

This is very important as linux web servers allow users to create folder names & file names with spaces in them and there are a heck of a lot of linux web servers out there.

If I remember correctly the workaround is you must surround the filename with quotation marks?

Doug_Kibbey · Posted: Mon Feb 06, 2012 11:36 pm Post subject: Re: Page themes fixed...

- Smashy

- Doug_Kibbey

The chief building superintendent sez:

"I've come across some information on this. Since the update prior to this last one, the updated BBcode has changed and that new change will not allow spaces in the URL link. A request to revamp the code has been made..."

...roughly meaning: "We've asked, and are awaiting a response, about which we haven't a lot of say."

This is very important as linux web servers allow users to create folder names & file names with spaces in them and there are a heck of a lot of linux web servers out there.

If I remember correctly the workaround is you must surround the filename with quotation marks?

Here's the latest (and we can assume final) word on this subject:

"I'm still looking into this issue and this is what I've learned to date...

The BBcode code writers, (the code used on most forums and here at CC), has found a security issue with the older code which allowed spaces in the URL link. At the moment, the code writers are 'sticking to their guns' about not allowing spacing in URL's.

Some of the pic hosting sites on the web such as PhotoBucket allow using spaces in their URL's so it's going to be a bigger problem than some realize if those sites don't update their policies. It's too easy to include malicious code in broken (using spaces) URL's and that could include redirect scripts that would allow a hacker to point others to a different site than you had intended to use or inserting JAVA code to install hacker code into your personal computer.

A more 'techy' point of view:

One way to think about this problem is as well to check on server side that GET and POST request are not equivalent.

A POST request can alter data in server side, a GET request mustn't change anything. That's the HTTP protocol. An IMG tag is a GET request, always. And the browser can perform this GET request without any risk, so the problem is on server side, every action that can change alter data (database, session, etc) must check the request is a POST one. For example your /post url, should return asking for a POST confirmation. If this is wrong in your application, then you'll have problems not only with altered IMG tags, but maybe as well with 'html page speeders' that make preload of GET references, or even bots.

It's possible to 'force' (rewrite) the code, but I think we should error in the way of security as it's our duty to try to protect our users as much as possible."

Sorry for any inconvenience, but site and member safety come first, as it should be.
I'm no authority, but I have plenty of anecdotal experience that suggests that it's not good practice to include spaces in any filenames, etc....and it's also not wise to make them any longer than they have to be.