From:             rcoles at hotmail dot com
Operating system: all
PHP version:      4.3.3
PHP Bug Type:     GetImageSize related
Bug description:  issue with htaccess

Description:
------------
It appears that certain settings in the htaccess file will produce
unexpected results if an app is using getimagesize(). This issue may have
a bearing on the zero height/width issues reported elsewhere.

The app I've been working on is a random picture gallery. The PHP code
using getimagesize() looks like this:

$maxwidth =180; //modify this figure to suit
$imagehw = getimagesize($image[$r]);
$imagewidth = $imagehw[0];
$imageheight = $imagehw[1];
if ($imagewidth>$maxwidth) {
   $imageprop = ($maxwidth*100)/$imagewidth;
   $imagevsize = ($imageheight*$imageprop)/100;
   $imagewidth = $maxwidth; 
   $imageheight = ceil($imagevsize);
}

[$r] is an image in an array. The rest of the code auto-resizes the image
and maintains a constant aspect ratio.

Looking over my web access logs I get this:

web host IP address - - [06/Dec/2003:02:14:52 -0600] "GET
/images_dir/some_sub_dir/IMG_2581.jpg HTTP/1.0" 403 - "-" "-"
ISP's IP address - - [06/Dec/2003:02:14:53 -0600] "GET
/images_dir/some_sub_dir/IMG_2581.jpg HTTP/1.0" 304 -
"http://www.xxx.com/some_dir/s0me_page.php" "Mozilla/4.0 (compatible; MSIE
6.0; Windows NT 5.0; Q312461)"

Note the "403 - access denied" in the first line.

In my htaccess file I have the following:

# Forbid if blank (or "-") Referer *and* UA
RewriteCond %{HTTP_REFERER} ^-?$
RewriteCond %{HTTP_USER_AGENT} ^-?$
RewriteRule .* - [F]

These lines forbid/ban blank referrers and UA's. 

As far as I can understand and thus, now assume, while using getimagesize,
the web host's server does a "GET" to get the image before passing it to
the code and then serving it to the browser. While doing the "GET" - and
because it's an "internal process" - there would be no need for a UA. The
htaccess file picks this up and issues a 403. The image reference is then
passed to the browser but no image appears. Well, it does but appears as
a pixel dot. No error warnings or notices are produced with this error.

I have tried adding the following line to the htaccess file to try and
by-pass this issue:

RewriteCond %{REMOTE_ADDRESS} !^xxx\.xxx\.xxx\.xxx$

xxx being the host IP address. Have had NO success with this so far.

Expected result:
----------------
With these lines removed from my htaccess file:

# Forbid if blank (or "-") Referer *and* UA
RewriteCond %{HTTP_REFERER} ^-?$
RewriteCond %{HTTP_USER_AGENT} ^-?$
RewriteRule .* - [F]

this is what I get in my web access logs:

web host IP address - - [05/Dec/2003:22:11:10 -0600] "GET /images/some
sub_dir/IMG_2295.jpg HTTP/1.0" 200 49254 "-" "-"
ISP's IP address - - [05/Dec/2003:22:11:11 -0600] "GET /images/some
sub_dir/IMG_2295.jpg HTTP/1.0" 304 -
"http://www.xxx.com/some_dir/some_page.php" "Mozilla/4.0 (compatible; MSIE
6.0; Windows NT 5.0; Q312461)"

Note the "200" passed on each line. In other words, the app works as
designed.

Actual result:
--------------
With the above htaccess RewriteCond in place, this is what I get at the
browser end:

<img src="http://www.xxx.com/images_dir/some_sub_dir/IMG_3235.jpg"
width="" height="" alt="This is a Random Image" />

Note the empty width and height parameters.

-- 
Edit bug report at http://bugs.php.net/?id=26546&edit=1
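
Added example, not the reporter's code and not part of the original report: one way to avoid the symptom described above is to read same-site images from the local filesystem, so no HTTP request ever reaches the rewrite rule, and to check the return value of getimagesize() so a failure is logged instead of yielding empty width/height. The host name, document root, sample URL and helper names are assumptions made for illustration.

```php
<?php
// Added example. 'www.example.com', '/var/www/html' and both helper
// functions are hypothetical; adjust them to the actual site layout.

/** Map a same-site image URL to a file under $docRoot, or null if it is not one. */
function local_image_path(string $url, string $siteHost, string $docRoot): ?string
{
    $parts = parse_url($url);
    if (!is_array($parts) || ($parts['host'] ?? '') !== $siteHost || empty($parts['path'])) {
        return null;                       // foreign host or unparsable URL
    }
    $root = realpath($docRoot);
    $path = realpath($docRoot . rawurldecode($parts['path']));
    // realpath() resolves "../" and symlinks; reject anything outside the root.
    if ($root === false || $path === false
        || strncmp($path, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    return $path;
}

/** Return [width, height] scaled down to $maxWidth, or null if the size is unknown. */
function scaled_size(string $url, string $siteHost, string $docRoot, int $maxWidth = 180): ?array
{
    $file = local_image_path($url, $siteHost, $docRoot);
    $info = $file === null ? false : getimagesize($file);   // false on failure
    if ($info === false) {
        error_log("could not determine image size for $url");
        return null;
    }
    [$w, $h] = $info;
    if ($w > $maxWidth) {                  // keep the aspect ratio, as in the report
        $h = (int) ceil($h * $maxWidth / $w);
        $w = $maxWidth;
    }
    return [$w, $h];
}

// Constructed sample URL, modelled on the paths in the access log above.
$url   = 'http://www.example.com/images_dir/some_sub_dir/IMG_2581.jpg';
$size  = scaled_size($url, 'www.example.com', '/var/www/html');
// Emit width/height only when they are known, never as empty attributes.
$attrs = $size ? sprintf(' width="%d" height="%d"', $size[0], $size[1]) : '';
echo '<img src="' . htmlspecialchars($url, ENT_QUOTES) . '"' . $attrs
   . ' alt="This is a Random Image" />' . "\n";
```
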