
On my server I use TimThumb as a plugin to resize my images; it works great except when I try to use it inside the content of my emails.

Google Gmail outputs this https://example.com/thumb.php?sr+c= as the src attribute (notice the plus sign).

I read here that it's because of the query.

So how can I use .htaccess to rewrite my URL and replace /thumb.php?src= with /src/?

This is how a link to the image looks:

https://example.com/thumb.php?src=example.jpg

This is what I need:

https://example.com/src/example.jpg

This is my current .htaccess:

RewriteEngine On
RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^ - [L]
RewriteRule ^welcome/([^/]+)/?$ index.php?a=welcome&filter=$1 [NC,QSA,L]
RewriteRule ^explore/([^/]+)/?$         index.php?a=explore&filter=$1   [NC,QSA,L]
RewriteRule ^page/([^/]+)/?$            index.php?a=page&filter=$1      [NC,QSA,L]
RewriteRule ^(([^/]+)+)(/([^/]{0,32})(/.+)?)?$ index.php?a=$1&q=$3 [L,QSA]

index.php and thumb.php are both in the root folder.

UPDATE

I tried adding this line to my .htaccess and visiting https://example.com/src/example.jpg, but again it's not working; in this case it redirects to the "welcome" page.

RewriteRule ^src/([^/]*)$ /thumb.php?src=$1 [L]

2nd UPDATE

I tried this too:

RewriteRule ^src/([^/]+)/?$ thumb.php?src=$1 [NC,QSA,L]

Again it's not working: https://example.com/src/example.jpg redirects to my "welcome" page.

This is how my .htaccess looks now:

RewriteEngine On
RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^ - [L]
RewriteRule ^welcome/([^/]+)/?$ index.php?a=welcome&filter=$1 [NC,QSA,L]
RewriteRule ^explore/([^/]+)/?$         index.php?a=explore&filter=$1   [NC,QSA,L]
RewriteRule ^page/([^/]+)/?$            index.php?a=page&filter=$1      [NC,QSA,L]
RewriteRule ^src/([^/]+)/?$ thumb.php?src=$1 [NC,QSA,L]
RewriteRule ^(([^/]+)+)(/([^/]{0,32})(/.+)?)?$ index.php?a=$1&q=$3 [L,QSA]

3rd UPDATE

Inside thumb.php this is how I build up the src query:

// Prepend the S3 bucket URL to the file name passed in the src query parameter
$_GET['src'] = 'https://s3-eu-west-1.amazonaws.com/bucket1'.'/'.$_GET['src'];

I can't figure out what's wrong here.

4th UPDATE

Based on Vladimir Cvetic's answer I tried this:

RewriteEngine On
RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^ - [L]
RewriteRule ^src/(.*)$ /thumb.php?src=$1 [L,QSA]
RewriteRule ^welcome/([^/]+)/?$ index.php?a=welcome&filter=$1 [NC,QSA,L]
RewriteRule ^explore/([^/]+)/?$         index.php?a=explore&filter=$1   [NC,QSA,L]
RewriteRule ^page/([^/]+)/?$            index.php?a=page&filter=$1      [NC,QSA,L]
RewriteRule ^src/([^/]+)/?$ thumb.php?src=$1 [NC,QSA,L]
RewriteRule ^(([^/]+)+)(/([^/]{0,32})(/.+)?)?$ index.php?a=$1&q=$3 [L,QSA]

And again it's not working; this is the error:

`The 't' parameter is not set.`

But it's strange, since I set the 't' parameter condition for the empty case as below:

// Select the upload directory and allowed sizes from the 't' parameter
if(!empty($_GET['t'])) {
    if($_GET['t'] == 'a') {
        $type = 'uploads/avatars';
        $width_list = array(25, 35, 50, 70, 100, 112, 150, 200, 300);
        $height_list = array(25, 35, 50, 70, 100, 112, 150, 200, 300);
    } elseif($_GET['t'] == 'b') {
        $type = 'uploads/backgrounds';
        ...
    } else {
        exit('Invalid parameter value');
    }
} else {
    // 't' not given: fall back to avatars (assignment, not comparison)
    $_GET['t'] = 'a';
    $type = 'uploads/avatars';
    $width_list = array(25, 35, 50, 70, 100, 112, 150, 200, 300);
    $height_list = array(25, 35, 50, 70, 100, 112, 150, 200, 300);
}

Indeed, if I visit https://example.com/thumb.php?src=example.jpg I can see the avatar image correctly.

  • Not a direct answer, but: Stop using Timthumb. It's been the subject of [numerous security issues](https://blog.sucuri.net/2011/08/timthumb-php-security-vulnerability-just-the-tip-of-the-iceberg.html), and [has been unmaintained since 2014](https://www.binarymoon.co.uk/2014/09/timthumb-end-life/). Continuing to use it at this point is extremely risky. –  Sep 21 '16 at 00:43
  • Where did you place the new rule? If you just append it at the very end, then most likely the rules coming before it will have already rewritten the request to the index.php. Try and place it at least before the last existing rule. – CBroe Sep 21 '16 at 09:58
  • Changes to .htaccess don’t require a webserver restart, .htaccess files are read on every request. // Can you please edit the question to show the full modified ruleset you tried? – CBroe Sep 21 '16 at 10:43
  • Well that only becomes a problem, if the request gets rewritten to the index.php instead of thumb.php (which is likely the case here.) I'd enable rewrite logging to check what's going on; it might need an additional RewriteCond at the top to check if the internal rewritten request is pointing to the thumb.php already. – CBroe Sep 21 '16 at 16:16

1 Answer

This should do the trick:

RewriteRule ^src/(.*)$ /thumb.php?src=$1 [L,QSA]

TimThumb has been unmaintained for years now, as far as I know, and has a security issue that will allow attackers to execute code on your server. A quick Google search will reveal most of the TimThumb vulnerabilities.

I would suggest moving to a maintained package.

  • Thanks for your answer. About possible attacks and vulnerabilities, I'm using an SSH connection via AWS EC2 and on the server side I'm using fail2ban and other things. I tried your solution and I have updated my question; could you please take a look and tell me what's wrong now? – NineCattoRules Sep 26 '16 at 18:18
  • @SimonLeCat Can you send a more detailed error? Are you sure that error is being produced on that line? In addition I'm not sure why you need `$_GET['t']` since it will produce the same result in both cases. – Vladimir Cvetic Sep 27 '16 at 07:18
  • I updated the question; as you can see in the 4th update, the 't' parameter can be different from 'a'. I don't have any more detailed error than `The 't' parameter is not set.`. From the Chrome console and `tail -f /var/log/apache2/error.log` on my Linux server I can't see any error log. – NineCattoRules Sep 27 '16 at 09:31
  • I think it's safe to assume that error is not from this line, since you would be getting a very different error for accessing a missing array member. Find the line where that error is occurring. – Vladimir Cvetic Sep 27 '16 at 09:34
  • I searched for `parameter is not set` in `thumb.php` but there is no such string. So I searched the whole home folder, but again there is nothing like that. – NineCattoRules Sep 27 '16 at 09:57
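To see which rule a request actually lands on for a given rule order (CBroe's point in the comments on the question), here is a small Python evaluator added as an example; it is not code from the question, the answer or TimThumb. It approximates per-directory mod_rewrite (rules see the path without its leading slash, the first matching rule with [L] ends a pass, a rewritten path starts another pass, and the -f/-d guard is modelled by a constructed set of existing files), so it is an approximation and not Apache itself.

```python
import re
from typing import List, Set, Tuple

# Constructed for this example: the files that exist in the document root.
EXISTING_FILES: Set[str] = {"index.php", "thumb.php"}

# (pattern, substitution, flags) triples copied from the .htaccess in the question.
Rule = Tuple[str, str, Set[str]]
SRC_RULE: Rule = (r"^src/(.*)$", "/thumb.php?src=$1", {"L", "QSA"})
SITE_RULES: List[Rule] = [
    (r"^welcome/([^/]+)/?$", "index.php?a=welcome&filter=$1", {"NC", "QSA", "L"}),
    (r"^explore/([^/]+)/?$", "index.php?a=explore&filter=$1", {"NC", "QSA", "L"}),
    (r"^page/([^/]+)/?$", "index.php?a=page&filter=$1", {"NC", "QSA", "L"}),
    (r"^(([^/]+)+)(/([^/]{0,32})(/.+)?)?$", "index.php?a=$1&q=$3", {"L", "QSA"}),
]

def rewrite(path: str, query: str, rules: List[Rule], max_passes: int = 10) -> Tuple[str, str]:
    """Approximate per-directory mod_rewrite: rules see the path without its
    leading slash, the first matching rule wins ([L]), and a rewritten path
    starts a new pass (Apache's internal redirect). Returns (path, query)."""
    for _ in range(max_passes):
        # RewriteCond %{REQUEST_FILENAME} -f [OR] -d ; RewriteRule ^ - [L]
        if path in EXISTING_FILES:
            return path, query
        for pattern, subst, flags in rules:
            m = re.search(pattern, path, re.I if "NC" in flags else 0)
            if m is None:
                continue
            # Expand $1..$9 back-references; an unmatched group expands to "".
            target = re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))) or "", subst)
            new_path, _, new_query = target.partition("?")
            if "QSA" in flags and query:
                new_query = f"{new_query}&{query}" if new_query else query
            path, query = new_path.lstrip("/"), new_query
            break  # [L]: stop this pass; the loop starts the next one
        else:
            return path, query  # no rule matched: the request stays as is
    raise RuntimeError("too many internal rewrites")

def src_rule_first() -> Tuple[str, str]:
    """The answer's rule placed ahead of the catch-all, as CBroe suggested."""
    return rewrite("src/example.jpg", "", [SRC_RULE] + SITE_RULES)

def src_rule_last() -> Tuple[str, str]:
    """The same rule appended after the catch-all: the catch-all wins."""
    return rewrite("src/example.jpg", "", SITE_RULES + [SRC_RULE])
```

With the rule first the request reaches thumb.php?src=example.jpg; appended last, the catch-all has already sent it to index.php?a=src&q=/example.jpg.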