Removed Inline Image Support - Update: Fixed - Better Battlelog Forums #130907

Topicstarter
Hi all!

Update 07.12.2014

This issue is now fixed on getbblog.com and in the BBLog addon. A security hole still exists in your browser, but in BBLog or on getbblog.com you are safe.
Firefox Notes
: Here we must pre-cache the image file to make sure that it's safe. That means that in general all counter (user/pageviews) services do not work properly.

Original Message:

Unfortunately I decided to temporarily remove inline image support from the BBLog addon and from the getbblog.com homepage for external images.

The reason is that I found out today that this could be a big security hole.
More information here:
Browser Auth Phishing Attack with embedded images
->
http://bfldev.com/auth-pishing

Inline Images in the addon are deactivated until this issue is fixed or fixable.
Inline Images on getbblog.com - only allowed for getbblog.com attachments, not for external images.

This only affects Inline Images, not Inline Youtube Videos.

Spread the word about that.

Greetz Roland
But for instance, it is possible to add exceptions or a "white list" to this code... like trusted sources such as imgur, puu.sh etc.

1. making sure that the URL starts and ends with specific text
2. and then implementing a script which actually checks that the URL is an "image file"
Topicstarter
Sure, it's possible. But I don't actually integrate a white list.
A script that checks for correct images could only be done server side, and we don't have the capacity to create such a service.

I'll follow the discussion about that bug and if nothing happens from the browser side, I'll consider other ways.
Any technical reason for the white list thing... cause in my opinion that seems the best fix until we find a solid solution.

I'm not a pro in JS right now, but isn't this simple algorithm possible on the client side?

1. URL found

2. if URL matches (http://imgur... OR http://puu.sh)
       if type matches (jpg, png, gif)
           create elements and embed
       else
           do not embed

3. else
       break;

Again just an idea....could be improved..Happy to be a part of development
Topicstarter
No technical reason, I just don't want to make a "white list" because this creates a "two class feature".
I just want to have a fully functional feature. Allowing just a bunch of hosters is not what I want to do.

The check for a valid file extension also doesn't help because a correct looking image link could also be manipulated.

Anyway, thx for suggestions.
mmhmmm... Well, I respect your personal policy... Hope this gets fixed soon.
:)
Hope it's going to be back soon as well.
Please fix quickly,


this being the reason why 60% of users take advantage of this tool and as the lead designer of two platoons. with endless hours working on the presentation with one blow away..

Fact who wants anything from the browser to system is vulnerable is always gaps but if you blow on it of course 5445990 people with a down during which to know profiles of users and platoon to link ruins...

makes understanding...

alternatives are in demand or offers before the ship goes down :(
I advised BFL to let users enable the feature at their own risk... like those who are aware of these things (phishing and all).

Rest is upon BFL... what he comes up with.
Topicstarter
I understand all your opinions and all your suggestions.

I decided to re-enable Google Chrome and Opera right now, because they have no problems with the security issue.
For all Chrome/Opera users it should work within the next 24 hours.
You can force the update by opening this page
http://getbblog.com/plugins/bblog-hotfix.js

press CTRL + F5 and then use Battlelog as always.

For all Firefox users, sorry, I cannot currently enable that feature because it's not fixed right now, but I'll think about another temporary fix for you.
Topicstarter
Well, good news for all of you.

Inline Images should now work, securely and for every browser.
Maybe it takes up to 24 hours to work for you.
You can force the update by opening this page
http://getbblog.com/plugins/bblog-hotfix.js

press CTRL + F5 and then use Battlelog as always.

The technique behind it is now that getbblog.com caches the image and then returns it back to you if it is safe to use.
Hopefully our server can handle that.

However, the bug still exists in your browser, but it's now safe inside of the BBLog addon and on getbblog.com.

Greetz Roland
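As an added example (not BBLog's own code), the following JavaScript models both the URL allowlist plus extension check proposed earlier in the thread and the server-side pre-fetch check Roland describes here, and shows why only the second one refuses an auth challenge. The host list, the response shape `{ status, headers, body }` and the sample responses are constructed for illustration.

```javascript
// Added example, not BBLog's own code. ALLOWED_HOSTS and the response shape
// { status, headers, body } are assumptions made for illustration.
const ALLOWED_HOSTS = new Set(['i.imgur.com', 'puu.sh']); // constructed list
const IMAGE_EXT = /\.(jpe?g|png|gif)$/i;

// Client-side check as proposed in the thread: trusted host + image extension.
// It inspects only the URL string, so it cannot know what the server will send.
function urlLooksLikeTrustedImage(urlString) {
  let url;
  try { url = new URL(urlString); } catch (e) { return false; }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return false;
  if (!ALLOWED_HOSTS.has(url.hostname)) return false;
  return IMAGE_EXT.test(url.pathname);
}

// Leading bytes of the three formats the thread mentions.
const MAGIC = [
  { type: 'image/png',  bytes: [0x89, 0x50, 0x4e, 0x47] },
  { type: 'image/jpeg', bytes: [0xff, 0xd8, 0xff] },
  { type: 'image/gif',  bytes: [0x47, 0x49, 0x46, 0x38] },
];

// Server-side decision on a response the proxy has already fetched itself.
// Because the proxy, not the user's browser, talks to the remote host, a
// 401 + WWW-Authenticate challenge never reaches the user; it is refused here.
function isSafeToServe(response) {
  if (response.status !== 200) return false;
  if ('www-authenticate' in response.headers) return false;
  const declared = (response.headers['content-type'] || '')
    .split(';')[0].trim().toLowerCase();
  const sniffed = MAGIC.find(m => m.bytes.every((b, i) => response.body[i] === b));
  return sniffed !== undefined && sniffed.type === declared;
}

// Constructed responses: a real PNG header, and an auth challenge returned
// from a URL that passes the allowlist and extension check.
const GOOD_PNG = {
  status: 200,
  headers: { 'content-type': 'image/png' },
  body: new Uint8Array([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]),
};
const AUTH_CHALLENGE = {
  status: 401,
  headers: { 'www-authenticate': 'Basic realm="constructed"' },
  body: new Uint8Array(0),
};
// Roland's point: the URL check alone passes, the fetched response does not.
console.log(urlLooksLikeTrustedImage('http://i.imgur.com/a.png'), // true
            isSafeToServe(AUTH_CHALLENGE), isSafeToServe(GOOD_PNG)); // false true
```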
Really appreciate it ...bud
There are issues with certain characters in URLs from FlagCounter.

BBLog loads this URL
http://getbblog.com/image-loader.php?file=http%3A%2F%2Fs11.flagcounter.com%2Fcount%2FcEMj%2Fbg_F4F4F4%2Ftxt_000000%2Fborder_F4F4F4%2Fcolumns_3%2Fmaxflags_9%2Fviewers_Flares%2BVisitors%2Flabels_0%2Fpageviews_1%2Fflags_0.png


instead of

http://s11.flagcounter.com/count/cEMj/bg_F4F4F4/txt_000000/border_F4F4F4/columns_3/maxflags_9/viewers_Flares+Visitors/labels_0/pageviews_1/flags_0.png

which causes the image to be broken and not recognized by Flagcounter.

pls fix
Thanks in advance
-Flare
Topicstarter
Flagcounters and any other counter services are not working properly with the current fix.
The reason is simply that BBLog caches and pre-downloads the image to make sure it's safe.
So, the counter will never be counted up. For Flagcounter it seems that they also have some other checks that make it impossible to work with our special fix.

It's not fixable until the browser developers fix the security hole. Then we can remove our temporary cache.
I'll see if I can make an exception for Chrome/Opera to directly show the image because they are not affected by that issue.
That would be great, most of the people I know use Chrome as well...
Thank you :))

for fixed and reactivation, am satisfied when it comes in whenever a browser of the three,
has saved my day.

thx