[theme-reviewers] Not using TimThumb.php in themes

David Law wp-hackers at google-adsense-templates.co.uk
Fri Jan 13 19:07:11 UTC 2012


On Fri, 13 Jan 2012 13:59:54 +0000, you wrote:

>What's the appropriate way of inserting different sized images in a theme (e.g. thumb and full-size for a gallery template)?
>
>Can someone point me to a tutorial?
>
>I was using timthumb.php but it seems that's frowned upon.
>
>TIA.

Hi,

I assume you are referring to the security issue with the Timthumb
script when the security wasn't tight enough regarding domains that
could be used for generating thumbnail images from (flickr etc...).
http://markmaunder.com/2011/08/02/technical-details-and-scripts-of-the-wordpress-timthumb-php-hack/

Basically the script was supposed to generate thumbnails from domains
like flickr.com, but thumbnails could be generated from
flickr.anydomain.com, which allowed hackers to insert scripts into
Timthumb's cache folder and activate them (loads of sites were hacked).

That's been fixed in Timthumb 2.*, so it's safe to use:
flickr.anydomain.com no longer works, and if it did, the resultant file
won't activate as a PHP script.

I use it in a premium theme and just in case it's not completely
secure I disabled the option to generate thumbnails from external
sources.

I use timthumb 2.8 and have the settings ALLOW_EXTERNAL and
ALLOW_ALL_EXTERNAL_SITES both set to false, so there's no way an
external site can be used to upload a script. The way I use Timthumb
with my theme, it doesn't really need the external option to generate
the images.

Have all WordPress themes that use Timthumb v1 been updated/removed
from the repository? I still see premium themes that use the
out-of-date version.

David
-- 
http://www.stallion-theme.com/ Stallion WordPress SEO Theme
http://www.stallion-theme.com/stallion-wordpress-seo-plugin Stallion
WordPress SEO Plugin
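Added example (not code from David's theme or from timthumb itself): a
timthumb-config.php with the two settings David mentions switched off, followed
by an illustrative comparison of the loose host match described above (where a
"flickr.com" check also accepted "flickr.anydomain.com") against a strict one.
Assumptions: timthumb 2.x loads an optional timthumb-config.php next to
timthumb.php and lets its define() calls override the built-in defaults; the
host-check functions are hypothetical and not the original timthumb code.

```php
<?php
// --- Part 1: timthumb-config.php (assumption: placed beside timthumb.php,
// where timthumb 2.x require_once()s it before setting its own defaults).
// With both off, timthumb only resizes files already on this server, so no
// remote fetch can ever write attacker-supplied bytes into the cache folder.
define('ALLOW_EXTERNAL', false);           // weak default in old builds: true
define('ALLOW_ALL_EXTERNAL_SITES', false); // never fall back to "any host"

// --- Part 2: why the old allow-list matching was dangerous (illustrative).
// A substring test for an allowed domain also matches hosts that merely
// contain it, which is the flickr.anydomain.com problem described above.
$allowedSites = array('flickr.com', 'picasa.com');

// Weak check (hypothetical): "flickr.com" is found inside "flickr.anydomain.com".
function host_allowed_weak($url, array $allowed)
{
    $host = parse_url($url, PHP_URL_HOST);
    if (!is_string($host)) {
        return false;
    }
    foreach ($allowed as $site) {
        if (strpos(strtolower($host), strtolower($site)) !== false) {
            return true;
        }
    }
    return false;
}

// Strict check (hypothetical): exact host, or a real subdomain ending in
// ".flickr.com"; anything else is refused, including look-alike hosts.
function host_allowed_strict($url, array $allowed)
{
    $host = parse_url($url, PHP_URL_HOST);
    if (!is_string($host) || $host === '') {
        return false;
    }
    $host = strtolower(rtrim($host, '.'));
    foreach ($allowed as $site) {
        $site = strtolower($site);
        if ($host === $site) {
            return true;
        }
        $suffix = '.' . $site;
        $len = strlen($suffix);
        if (strlen($host) > $len && substr($host, -$len) === $suffix) {
            return true;
        }
    }
    return false;
}

// Constructed sample inputs showing the difference.
$tests = array(
    'http://flickr.com/img.jpg',           // allowed by both
    'http://farm1.flickr.com/img.jpg',     // real subdomain: allowed by both
    'http://flickr.anydomain.com/x.jpg',   // weak: allowed, strict: refused
    'http://evil.example/flickr.com/x.jpg' // host is evil.example: both refuse
);
foreach ($tests as $url) {
    printf("%-40s weak=%-5s strict=%s\n", $url,
        host_allowed_weak($url, $allowedSites) ? 'yes' : 'no',
        host_allowed_strict($url, $allowedSites) ? 'yes' : 'no');
}
```

The config part is the only piece a theme needs; the comparison is there to
show why "fixed in 2.*" and "external sources disabled" are separate layers,
and why keeping both settings false is the conservative choice even on a
patched version.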
