Many themes for WordPress, particularly commercial and premium themes, make use of the handy timthumb.php utility for resizing images dynamically (on the fly). In recent weeks, major security flaws were discovered with the popular utility. These were promptly repaired, but it still didn't provide support for multi-site installations. So … we've added this capability to the latest 2.8 version.
Now, you have enhanced security … plus you can use our minor update as a direct replacement on single or multi-site installations. You can view the source code here.
Before we cover the updates, let me apologize for my recent lack of blog posts. Health issues have slowed me down a bit and made it more difficult to concentrate. But, this long-missing multi-site capability only requires 11 lines of additional code.
The Security Issues and Update
Because timthumb.php is commonly embedded in themes, it's not easy to update it as a discrete unit the way you could if the code were a plug-in. That fact, coupled with the severity of the flaw, made this one of the more serious issues WordPress has seen in a long while … precisely because the vulnerable code lived neither in the core files nor in a plug-in.
However, the incident brought out the best in the WP community. The core team sprang into action searching through the free themes directory to inoculate any themes that contained the dangerous code. Community blogs quickly got the word out about the problem so people were aware of it.
Mark Maunder, who originally discovered and described the problem, created a fork of the code called WordThumb that rewrote TimThumb from the ground up … an amazingly quick and well-executed feat. However, forking is not usually ideal because it fragments the market for users. So … Mark soon connected with Ben Gillbanks, a long-time WordPress community member, and they joined forces to release TimThumb 2.0 … a collaboration that exemplified Open Source at its finest.
This process also illustrated the original vision Matt Mullenweg had behind VaultPress … reporting early and emailing customers with vulnerable code. The following morning, the core team began surgically correcting vulnerable code on over 700 affected websites. This fixing-problems-while-you-sleep delighted users and is exactly the kind of problem Matt hoped VaultPress would solve for people … and it underscores the value of the service.
You can visit the project home for TimThumb to get the very latest version … which is 2.8. However, as stated in our introduction, this version still only works with single site installations.
The file is usually in the root folder of a theme that uses it. However, some themes have it renamed to thumb.php.
Because the security risk with older versions is high, it's a good idea to search through all themes on your WP installation.
Also, most themes simply use TimThumb on the fly. However, a few themes retain a cache of the post thumbnails using TimThumb only when the blog post is saved or updated. If your theme makes use of post thumbnail images in this manner, you'll probably want to regenerate all of the thumbnails at once (after the TimThumb upgrade) using a plug-in like this one.
Implementing the Easy Multi-site Patches
You can view the source code here. And, you can download the ZIP file here:
timthumb.zip (size: 14.6 KiB)
This is a direct replacement. But, you might want to rename your theme's current file to timthumb_ORG.php before uploading to your server. It would also be a good idea to clear TimThumb's cache folder of all resized images since they'll be recreated (using the newer file naming syntax) as needed.
Below, you'll find the short pieces of code that enable the multi-site capability. These PHP source revisions are described line by line so that you can more readily apply them to future releases of TimThumb, if you like.
Find the three commented lines (lines 1 thru 3 here) in the latest timthumb.php file (lines 127 thru 129 in version 2.8) … then INSERT the next two (lines 5 and 6 here) right after them. This gives an external (non-WordPress) utility like timthumb.php access to core WP data. In this case, we need to determine (later) whether the multi-site feature is enabled and to be able to get the Blog ID for the current site in the network.
1  // -------------------------------------------------------------
2  // -------------- STOP EDITING CONFIGURATION HERE --------------
3  // -------------------------------------------------------------
4
5  // MULTISITE FIX by LukeAmerica 2011-08-22 (part 1 of 2) (2 at line #805)
6  require( $_SERVER['DOCUMENT_ROOT'] . '/wp-load.php' );
Now, find the first two lines listed below (the class function declaration and variable assignment, lines 792 and 793 in timthumb.php v2.8). Then, just INSERT the subsequent 9 lines of code (lines 4 thru 12 here).
First, we determine if multi-site is enabled. If so, we get the current blog's ID. Finally, we append the document root (server path) with the multi-site location of the original image file (PNG, JPG, or GIF).
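As an added illustration (not the author's patch and not TimThumb's own code), the function below shows the kind of path resolution the second part of the patch performs: pick the upload base for the current blog, map a site-relative "src" onto it, and confirm the result stays inside that base. It assumes the WordPress 3.0-era multi-site layout wp-content/blogs.dir/<blog_id>/files/ for sub-sites and that wp-load.php has already been required so is_multisite() and get_current_blog_id() exist; the helper name and the sample path are constructed.

```php
<?php
// Added example: resolve a TimThumb "src" parameter to a local image file on a
// WordPress multi-site install. Assumes the pre-3.5 layout
// wp-content/blogs.dir/<blog_id>/files/ and that wp-load.php is loaded.
function ms_local_image_path( $src, $document_root, $blog_id = null ) {
    // Only the image types TimThumb resizes are accepted (assumed list).
    $allowed_ext = array( 'png', 'jpg', 'jpeg', 'gif' );

    // Site-relative paths only; strip any query string and leading slash.
    $src = ltrim( (string) strtok( $src, '?' ), '/' );
    $ext = strtolower( pathinfo( $src, PATHINFO_EXTENSION ) );
    if ( ! in_array( $ext, $allowed_ext, true ) ) {
        return false;
    }

    // Use the WordPress API when a blog id was not supplied explicitly.
    if ( $blog_id === null ) {
        $blog_id = ( function_exists( 'is_multisite' ) && is_multisite() )
            ? (int) get_current_blog_id() : 0;
    }

    if ( $blog_id > 1 ) {
        // Sub-site uploads are requested as /files/... and stored in blogs.dir.
        $base = $document_root . '/wp-content/blogs.dir/' . $blog_id . '/files';
        $rel  = preg_replace( '#^files/#', '', $src );
    } else {
        // Main site or single-site install keeps the normal uploads tree.
        $base = $document_root . '/wp-content/uploads';
        $rel  = preg_replace( '#^wp-content/uploads/#', '', $src );
    }

    // Canonicalise both ends so "../" segments cannot escape the upload base.
    $base_real = realpath( $base );
    $file_real = realpath( $base . '/' . $rel );
    if ( $base_real === false || $file_real === false ) {
        return false; // base missing or file does not exist
    }
    if ( strpos( $file_real, $base_real . DIRECTORY_SEPARATOR ) !== 0 ) {
        return false; // resolved outside the site's upload directory
    }
    return $file_real;
}

// Constructed usage: on blog 3, a src of '/files/2011/08/photo.jpg' resolves to
// <document root>/wp-content/blogs.dir/3/files/2011/08/photo.jpg when present.
$path = ms_local_image_path( '/files/2011/08/photo.jpg', $_SERVER['DOCUMENT_ROOT'], 3 );
```

Returning false for anything that does not resolve to an existing file under the expected upload base keeps the resizer from ever being pointed at arbitrary files on the server.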
Again … these simple lines of code allow the very popular image resizing utility to work with both single-site and multi-site installations. However, WordPress 3.0 or greater is required.
NOTES: