
MG2 0.5.1 migration to PHP 8

Introduction

MG2 0.5.1 (formerly MiniGal) is a very simple image gallery written by Thomas Rybak (www.minigal.dk). It was released on 28 Feb 2005.

I have been using it since September 2011, probably on PHP 5.1 back then, and all was fine through many years on PHP 5.x, until the migration to PHP 7.4, however …

Status

… it doesn’t work on PHP 7.4 / PHP 8

I checked whether a newer release was available, but unfortunately the www.minigal.dk domain went offline sometime between July 9, 2018 and Aug 3, 2018.

Not only that: going back in time with web.archive.org shows that the software was not being actively developed even in 2009:

Download MG2 0.5.1

MG2 is not being actively developed at this time.

www.minigal.dk (Aug 18, 2009)

Faced with the choice of what to do, I considered moving to a different image gallery script, but MG2 is really simple: it relies on a flat text file as its database, and it is easy to use; you just upload a bunch of new images and then associate them with a new (or existing) album. Not only that, but I have other scripts that use the pictures/ folder, and those scripts would also need migrating.

On the other hand, all modern galleries come with their own specific database, so I would have to understand the existing database format to be able to reconstruct the albums into the new layout / database structure and then migrate. And who knows how long the new gallery would be supported? New software also looks nice in demo mode, where everything is carefully chosen to look perfect, but this illusion lasts only until you actually have to use it. Then the issues start appearing: the layout breaks or is ugly with your specific set of images, navigation may not be so smooth, themes are heavyweight, etc.

It was obvious that, irrespective of the path, I would still have to migrate MG2 to at least PHP 7.4 (if only to be able to understand its database format).

Setting up migration PHP 5 to PHP 7.4

Searching the internet for the best way to migrate from PHP 5 to PHP 7.4 reveals a tedious approach: you have to actually run the code in PHP 7.4 and fix every bug / warning that appears.

This holds true. Once I figured out how to fix an error / warning, I looked for similar code and fixed that too – this is a very good way to get familiar with the code base and make sure I was not forgetting some corner-case code.

For the migration I used a fresh Windows 10 instance running:

  1. Visual Studio Code 1.59 (July 2021)
  2. XAMPP 7.4.22 (PHP 7.4.22)

For finding bugs / security issues:

  1. SonarQube Community Edition 9.0.1 (with PHP support)
  2. Zed Attack Proxy (ZAP) 2.10.0
  3. Wapiti 3.0.5

I tried to use PHP Mess Detector, but it was not useful. Run against MG2, it mostly complained about variables not being in camel case, or constantly alerted that “else clauses are basically not necessary and you can simplify the code by not using them”. Interesting that else is considered an anti-pattern – are we going back to assembly language, jumps xor fall-throughs?

While I understand the need to enforce a code style when working in a team, and there is definitely a place for PHPMD, I would like to preserve the legacy of MG2 and not modify variable names nor rewrite code to exclude else clauses.

Additionally, some CVEs were reported over the years, and they would have to be tackled too during this revival of the MG2 gallery.

CVEs

MG2 (Minigal) 0.5.1 has a few known vulnerabilities:

CVE-2005-3432 – MiniGal 2 (MG2) 0.5.1 allows remote attackers to list password protected images via a request to index.php with the list parameter set to * (wildcard) and the page parameter set to all.

CVE-2006-0493 – Cross-site scripting (XSS) vulnerability in MG2 (formerly known as Minigal) 0.5.1 allows remote attackers to inject arbitrary web script or HTML via the Name field in a comment associated with a picture.

CVE-2008-1228 – Cross-site scripting (XSS) vulnerability in admin.php in MG2 (formerly Minigal) allows remote attackers to inject arbitrary web script or HTML via the list parameter in an import action.

All three stem from not validating input data (and, for the two XSS issues, from echoing that data back into HTML without encoding it).

Code archeology

After a closer analysis of the code I was impressed: all the code uses IDs to fetch data and show pages, which means that the fix is easy. Before the code starts using the $_REQUEST array, every ID has to be validated as an integer, and if it is not one, it is replaced with the value 1. A wildcard such as the list=* of CVE-2005-3432, or a script fragment in the list parameter, never reaches the page logic this way.

There was an admin import action that could be triggered without being admin, described by CVE-2008-1228 above. I have moved this code after the security checks, instead of before them.
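The two fixes above, as an added example that is not MG2's own code: every ID-carrying request parameter is validated as a positive integer before any page logic runs (falling back to 1, as described), the admin-only import action is reachable only after the session check, and a small output encoder covers the remaining places where request data is echoed back into HTML. The parameter names (list, page, id, album, action), the session flag and the import callback are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not MG2's own code. Parameter names and helpers are assumed.

/**
 * Return the request parameter $name as a positive int, or $default when it is
 * missing, not a string, non-numeric or out of range. "*", "all", "", "01",
 * "1.5", "1 OR 1=1" and an array value (?list[]=1) all fall back to $default.
 */
function mg2_int_param(array $request, string $name, int $default = 1): int
{
    if (!array_key_exists($name, $request) || !is_string($request[$name])) {
        return $default;
    }
    // FILTER_VALIDATE_INT rejects leading zeros, floats, whitespace and any
    // non-numeric text; min_range rejects 0 and negatives, so a validated ID
    // is always usable directly as a database / album index.
    $id = filter_var($request[$name], FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    return $id === false ? $default : $id;
}

/** Sanitize every ID parameter in one place, before the page logic reads $_REQUEST. */
function mg2_clean_request(array $request): array
{
    foreach (['list', 'page', 'id', 'album'] as $name) {   // assumed ID parameters
        $request[$name] = mg2_int_param($request, $name, 1);
    }
    return $request;
}

/** Encode anything that still has to be printed into HTML (attribute or text). */
function mg2_h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Admin dispatch with the authentication check first: no action, including
 * "import", is reachable by an anonymous request. $import is the real
 * importer (assumed signature: takes the album ID).
 */
function mg2_admin_dispatch(array $request, bool $isAdminSession, callable $import): string
{
    if (!$isAdminSession) {
        return 'login';                // nothing below this line runs unauthenticated
    }
    if (($request['action'] ?? '') === 'import') {
        $import($request['list']);     // already an int thanks to mg2_clean_request()
        return 'imported';
    }
    return 'admin';
}

// Constructed hostile request in the shape of CVE-2005-3432 / CVE-2008-1228.
$raw   = ['list' => '*', 'page' => 'all', 'id' => '7', 'action' => 'import'];
$clean = mg2_clean_request($raw);
// $clean['list'] === 1, $clean['page'] === 1, $clean['id'] === 7

$imported = [];
echo mg2_admin_dispatch($clean, false, function (int $album) use (&$imported) {
    $imported[] = $album;
}), "\n";                             // "login", and $imported stays empty
echo mg2_admin_dispatch($clean, true, function (int $album) use (&$imported) {
    $imported[] = $album;
}), "\n";                             // "imported", with $imported === [1]
echo mg2_h('<script>alert(1)</script>'), "\n";
```

Two caveats worth keeping in mind when applying this to a real gallery: validating the IDs removes the reflected-XSS vector of CVE-2008-1228 because the list parameter can no longer carry markup, but any free-text field that is still rendered (the comment Name field of CVE-2006-0493, if comments are ever re-enabled) needs the output encoder, not just input checks; and falling back to 1 silently turns a typo in a bookmarked URL into album 1, which is fine for a gallery but would be the wrong default for anything that writes data.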

Comments were too time-consuming to fix, as the code sanitized user input in a very simplistic way. And since these days any comment form also needs protection against spam bots, that was too much work for a feature I don’t use. Better to keep it disabled.

Migrating from PHP 7.4 to PHP 8.0

The changes were mostly about even stricter checks on variables and array accesses (the “Undefined offset” / “Undefined index” notices, which PHP 8 reports as the “Undefined array key” warning).

More bugs revealed themselves (for example, an incorrectly formatted root folder entry once a gallery is set up). These posed no problem in PHP 4/5, which did not complain about missing indexes, etc., but they had to be fixed for PHP 7 / 8. Plus many other smaller things.
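An added example of the two things this section and the migration setup describe, not code from MG2: a handler that turns every notice, warning and deprecation into an exception so a PHP 7.4 / 8 run stops at the exact line that needs fixing, and a flat-file record parser shown before and after the “Undefined offset” fix. MG2’s real record layout is not on this page, so the "|"-separated four-field record below is an assumption, as is album 1 being the root/default album.

```php
<?php
declare(strict_types=1);

// Added example, not MG2's own code. The record layout is assumed.

/**
 * Migration aid: promote E_NOTICE / E_WARNING / E_DEPRECATED to exceptions so
 * the first undefined offset aborts the request with file and line, instead of
 * scrolling past in the log. Install only while migrating, not in production.
 */
function mg2_install_strict_handler(): void
{
    error_reporting(E_ALL);
    set_error_handler(static function (int $no, string $str, string $file, int $line): bool {
        throw new ErrorException($str, 0, $no, $file, $line);
    });
}

/**
 * Before: one line of an assumed "id|file|title|album" record. PHP 4/5 silently
 * yielded null for a missing trailing field; PHP 7.4 emits "Undefined offset: 2",
 * PHP 8 emits the warning "Undefined array key 2".
 */
function mg2_parse_record_unsafe(string $line): array
{
    $f = explode('|', $line);
    return ['id' => (int) $f[0], 'file' => $f[1], 'title' => $f[2], 'album' => (int) $f[3]];
}

/**
 * After: each field gets an explicit default via the null-coalescing operator.
 * Only silence a key this way where the default is meaningful; a record that
 * is short because the file is corrupt should instead be fixed in the data.
 */
function mg2_parse_record(string $line): array
{
    $f = explode('|', rtrim($line, "\r\n"));
    return [
        'id'    => (int) ($f[0] ?? 0),
        'file'  => $f[1] ?? '',
        'title' => $f[2] ?? '',
        'album' => (int) ($f[3] ?? 1),   // assumed: 1 is the root/default album
    ];
}

// Constructed input: the second record is short, the kind of entry that only
// started to matter once PHP began reporting missing indexes.
$lines = ["1|img001.jpg|Sunset|2\n", "2|img002.jpg\n"];

mg2_install_strict_handler();
foreach ($lines as $line) {
    try {
        mg2_parse_record_unsafe($line);
        echo "unsafe parser: ok\n";
    } catch (ErrorException $e) {
        // second line: "stopped at ...:NN: Undefined array key 2" on PHP 8
        echo "stopped at {$e->getFile()}:{$e->getLine()}: {$e->getMessage()}\n";
    }
    print_r(mg2_parse_record($line));
}
restore_error_handler();
```

Running this under PHP 7.4 and PHP 8 side by side shows why the second migration step was needed: the same short record is a notice in 7.4 and a warning in 8, and with the strict handler installed both become a hard stop, which is exactly the "run it and fix every warning" loop described above, just with the search for the next problem automated.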

Summary

The updated code resides here: https://bitbucket.org/viulian/mg2

The goal was to keep the original code as unchanged as possible, while fixing the known CVEs and making it run smoothly on PHP 8.0.

6 Comments

  1. Great to see your update work on MG2 🙂

    But the easiest way to get PHP 7 to 8 compatibility is to simply use the updated version of MG2 that exists under the name “kh_mod”:
    http://www.minigal.de

    By the way, the next update will be released there on 04 March 2023 for PHP 7.0 to 8.2

  2. Comment by post author

    Happy to see you resumed the work on the script!

    I remember encountering your website when trying to figure out how to keep my gallery running. Was impressed by the features that were added.

    Reviewing your change-log now, what kept me back was probably the fact that in 2021 kh_mod was still on PHP 7? I don’t remember exactly if this was the reason, but the easiest for me was to just migrate the existing code to PHP 8 without the overhead of other features to be migrated too.

    Since I don’t consider adding any features, and I am not enabling the comments, you are right, the best choice for newcomers would be to use your version. Thank you for reaching out 🙂

  3. > probably the fact that in 2021, kh_mod was still on PHP7 ?
    That’s right.

    > Since I don’t consider adding any features, not enabling the comments
    The current version of kh_mod looks a bit big. But that’s only because I’ve included all the addons. In March, I will also release a minimal version, which will be much smaller. I’d highly recommend installing the current version, especially version 0.4.9. The code is much cleaner and changes or adaptations are easier to integrate 🙂

    There is also a really nice feature in this version for the presentation of images. The slideshow can also be displayed with Colorbox (lightbox effect). Appropriately large images will then be automatically scaled to the size of the browser window. You can see a demo there:
    http://www.tangata.de/kh_mod_049/

    BTW, data from MG2 can also be imported into kh_mod …

  4. Just for information: kh_mod 0.4.9 is finished and can be downloaded:
    http://www.tangata.de/kh_mod/index.php?aktion=3

    The new version supports PHP 7.0 to 8.2. The nicest feature for me is the presentation of the slideshow with Colorbox. So, appropriately large images will be automatically scaled to the size of the browser window.

    More information about the new version can be found here:
    http://www.tangata.de/kh_mod/index.php?aktion=1

  5. afig

    Thanks for the update. When I install it, it reports the following:

    property mg2db::$gd_version_number is deprecated in \viulian-mg2\includes\mg2_functions.php on line 522

    My host environment is Apache/2.4.57 (Win64), PHP/8.2.6 x64, Windows 10.

    Thanks!

  6. @afig: It looks like you are using an old version of kh_mod. In the current version 0.4.9 the property ‘gd_version_number’ doesn’t exist. So, I can only recommend that you update your installation to the current version 0.4.9 of kh_mod.

    BTW, please use the support request form on the kh_mod website, thanks:
    http://www.tangata.de/kh_mod/index.php?aktion=6
