Embed images into your WordPress Plugin
On the WordPress forum there was some commotion regarding the GoogleSiteMap Generator plugin's use of base64-encoded content. This set off some stealth virus alerts, as a typical trick is to hide malicious code in these unreadable strings.
#region Embedded resources
if (isset($_GET["res"]) && !empty($_GET["res"])) {
    // Lookup table: resource key => base64-encoded image data
    $resources = array(
        // PayPal
        "{8C0BAD8C-77FA-4842-956E-CDEF7635F2C7}"
            => "R0lGODlhEAAQAMQQANbe5sjT3gAzZpGmvOTp7v///629zYSctK28zb"
            . "vI1ZKnvfH094SbtHaQrHaRrJ+xxf///wAAAAAAAAAAAAAAAAAAAAAAA"
            . "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACH5BAHoAxAALAAAAAA"
            . "QABAAQAVZICSOZDkGQqGuBTqUSMqqiTACwqIKgGkKwCDwVRIodkDVwjYSMFS"
            . "NoCNQIgSugZ6vBMBetSYCj0UwCA6lgyy4YoqWASRAZSYNZNaA+VxM7B5bEA9C"
            . "boGGIyEAOw=="
    );
}
No virus here: Arne Brachhold, the plug-in's author, uses the base64 function to serve up images directly from the plug-in's source code. This is a neat little trick that I will gladly copy into future projects.
Why not just include a separate GIF/JPG file? You can, of course; however, there is no standard way of determining your plug-in's home directory or URL. So instead of creating a custom solution that works most of the time, this is a nice trick that works all of the time.
The second trick is about how to serve the image on request and neatly catch a web browser that is just checking whether its cache is still up to date.
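A way to check a claim like "no virus here" for yourself, as an added example that is not part of the original post or of the plug-in: this Python script pulls the string literals out of a resource array, decodes them, and reports whether each one really is an image. The sample array, its keys and the marker list are constructed for illustration, and only double-quoted literals are handled.

```python
import base64
import binascii
import re
import struct

# Constructed sample (not from any real plugin): one resource is a 1x1 GIF,
# the other decodes to PHP source, which an image table should never hold.
SAMPLE_PHP = '''
$resources = array(
  "logo"  => "R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAA"
           . "LAAAAAABAAEAAAIBRAA7",
  "other" => "PD9waHAgZWNobyAnaGVsbG8nOyA/Pg==",
);
'''

MAGIC = {b"GIF87a": "gif", b"GIF89a": "gif",
         b"\x89PNG\r\n\x1a\n": "png", b"\xff\xd8\xff": "jpeg"}
CODE_MARKERS = (b"<?php", b"eval(", b"<script")

def extract_literals(php_source):
    """Yield (key, value) for "key" => "a" . "b" entries, joining the pieces."""
    entry = re.compile(r'"([^"]+)"\s*=>\s*((?:"[^"]*"[\s.]*)+)')
    for key, body in entry.findall(php_source):
        yield key, "".join(re.findall(r'"([^"]*)"', body))

def classify(b64_text):
    """Decode one literal and report what it really contains."""
    try:
        raw = base64.b64decode(b64_text, validate=True)
    except (binascii.Error, ValueError):
        return "invalid-base64"
    # Checked before the magic bytes, so an image header followed by
    # script text is reported as code rather than as an image.
    if any(marker in raw for marker in CODE_MARKERS):
        return "code"
    for magic, kind in MAGIC.items():
        if raw.startswith(magic):
            if kind == "gif" and len(raw) >= 10:
                # GIF logical screen size: two little-endian 16-bit values.
                width, height = struct.unpack("<HH", raw[6:10])
                return f"gif {width}x{height}"
            return kind
    return "unknown"

def triage(php_source):
    return {key: classify(value) for key, value in extract_literals(php_source)}

if __name__ == "__main__":
    for key, verdict in triage(SAMPLE_PHP).items():
        print(f"{key}: {verdict}")
```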
// Runs inside the isset($_GET["res"]) check shown earlier, after $resources is defined.
if (array_key_exists($_GET["res"], $resources)) {
    // The key only indexes the fixed $resources array; it never builds a file path.
    $key = $_GET["res"];
    $content = base64_decode($resources[$key]);
    // The images live in this file, so its modification time is theirs too.
    $lastMod = filemtime(__FILE__);
    $client = (isset($_SERVER['HTTP_IF_MODIFIED_SINCE'])
        ? $_SERVER['HTTP_IF_MODIFIED_SINCE'] : false);
    // Checking if the client is validating its cache and if it is current.
    // $client is always set at this point, so compare against false instead of using isset().
    if ($client !== false && strtotime($client) == $lastMod) {
        // Client's cache IS current, so we just respond '304 Not Modified'.
        header('Last-Modified: ' . gmdate('D, d M Y H:i:s', $lastMod) . ' GMT', true, 304);
        exit;
    } else {
        // Image not cached or cache outdated, we respond '200 OK' and output the image.
        header('Last-Modified: ' . gmdate('D, d M Y H:i:s', $lastMod) . ' GMT', true, 200);
        header('Content-Length: ' . strlen($content));
        header('Content-Type: image/gif');
        echo $content;
        exit;
    }
}
The above code sits outside of any function, directly in the plug-in source, so it is executed as WordPress loads each plug-in into memory and before it starts calling any of the filter and action hooks.
http://blogmechanics.net/?res={8C0BAD8C-77FA-4842-956E-CDEF7635F2C7}
It checks whether the "res" parameter is passed to your blog in the URL. If so, it loads the images, finds the one that matches, serves it up and exits immediately.
The only drawback of catching a URL this early is that the images are always available, also outside of the administration panel. Just click the link above: it works and will display the PayPal logo.
