dan-coulter/phpflickr

Code needs updates for revised Flickr API

Closed this issue · 6 comments

Flickr has made a couple of changes to its API that break the current code and example. The API now requires SSL. Modify phpFlickr.php by adding the following two lines after line 227:

curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 0);

The response has also changed and example.php does not work. Replace code in example.php with the following:

$apiKey = "yourKey";
require_once("phpFlickr.php");

$f = new phpFlickr($apiKey);

$response = $f->photos_getRecent();

// check that response is array
echo "response: " . gettype($response) . "\n";

ListResponseElements($response);

function ListResponseElements($response, $indent = "") {
    $indent .= "    ";
    foreach ($response as $key => $value) {
        if (is_array($value)) {
            echo "$indent array: $key; Count: " . count($value) . "\n";
            ListResponseElements($value, $indent);
        }
        else {
            // list non-array elements
            echo "$indent key: $key; value: $value\n";
        }
    }
}

When I use photosets_getList in this example, I get response: boolean. Is it possible that I need to change something in the script?

I wouldn't have got this working without this comment - thanks!
However it does produce a slight security hole as described here: https://learntech.imsu.ox.ac.uk/blog/?p=981
The short version is that you should supply a Certificate bundle to CURL instead of turning SSL verification off.

Phil –

Were you able to successfully implement a curl certificate bundle? I downloaded the .pem file and included the curl option CURLOPT_CAINFO in my script as suggested in the article you referenced. I receive the same message I received prior to disabling VerifyPeer and VerifyHost:

SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

According to this post, CURLOPT_CAINFO essentially implements curl’s default behavior.
http://security.stackexchange.com/questions/60696/curl-cert-validation-with-curlopt-cainfo-not-working

My code after line 227 of phpFlickr.php is as follows:

            $CertBundlePath = realpath("includes/cacert.pem");
            curl_setopt($curl, CURLOPT_CAINFO, $CertBundlePath);
            //curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, 0);
            //curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 0);
            $response = curl_exec($curl);
            if (curl_errno($curl)) {
                echo 'Curl error: ' . curl_error($curl);
            }
            curl_close($curl);

Thanks,
Chris

From: Phil Banks [mailto:notifications@github.com]
Sent: Monday, June 01, 2015 5:26 AM
To: dan-coulter/phpflickr
Cc: Chris Sandvig
Subject: Re: [phpflickr] Code needs updates for revised Flickr API (#57)

I wouldn't have got this working without this comment - thanks!
However it does produce a slight security hole as described here: https://learntech.imsu.ox.ac.uk/blog/?p=981
The short version is that you should supply a Certificate bundle to CURL instead of turning SSL verification off.



Hi Chris,

I'm working on something else at the moment and haven't fully implemented this - but it is being used by a WordPress plugin I use called Flickr Justified Gallery, the cURL statement looks like:

$curl = curl_init($this->rest_endpoint);
curl_setopt($curl, CURLOPT_POST, true);
curl_setopt($curl, CURLOPT_POSTFIELDS, $data);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
curl_setopt($curl, CURLOPT_CAINFO, dirname(__FILE__) . "/cacert.pem");
$response = curl_exec($curl);
if ($response === false) {
    die('CURL error: "' . curl_error($curl) . '"');
}
curl_close($curl);

It looks like you're implementing it in the same way. My only query would be the realpath() function, I've not used it before, so I'd check by dumping the output - as in put a test.php in the same directory with just:

<?php
var_dump(realpath("includes/cacert.pem"));

and see if the path it outputs is correct. Sorry I can't be more help! I'll try and remember to come back and update this when I finish setting it up myself in case I find anything else.

Chris - just one more thing - you could always try explicitly specifying that it should do the SSL verification with:

curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);

All the best,
Phil
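
Added example, not code from this thread or from phpFlickr: the verified request discussed above, with the CA bundle path resolved relative to the script and checked before cURL uses it, so a `realpath()` result of `false` is reported instead of being handed to `CURLOPT_CAINFO`. The function names, the `cacert.pem` location and the endpoint and method in the demo call are assumptions.

```php
<?php
// Added example, not phpFlickr's own code.
// Assumptions: cacert.pem sits beside this file; the endpoint and method are illustrative.

function resolveCaBundle($relativePath)
{
    // Anchor to this file's directory rather than the process's working
    // directory, which a bare realpath("includes/cacert.pem") depends on.
    $path = realpath(__DIR__ . '/' . $relativePath);
    if ($path === false || !is_readable($path)) {
        throw new RuntimeException("CA bundle not found or unreadable: $relativePath");
    }
    // A usable PEM bundle contains at least one certificate block.
    if (strpos(file_get_contents($path), '-----BEGIN CERTIFICATE-----') === false) {
        throw new RuntimeException("No PEM certificates in: $path");
    }
    return $path;
}

function verifiedPost($endpoint, array $data, $caBundle)
{
    $curl = curl_init($endpoint);
    curl_setopt($curl, CURLOPT_POST, true);
    curl_setopt($curl, CURLOPT_POSTFIELDS, $data);
    curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, true); // validate the chain against the bundle
    curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 2);    // certificate name must match the host
    curl_setopt($curl, CURLOPT_CAINFO, $caBundle);

    $response = curl_exec($curl);
    if ($response === false) {
        $message = curl_errno($curl) . ': ' . curl_error($curl);
        curl_close($curl);
        throw new RuntimeException("cURL error $message");
    }
    curl_close($curl);
    return $response;
}

try {
    $bundle = resolveCaBundle('cacert.pem');
    echo verifiedPost('https://api.flickr.com/services/rest/',
        array('method' => 'flickr.test.echo'), $bundle);
} catch (RuntimeException $e) {
    echo 'Request failed: ' . $e->getMessage() . "\n";
}
```
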

Dear csandvig, could you help me update the original example.php from phpFlickr?
It's not working yet:

foreach ($recent['photos'] as $photo) {

if(is_array($photo)) {
	$owner = $f->people_getInfo($photo['owner']);
	echo "<a href='https://www.flickr.com/photos/" . $photo['owner'] . "/" . $photo['id'] . "/'>";
	echo $photo['title'];
	echo "</a> Owner: ";
	echo "<a href='https://www.flickr.com/people/" . $photo['owner'] . "/'>";
	echo $owner['username'];
	echo "</a><br>";
}

}

thanks !