[geeklog-devtalk] geeklog-devel digest, Vol 1 #249 - 4 msgs
geeklog-devel-request at lists.geeklog.net
Thu Jan 8 13:00:10 EST 2004
Send geeklog-devel mailing list submissions to
geeklog-devel at lists.geeklog.net
To subscribe or unsubscribe via the World Wide Web, visit
http://lists.geeklog.net/listinfo/geeklog-devel
or, via email, send a message with subject or body 'help' to
geeklog-devel-request at lists.geeklog.net
You can reach the person managing the list at
geeklog-devel-admin at lists.geeklog.net
When replying, please edit your Subject line so it is more specific
than "Re: Contents of geeklog-devel digest..."
Today's Topics:
1. Re: Testing of getimage.php (Dirk Haun)
2. Re: Testing of getimage.php (Vincent Furia)
3. Re: Testing of getimage.php (Tony Bibbs)
4. Feature Idea... (Tony Bibbs)
--__--__--
Message: 1
From: "Dirk Haun" <dirk at haun-online.de>
To: <geeklog-devel at lists.geeklog.net>
Subject: Re: [geeklog-devel] Testing of getimage.php
Date: Wed, 7 Jan 2004 19:52:33 +0100
Organization: Terra Software Systems
Reply-To: geeklog-devel at lists.geeklog.net
Tony,
>My only real issue with what I have done is security. I'm worried that
>it may be possible to hack the getstring in a way that may allow access
>to unrestricted files.
Since you're including lib-common.php in the very first line, which then
goes on to include config.php (all with hard-coded paths), it would
overwrite whatever path was passed in the URL. So that shouldn't be a problem.
The only issue would come up if someone doesn't have the
$_CONF['path_images'] defined in their config.php (e.g. because they were
using an old copy). But that would probably be noticed before any hacking
attempts ...
>and I am checking for '..' in the image name for someone that
>may try using relative paths
That certainly can't hurt.
>If you get a chance, give it a try.
Haven't tried it yet, the above were just thoughts after looking at the
source.
bye, Dirk
--
http://www.haun-online.de/
http://www.macosx-faq.de/
--__--__--
Message: 2
Date: Wed, 07 Jan 2004 23:41:31 -0500
From: Vincent Furia <vmf at abtech.org>
To: geeklog-devel at lists.geeklog.net
Subject: Re: [geeklog-devel] Testing of getimage.php
Reply-To: geeklog-devel at lists.geeklog.net
Tony,
I'd recommend using the php function "basename()" on the $image
variable. That way there will be no way to sneak a path in... Also,
check to see if those $_CONF variables are empty. If not I could see
that causing some problems in the future. Also, for future reference,
rather than checking for ".." in a pathname you can use the "realpath()"
function to resolve "..", ".", and symbolic links to the actual path to
a file.
Hope this helps.
-Vinny
Dirk Haun wrote:
>Tony,
>
>>My only real issue with what I have done is security. I'm worried that
>>it may be possible to hack the getstring in a way that may allow access
>>to unrestricted files.
>
>Since you're including lib-common.php in the very first line, which then
>goes on to include config.php (all with hard-coded paths), it would
>overwrite whatever path was passed in the URL. So that shouldn't be a problem.
>
>The only issue would come up if someone doesn't have the
>$_CONF['path_images'] defined in their config.php (e.g. because they were
>using an old copy). But that would probably be noticed before any hacking
>attempts ...
>
>>and I am checking for '..' in the image name for someone that
>>may try using relative paths
>
>That certainly can't hurt.
>
>>If you get a chance, give it a try.
>
>Haven't tried it yet, the above were just thoughts after looking at the
>source.
>
>bye, Dirk
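As an added example, not Geeklog's own getimage.php, the following PHP puts together Dirk's point about an undefined $_CONF['path_images'] and Vinny's basename()/realpath() advice: it resolves a requested image name inside the images directory and refuses anything that ends up outside it. The function name, the temporary demo directory and the final prefix check are assumptions, not anything from the list discussion.

```php
<?php
// Added example, not Geeklog's own getimage.php: resolve a user-supplied image
// name inside $_CONF['path_images'] and refuse anything that escapes it.
// Assumes path_images is the absolute images directory as config.php sets it.

function get_safe_image_path(array $conf, $image)
{
    // An undefined or empty base path (e.g. an old config.php) would make the
    // lookup relative to an unintended directory, so refuse outright.
    if (empty($conf['path_images'])) {
        return false;
    }
    $base = realpath($conf['path_images']);
    if ($base === false) {
        return false;
    }
    // basename() drops every directory component, so "../x" becomes "x" and
    // can only be looked up inside the images directory.
    $name = basename($image);
    if ($name === '' || $name === '.' || $name === '..') {
        return false;
    }
    // realpath() resolves ".", ".." and symlinks; it returns false when the
    // file does not exist.
    $full = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($full === false) {
        return false;
    }
    // Defence in depth: a symlink inside the images directory could still
    // point elsewhere, so the canonical path must stay under the canonical base.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($full, $prefix, strlen($prefix)) !== 0) {
        return false;
    }
    return $full;
}

// Constructed demo: a temporary images directory holding one real file.
$tmp = sys_get_temp_dir() . '/getimage_demo_' . getmypid();
mkdir($tmp . '/images', 0700, true);
file_put_contents($tmp . '/images/logo.gif', 'GIF89a');
$CONF = array('path_images' => $tmp . '/images/');
foreach (array('logo.gif', '../images/logo.gif', 'no-such.gif') as $img) {
    var_dump(get_safe_image_path($CONF, $img));
}
var_dump(get_safe_image_path(array(), 'logo.gif'));  // empty config
unlink($tmp . '/images/logo.gif');
rmdir($tmp . '/images');
rmdir($tmp);
```

The first two requests resolve to the same file because basename() discards the relative prefix, while the missing file and the empty configuration both come back false.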
--__--__--
Message: 3
Date: Thu, 08 Jan 2004 08:21:40 -0600
From: Tony Bibbs <tony at tonybibbs.com>
To: geeklog-devel at lists.geeklog.net
Subject: Re: [geeklog-devel] Testing of getimage.php
Reply-To: geeklog-devel at lists.geeklog.net
Good ideas, I'll put those in. Hey, I'm not sure where the module API
stuff for GL2 is but could you update me where we left off?
--Tony
Vincent Furia wrote:
> Tony,
>
> I'd recommend using the php function "basename()" on the $image
> variable. That way there will be no way to sneak a path in... Also,
> check to see if those $_CONF variables are empty. If not I could see
> that causing some problems in the future. Also, for future reference,
> rather than checking for ".." in a pathname you can use the "realpath()"
> function to resolve "..", ".", and symbolic links to the actual path to
> a file.
>
> Hope this helps.
>
> -Vinny
>
> Dirk Haun wrote:
>
>> Tony,
>>
>>> My only real issue with what I have done is security. I'm worried
>>> that it may be possible to hack the getstring in a way that may allow
>>> access to unrestricted files.
>>
>> Since you're including lib-common.php in the very first line, which then
>> goes on to include config.php (all with hard-coded paths), it would
>> overwrite whatever path was passed in the URL. So that shouldn't be a
>> problem.
>>
>> The only issue would come up if someone doesn't have the
>> $_CONF['path_images'] defined in their config.php (e.g. because they were
>> using an old copy). But that would probably be noticed before any hacking
>> attempts ...
>>
>>> and I am checking for '..' in the image name for someone that may try
>>> using relative paths
>>
>> That certainly can't hurt.
>>
>>> If you get a chance, give it a try.
>>
>> Haven't tried it yet, the above were just thoughts after looking at the
>> source.
>>
>> bye, Dirk
--__--__--
Message: 4
Date: Thu, 08 Jan 2004 08:57:44 -0600
From: Tony Bibbs <tony at tonybibbs.com>
To: Geeklog <geeklog-devel at lists.geeklog.net>
Subject: [geeklog-devel] Feature Idea...
Reply-To: geeklog-devel at lists.geeklog.net
OK, Iowa Outdoors is reaching critical mass. It is to the point where it
consumes a lot of my personal time outside of work, working on GL,
spending time with the family and, of course, hunting and fishing.
My biggest problem now is managing submissions. I get some submissions
multiple times and I also get emails asking me "why didn't my submission
show up" despite the hints submit.php gives and the entries in the FAQ.
What I am proposing is that users be able to see items they have
submitted while still in the queue. Complementing this I'd like to see
a generic email sent out when submissions are deleted and if you are in
an editor when you do the delete (as opposed to moderation.php) I'd like
to be able to select a delete reason from a pre-determined list or be
able to hand-enter a custom reason.
I'll add this to the feature request on the project site but I wanted to
bring this up for discussion. Thoughts or ideas?
--Tony
--__--__--
_______________________________________________
geeklog-devel mailing list
geeklog-devel at lists.geeklog.net
http://lists.geeklog.net/listinfo/geeklog-devel
End of geeklog-devel Digest