[Xerte-dev] Re: Fixes last night (XOT)

Julian Tenney Julian.Tenney at nottingham.ac.uk
Tue Mar 6 09:54:42 GMT 2012


It's used to get RSS feeds in. We don't know what they might be.

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat Lockley
Sent: 06 March 2012 09:54
To: For Xerte technical developers
Subject: [Xerte-dev] Re: Fixes last night (XOT)

RSS proxy is used by the googlemaps page and the wikipedia page?

So it's a basic URL?

yes if someone makes a new page it's a problem

Alternatively, rewrite the Flash to post variables at rss_proxy
instead, and pass a per-site token that identifies the content.

How you deal with exported pages I don't know.

On Tue, Mar 6, 2012 at 8:10 AM, Ron Mitchell <ronm at mitchellmedia.co.uk> wrote:
> I added this to the issue page but thought I'd post here too....
>
> Not sure it's practical to have a whitelist - too many potential URLs that
> users might add to the relevant XOT page and unrealistic for someone with
> access to the code or management.php to keep adding new allowed URLs upon
> request. Isn't there a way to restrict rss_proxy.php so that it can't be
> accessed via browser and can only be called from relevant XOT code?
>
> Sorry I might be mis-understanding the risk but in a big college or
> University I can't see it being practical to have and manage a whitelist.
>
> HTH
> Ron
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk
> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of David Goodwin
> Sent: 06 March 2012 07:38
> To: For Xerte technical developers
> Subject: [Xerte-dev] Fixes last night (XOT)
>
> Hi
>
> I made some fixes to XOT trunk last night - so you can at least install and
> login as a new user. (I did a full install and used demo.php to login).
> Again this breakage was due to merging by the looks of it.
>
> The installer will now remove any existing xerte db tables if they exist
> before trying to create them.
>
> The installer now tries to strongly suggest to people that they delete the
> setup folder. Can we change the installer so it aborts if someone has an
> existing database.php file or something so making deletion unnecessary?
> (obviously I can code it to - but is this an ok thing to do ?)
>
>
> I've also created an issue on the google issue tracker covering a security
> problem in proxy_rss.php. Does XOT store a list of all remote urls someone
> may want to request anywhere so we can have a whitelist of good urls - at
> the moment someone can use proxy_rss.php to fetch any remote URL.
>
> Thanks
> David
>
> David Goodwin
> Pale Purple Ltd.
> http://www.palepurple.co.uk
> 0845 0046746
> 07792 380669
> _______________________________________________
> Xerte-dev mailing list
> Xerte-dev at lists.nottingham.ac.uk
> http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev
>
>

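The problem the thread is circling (a server-side script that fetches any URL the browser hands it) and the two mitigations on the table (Pat's per-site token, and Ron's point that a whitelist of feed hosts will not scale) can be shown side by side. The block below is an added example written for this page; it is not XOT's own rss_proxy.php, whose code is not quoted in the thread. The constant XOT_PROXY_TOKEN, the request parameter names url and token, and the function names are assumptions. Instead of a whitelist it resolves the requested host and refuses private, loopback and link-local ranges, which is what lets a big institution keep the proxy open to arbitrary public feeds without letting it reach the internal network.

```php
<?php
// Added example, not XOT's own rss_proxy.php (its code is not in this thread).
// Assumed names: XOT_PROXY_TOKEN (per-site secret from config), the request
// parameters url/token, and the function names below.

// The open-proxy shape the thread describes: whatever URL the caller sends is
// fetched from the server and relayed back, so file://, localhost and anything
// on the institution's internal network become reachable from any browser.
function fetch_feed_open($url) {
    return file_get_contents($url);
}

// Validate a feed URL without a whitelist of feed hosts: http(s) only, no
// embedded credentials, and the host must resolve to a public IPv4 address.
// Returns array('ok' => true, 'host', 'port', 'ip') or array('ok' => false, 'error').
function validate_feed_url($url) {
    $p = parse_url($url);
    if ($p === false || empty($p['scheme']) || empty($p['host'])) {
        return array('ok' => false, 'error' => 'malformed URL');
    }
    $scheme = strtolower($p['scheme']);
    if ($scheme !== 'http' && $scheme !== 'https') {
        return array('ok' => false, 'error' => 'scheme not allowed');
    }
    if (isset($p['user']) || isset($p['pass'])) {
        return array('ok' => false, 'error' => 'credentials in URL not allowed');
    }
    $host = $p['host'];
    if (strpos($host, ':') !== false) {          // bracketed IPv6 literal: not handled here
        return array('ok' => false, 'error' => 'IPv6 literal hosts not supported');
    }
    $port = isset($p['port']) ? (int)$p['port'] : ($scheme === 'https' ? 443 : 80);
    // Literal IP, or resolve the name (gethostbyname returns the name unchanged on failure).
    // Resolving first also catches decimal/octal spellings of 127.0.0.1 and the like.
    $ip = filter_var($host, FILTER_VALIDATE_IP) ? $host : gethostbyname($host);
    if (!filter_var($ip, FILTER_VALIDATE_IP)) {
        return array('ok' => false, 'error' => 'host does not resolve');
    }
    // NO_PRIV_RANGE rejects 10/8, 172.16/12, 192.168/16 (and fc00::/7);
    // NO_RES_RANGE rejects 0/8, 127/8, 169.254/16, 240/4 (and ::1, :: etc.).
    if (!filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)) {
        return array('ok' => false, 'error' => 'host is on a private or reserved range');
    }
    return array('ok' => true, 'host' => $host, 'port' => $port, 'ip' => $ip);
}

// Hardened fetch: per-site token (Pat's suggestion), the checks above, no
// redirects (a public host could 302 to an internal one), and the validated
// address pinned for the real connection so a changed DNS answer cannot swap
// it between check and fetch. Returns array(http_status, body_or_error).
function fetch_feed_hardened($url, $token) {
    // hash_equals (PHP >= 5.6) is a constant-time comparison
    if (!defined('XOT_PROXY_TOKEN') || !hash_equals(XOT_PROXY_TOKEN, (string)$token)) {
        return array(403, 'bad token');
    }
    $v = validate_feed_url($url);
    if (!$v['ok']) {
        return array(400, $v['error']);
    }
    $ch = curl_init($url);
    curl_setopt_array($ch, array(
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 10,
        CURLOPT_MAXFILESIZE    => 2 * 1024 * 1024,   // enforced when Content-Length is sent
        CURLOPT_RESOLVE        => array($v['host'] . ':' . $v['port'] . ':' . $v['ip']),
    ));
    $body = curl_exec($ch);
    $status = (int)curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);
    if ($body === false) {
        return array(502, 'fetch failed');
    }
    return array($status, $body);
}

// Request glue (assumed parameter names): url and token arrive by POST, as in
// Pat's suggestion, and the feed is served as XML so a relayed page is never
// rendered as HTML in the XOT origin.
// $in = $_POST;
// list($status, $body) = fetch_feed_hardened(isset($in['url']) ? $in['url'] : '',
//                                            isset($in['token']) ? $in['token'] : '');
// http_response_code($status);   // PHP >= 5.4
// header('Content-Type: application/xml; charset=utf-8');
// echo $body;
```

Two caveats a deployer should keep in mind. A token embedded in a Flash object or an exported page is readable by anyone who can load that page, so it limits casual abuse rather than authenticating the caller; the address-range check is the control that actually keeps the proxy off the internal network, and it is also the one that still holds for the exported pages Pat says he does not know how to handle. And "only callable from XOT code" cannot be enforced from the server side at all, since Referer and Origin headers are under the client's control.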