[Xerte-dev] Re: SECURITY PATCH for upload.php

Tom Reijnders reijnders at tor.nl
Fri Mar 8 11:18:41 GMT 2013 

If we are going down this road, it will make more sense to me to have 
them in the .xwd (because the .xwd will present the browse button and 
the upload action)

Tom

Op 8-3-2013 12:09, Fay Cross schreef:
>
> I don't know how all this side of things works tbh. If it makes more 
> sense from your side of things to have the info in the model files 
> rather than xwd then let me know what you need and I can put it in
>
> *From:*xerte-dev-bounces at lists.nottingham.ac.uk 
> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] *On Behalf Of 
> *Smith, John
> *Sent:* 08 March 2013 10:27
> *To:* For Xerte technical developers
> *Subject:* [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Hi Fay,
>
> Sure, I could work with that if that's not going to cause any problems 
> with the system. I think we need to check mime types too as  the 
> server can ignore extensions if it recognizes the format but if we 
> have the extensions allowed then I suppose we can look up the mime 
> types allowed for that extension and make sure the uploaded file type 
> matches...
>
> These parameters won't be posted with the file will they, if they are 
> added there? The only issue I see is that we would simply have an 
> aggregated  list of extensions that ALL models use, and so any model 
> could upload any file in that list, not just the ones allowed by that 
> model, which is kind of counter intuitive...
>
> Regards,
>
> John
>
> *From:*xerte-dev-bounces at lists.nottingham.ac.uk 
> <mailto:xerte-dev-bounces at lists.nottingham.ac.uk> 
> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] *On Behalf Of *Fay Cross
> *Sent:* Friday, March 08, 2013 10:15 AM
> *To:* For Xerte technical developers
> *Subject:* [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> If we added something to the xwds would that help?
>
> e.g. adding an extra attribute...
>
> <url label="Image" type="media" *fileType="jpeg,gif,png"*/>
>
> *From:*xerte-dev-bounces at lists.nottingham.ac.uk 
> <mailto:xerte-dev-bounces at lists.nottingham.ac.uk> 
> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] *On Behalf Of 
> *Smith, John
> *Sent:* 08 March 2013 10:00
> *To:* For Xerte technical developers
> *Subject:* [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Could we add a comment type header block to the start of the models? 
> Similar to a Wordpress style header and parse these comments once in a 
> while, via cron or just on user login or something? I suppose we could 
> hook 'user_login' and do the damage in a plugin?
>
> Do you think that a comment header would that break the parsing of the 
> model?
>
> Regards,
>
> John Smith
>
> Learning Technologist
>
> School of Health & Life Sciences
>
> Glasgow Caledonian University
>
> *From:*xerte-dev-bounces at lists.nottingham.ac.uk 
> <mailto:xerte-dev-bounces at lists.nottingham.ac.uk> 
> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] *On Behalf Of *Pat @ 
> Pgogy
> *Sent:* Thursday, March 07, 2013 5:14 PM
> *To:* For Xerte technical developers
> *Subject:* [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Hello,
>
> Problem is getting a list of types the models support. I think there 
> is a case for saying the model should list the extensions it supports 
> as it is partly their job to do it. This way the model could post the 
> allowed types and the list is generated on the fly?
>
> I agree preventing php is a good thing, but I think the problem is not 
> knowing what types are acceptable is a real curveball
>
> Pgogy Webstuff - http://www.pgogywebstuff.com
>
> Makers of web things of a fair to middling quality
>
>
> On 7 Mar 2013, at 15:32, "Smith, John" <J.J.Smith at gcu.ac.uk 
> <mailto:J.J.Smith at gcu.ac.uk>> wrote:
>
>     Hi Pat,
>
>     I didn't copy your regexp or your select list directly but
>     translated the select code into a comma separated list so that it
>     can be moved elsewhere if required...
>
>     I noticed the list in the sitedetails table but it is of Mime
>     Types. I think it would be best practice to use extensions,
>     content headers, mimetypes and any other method available to
>     whitelist the allowable files but I think that might take a bit
>     more work...
>
>     I think it is leaving a load of sites out there very vulnerable so
>     we should try to  find a good way to shore this up before the next
>     release. What do you think? I'll have a go at adding in some code
>     to deal with content headers and mimetypes
>
>     Regards,
>
>     John Smith
>
>     Learning Technologist
>
>     School of Health & Life Sciences
>
>     Glasgow Caledonian University
>
>     *From:*xerte-dev-bounces at lists.nottingham.ac.uk
>     <mailto:xerte-dev-bounces at lists.nottingham.ac.uk>
>     [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] *On Behalf Of
>     *Pat @ Pgogy
>     *Sent:* Thursday, March 07, 2013 2:54 PM
>     *To:* For Xerte technical developers
>     *Subject:* [Xerte-dev] Re: SECURITY PATCH for upload.php
>
>     Hello,
>
>     I hobble the Wordpress version deliberately to only allow a few
>     file types but that isn't the list that full XOT needs (there is
>     in fact, no list, hence the problem).
>
>     My reg exp is a bit flaky as well, if you copied that over.
>
>     There is a sort of whitelist in the sitedetails table as the media
>     upload properties panel page uses this - but not sure this is the
>     XOT list.
>
>     Pgogy Webstuff - http://www.pgogywebstuff.com
>
>     Makers of web things of a fair to middling quality
>
>
>     On 7 Mar 2013, at 13:01, "Smith, John" <J.J.Smith at gcu.ac.uk
>     <mailto:J.J.Smith at gcu.ac.uk>> wrote:
>
>         Hi,
>
>         I've just committed a change to upload.php (revision 714) to
>         stop users exploiting a system by uploading php code. I've
>         added a whitelist and stuck in the same allowed file
>         extensions that Pat uses in the Wordpress plugins.
>
>         Can someone test this and advise if there are any other media
>         types that we want/need to allow?
>
>         There was also a session check but exit(); was commented out
>         therefore in an unpatched system ANYONE can post data to
>         upload.php and get some code onto the server. I've uncommented
>         this now but does anyone know why it was commented out in the
>         first place?
>
>         Regards,
>
>         John Smith
>
>         Learning Technologist
>
>         School of Health & Life Sciences
>
>         Glasgow Caledonian University
>
>
>         Glasgow Caledonian University is a registered Scottish
>         charity, number SC021474
>
>         Winner: Times Higher Education's Widening Participation
>         Initiative of the Year 2009 and Herald Society's Education
>         Initiative of the Year 2009.
>         http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html
>
>         Winner: Times Higher Education's Outstanding Support for Early
>         Career Researchers of the Year 2010, GCU as a lead with
>         Universities Scotland partners.
>         http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html
>
>         _______________________________________________
>         Xerte-dev mailing list
>         Xerte-dev at lists.nottingham.ac.uk
>         <mailto:Xerte-dev at lists.nottingham.ac.uk>
>         http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev
>
>
>     Glasgow Caledonian University is a registered Scottish charity,
>     number SC021474
>
>     Winner: Times Higher Education's Widening Participation Initiative
>     of the Year 2009 and Herald Society's Education Initiative of the
>     Year 2009.
>     http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html
>
>     Winner: Times Higher Education's Outstanding Support for Early
>     Career Researchers of the Year 2010, GCU as a lead with
>     Universities Scotland partners.
>     http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html
>
>     _______________________________________________
>     Xerte-dev mailing list
>     Xerte-dev at lists.nottingham.ac.uk
>     <mailto:Xerte-dev at lists.nottingham.ac.uk>
>     http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev
>
>
> Glasgow Caledonian University is a registered Scottish charity, number 
> SC021474
>
> Winner: Times Higher Education's Widening Participation Initiative of 
> the Year 2009 and Herald Society's Education Initiative of the Year 2009.
> http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html
>
> Winner: Times Higher Education's Outstanding Support for Early Career 
> Researchers of the Year 2010, GCU as a lead with Universities Scotland 
> partners.
> http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html
>
>
> Glasgow Caledonian University is a registered Scottish charity, number 
> SC021474
>
> Winner: Times Higher Education's Widening Participation Initiative of 
> the Year 2009 and Herald Society's Education Initiative of the Year 2009.
> http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html
>
> Winner: Times Higher Education's Outstanding Support for Early Career 
> Researchers of the Year 2010, GCU as a lead with Universities Scotland 
> partners.
> http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html
>
>
>
> _______________________________________________
> Xerte-dev mailing list
> Xerte-dev at lists.nottingham.ac.uk
> http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev

-- 
--

Tom Reijnders
TOR Informatica
Chopinlaan 27
5242HM Rosmalen
Tel: 073 5226191
Fax: 073 5226196

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130308/39c59701/attachment-0001.html>

More information about the Xerte-dev mailing list