[Xerte-dev] Re: SECURITY PATCH for upload.php
Tom Reijnders
reijnders at tor.nl
Mon Mar 25 20:21:39 GMT 2013
Hmm, it seems like index.php is not what it should be...
Around lines 150 - 160 are a couple of lines drawing the buttons. These
used to be img tags, and are now button tags.
The enabling used to work through changing the image in
display_screen.js, and now I change the CSS class.
Can you check whether you have the correct index.php in place?
Tom
Op 25-3-2013 19:01, Ron Mitchell schreef:
>
> Hi Tom
>
> yes you are using the correct install but I reverted the code back to
> a previous working version just to confirm that it is a recent update
> that has caused that particular problem and sure enough the buttons
> were working ok again.
>
> At the moment the install is back to R734 so includes your updates +
> Johns and has the button state problem.
>
> Cheers
>
> Ron
>
> From: xerte-dev-bounces at lists.nottingham.ac.uk
> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Tom Reijnders
> Sent: 25 March 2013 17:50
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> If the buttons don't refresh properly, it is due to my changes with
> the buttons.
>
> I replaced all image buttons by html buttons. That should be in SVN
> 727, but I can see it's not in this one (the links should be buttons
> as well, as shown below).
>
> Am I using the correct jisc xot?
>
> Tom
>
> Op 25-3-2013 18:09, Ron Mitchell schreef:
>
> Hi John
>
> I've just updated the Techdis /xot install to R734 which obviously
> uses Moodle authentication and uploading via a graphics and sound
> page seems to work fine now whereas as you know it didn't before.
>
> However I'm not sure whether it's due to your update or the recent
> update by others but I notice that there's now no state change on
> the workspace buttons when a project is selected e.g. they still
> work but remain greyed out.
>
> HTH
>
> Ron
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk
> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
> Sent: 25 March 2013 16:02
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Hi all,
>
> Sorry it's been a while getting to this again but I seem to have
> made some headway.
>
> I've been able to figure out how to jump start the Moodle session
> also in upload.php and it has worked in my tests but would love to
> see how it fares in the real world. Would someone be able to test
> this for me? I've committed changes (some to edit.php too) as R734.
>
> Regards,
>
> John Smith
>
> Learning Technologist
>
> School of Health & Life Sciences
>
> Glasgow Caledonian University
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk
> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
> Sent: Friday, March 15, 2013 11:39 AM
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Worth a try!! So we have to support Firefox AND Moodle - there's
> that wagging dog again ;-)
>
> Leave it with me - once I get moodle integration working I'll take
> a look at the moodle session and see if we do anything...
>
> Regards,
>
> John Smith
>
> Learning Technologist
>
> School of Health & Life Sciences
>
> Glasgow Caledonian University
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk
> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
> Sent: Friday, March 15, 2013 11:21 AM
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> No, we have to support Firefox, but you know that already!
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk
> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
> Sent: 15 March 2013 10:14
> To: xerte-dev at lists.nottingham.ac.uk
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> True but Moodle is a red herring here...
>
> The problem is Firefox - it is the tail... If you can live without
> Firefox being supported, only in the editor, then we can probably
> keep Moodle auth as is...
>
> Depends who you want to keep happiest...
>
> Regards
>
> John Smith
>
> Learning Technologist
>
> School of Health and Life Sciences
>
> Sent from Samsung Galaxy SII
>
> Julian Tenney <Julian.Tenney at nottingham.ac.uk> wrote:
>
> Hmm. Keen not to have a 'tail wags dog' thing here, if moodle is
> the problem, then I think that's what we should fix.
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk
> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
> Sent: 15 March 2013 09:10
> To: xerte-dev at lists.nottingham.ac.uk
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> The way the Moodle authentication works - it's so complicated that
> there is no way to restart it in upload when we are using
> Firefox... The upload script as reported by Ron does work as long
> as we're not using Moodle.
>
> As I said we can check for Moodle auth and simply not check for
> session but that still leaves a gaping hole...
>
> Bootstrapping the upload via js 'should' allow config.php to
> handle the session as it does on other pages...
>
> Regards
>
> John Smith
>
> Learning Technologist
>
> School of Health and Life Sciences
>
> Sent from Samsung Galaxy SII
>
> Julian Tenney <Julian.Tenney at nottingham.ac.uk> wrote:
>
> So is the problem the upload script, or the way the moodle
> authentication works?
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk
> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
> Sent: 14 March 2013 16:41
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Yes, Flash seems to already add &sessionid to the end of the query
> string and if I take that and use session_id(querystringsessionid)
> before calling session_start() then it works...
>
> If I rely on the session start in config.php then it doesn't
> execute if using moodle authentication and so the session check
> fails...
>
> Just thought though that I was still checking the xerte session
> variable whereas if I can find a moodle one to check then it
> 'might' still work...
>
> Only problem is that I don't have a working moodle install?!? Well
> I do - on a pen drive copied from someone in Nottingham (Thomas?)
> but I don't know the password to login to moodle... was there a
> default password?? anyone??
>
> Regards,
>
> John Smith
>
> Learning Technologist
>
> School of Health & Life Sciences
>
> Glasgow Caledonian University
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk
> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
> Sent: Thursday, March 14, 2013 4:24 PM
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Is it the case that you got it working in all browsers EXCEPT when
> using moodle authentication?
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk
> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
> Sent: 14 March 2013 16:22
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> I'm sure if upload.php knows that it's Firefox and then checks the
> authentication method then it can set the passed session id IF NOT
> moodle but then we might have to bypass the session check if not
> Moodle... not really a solution...
>
> I think we might have to resort to js though...
>
> Regards,
>
> John Smith
>
> Learning Technologist
>
> School of Health & Life Sciences
>
> Glasgow Caledonian University
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk
> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
> Sent: Thursday, March 14, 2013 4:12 PM
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Do you think we should take Flash out of the picture and call some
> JS from the wizard swf? We can still do some sort of progress /
> notification stuff I think. All you need to pass to upload is the
> file's path on the local machine, right?
>
> This has got to be sortable though, surely, but if it's gribbly
> and there's an alternative, let's do that.
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk
> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
> Sent: 13 March 2013 11:30
> To: xerte-dev at lists.nottingham.ac.uk
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Hi Pat
>
> Yeah it's the Firefox Flash Cookie thing that's the real ball
> breaker... we are still including config.php BUT...
>
> If we are in Firefox and include config.php before setting the
> session id then when config starts session we get a new session id
>
> Until we start session in upload.php though we can't tell if we
> are in firefox or using moodle..
>
> I suppose we can add some more complex logic as you say which
> checks what authentication method we are using and does whatever
> is required... We might need to indicate from flash though what
> browser we are using otherwise we might still miss one of the
> options - using Firefox with Moodle authentication I think cannot
> be detected at present...
>
> Regards
>
> John Smith
>
> Learning Technologist
>
> School of Health and Life Sciences
>
> Sent from Samsung Galaxy SII
>
> "Pat @ Pgogy" <xerte at pgogywebstuff.com> wrote:
>
> Try including config.php or doing a MySQL select db back to the
> xerte db, that fixed most of the moodle problems before
>
> Pgogy Webstuff - http://www.pgogywebstuff.com Makers of web things
> of a fair to middling quality
>
> On 12 Mar 2013, at 21:20, "Smith, John" <J.J.Smith at gcu.ac.uk> wrote:
>
> > Hi Ron,
>
> >
>
> > Hmmm there is some session restart code although it should be
> > restarting the same session as the session id is being passed from
> > Flash... I wonder why it's killing Moodle session though and none
> > of the others... very strange - I'll revert the changes back while
> > we investigate...damn though we had almost cracked it...
>
> >
>
> > Regards,
>
> >
>
> > John Smith | Learning Technologist
>
> > Room A251, Govan Mbeki Building | School of Health & Life
> Sciences |
>
> > Glasgow Caledonian University Cowcaddens Road | Glasgow | G4 0BA
>
> > ________________________________________
> > From: xerte-dev-bounces at lists.nottingham.ac.uk
> > [xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Ron Mitchell
> > [ronm at mitchellmedia.co.uk]
> > Sent: 12 March 2013 20:31
> > To: 'For Xerte technical developers'
> > Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> >
>
> > Hi John
>
> > I tested further and the issue only seems to occur with Moodle
> > authentication enabled. Uploading works fine with guest
> > authentication and static authentication; I can't easily test LDAP
> > authentication.
>
> >
>
> > So I guess this is either session related or a js clash?
>
> >
>
> > Have you added any session start code that's perhaps killing the
> Moodle session? You have access to the /xot install to check js
> via console etc and I've set it back to use Moodle authentication
> so at the moment it's easy to replicate the issue.
>
> >
>
> > I know this is probably going to raise the old chestnut about
> > Moodle integration etc but obviously all worked fine prior to the
> > recent changes and does when reverting back too.
>
> >
>
> > Cheers
>
> > Ron
>
> >
>
> > -----Original Message-----
> > From: xerte-dev-bounces at lists.nottingham.ac.uk
> > [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Ron Mitchell
> > Sent: 12 March 2013 20:17
> > To: 'For Xerte technical developers'
> > Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> >
>
> > Hi John
>
> > Alistair reported that it was happening with Chrome and IE. I'm
> not sure what browser Simon was using but I tested via IE9 and was
> able to reproduce. But...
>
> >
>
> > I'm almost hesitant to mention this...
>
> >
>
> > I'd updated my own install which worked fine so I started
> thinking about what the differences are and apart from server
> differences a key difference is that the Techdis installs are
> using Moodle for authentication. I switched the xot install to
> guest and still got the problem. I then removed the integration
> path via management, logged back in and was able to upload ok. I
> then switched back to Moodle authentication and put the
> integration path back in and was still able to upload. So
> intermittent results at the moment but it does seem like it could
> be session related. I'm only online until about 9pm tonight but
> will test further and again in the morning.
>
> >
>
> > Cheers
>
> > Ron
>
> >
>
> > -----Original Message-----
> > From: xerte-dev-bounces at lists.nottingham.ac.uk
> > [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
> > Sent: 12 March 2013 19:56
> > To: xerte-dev at lists.nottingham.ac.uk
> > Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> >
>
> > Hi Ron
>
> >
>
> > Do you know if this is using Firefox or one of the other
> browsers? I've tested it using several of the models (albeit on
> Xampp - not sure what setup Julian tested it on) in the 3
> mainstream browsers and it's been working fine, except for the
> erroneous messages which we are still trying to figure out the
> best way to catch them in Flash...
>
> >
>
> > I'll patch one in an hour or so and if you could try it out then
> > it might give us a clue as to whether it's the session problem or
> > something else...
>
> >
>
> > Regards
>
> >
>
> > John Smith
>
> > Learning Technologist
>
> > School of Health and Life Sciences
>
> >
>
> > Sent from Samsung Galaxy SII
>
> >
>
> >
>
> >
>
> > Ron Mitchell <ronm at mitchellmedia.co.uk> wrote:
>
> >
>
> >
>
> > Hi
>
> > sorry been quiet for a week or so (on holiday) but back now and
> updated the Techdis installations from svn (not sandpit) and
> Alistair and Simon reported issues with uploading images. I
> reverted one installation back and that worked again but I've left
> the latest code in the /xot test install which doesn't work.
> Basically uploads seem to work ok via media & quota but not via a
> graphics and sound page for instance. The image appears to upload
> and an upload successful prompt appears but the image doesn't
> actually upload. Any ideas?
>
> > Ron
>
> >
>
> > From: xerte-dev-bounces at lists.nottingham.ac.uk
> > [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
> > Sent: 11 March 2013 16:18
> > To: For Xerte technical developers
> > Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> >
>
> >
>
> > There's no more detail: here's a screenshot showing the code and
> the relevant events to the left. onComplete means 'successfully
> uploaded', so the answer will lie in the upload.php and whether,
> if uploading fails, it's reflected back in the Flash stuff.
>
> >
>
> >
>
> >
>
> > I've added some alerts for now so you can see what gets tripped, we
> > can take these out later, and I've committed the wizard with
> > these in,
>
> >
>
> >
>
> >
>
> > listener.onComplete = function(file:FileReference):Void {
> >     Alert.show("Upload successful");
> >     --etc--
> > }
> >
> > listener.onHTTPError = function(file:FileReference):Void {
> >     Alert.show("Upload failed: HTTPError");
> >     --etc--
> > }
> >
> > listener.onIOError = function(file:FileReference):Void {
> >     Alert.show("Upload failed: IOError");
> >     --etc--
> > }
> >
> > listener.onSecurityError = function(file:FileReference, errorString:String):Void {
> >     Alert.show("Upload failed: Security Error");
> >     --etc--
> > }
> >
> > -----Original Message-----
> > From: xerte-dev-bounces at lists.nottingham.ac.uk
> > [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
> > Sent: 11 March 2013 15:42
> > To: For Xerte technical developers
> > Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
> >
> > Are you using FileReference class? This code snippet suggests you can
> > extract data from the DataEvent object in the UPLOAD_COMPLETE_DATA
> > with var strData:String = StringUtil.trim(evt.data);
> >
> > private function init():void {
> >     fileRef = new FileReference();
> >     fileRef.addEventListener(Event.SELECT, fileRef_select);
> >     fileRef.addEventListener(Event.COMPLETE, fileRef_complete);
> >     fileRef.addEventListener(IOErrorEvent.IO_ERROR, fileRef_ioError);
> >     fileRef.addEventListener(DataEvent.UPLOAD_COMPLETE_DATA, fileRef_uploadCompleteData);
> >
> >     urlReq = new URLRequest();
> >     urlReq.url = "http://localhost:8300/fileref/uploader.cfm";
> > }
> >
> > private function fileRef_uploadCompleteData(evt:DataEvent):void {
> >     var strData:String = StringUtil.trim(evt.data);
> >     var vars:URLVariables = new URLVariables(strData);
> >     Alert.show(vars.fileName, "fileName");
> > }
> >
> > Regards,
>
> >
>
> >
>
> >
>
> > John Smith
>
> >
>
> > Learning Technologist
>
> >
>
> > School of Health & Life Sciences
>
> >
>
> > Glasgow Caledonian University
>
> >
>
> >
>
> >
>
> >
>
> >
>
> > -----Original Message-----
>
> >
>
> > From:
>
> >
> xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at list
> <mailto:xerte-dev-bounces at lists.nottingham.ac.uk%3cmailto:xerte-dev-bounces at list>
>
> > s.nottingham.ac.uk>
> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk]
>
> > On Behalf Of Smith, John
>
> >
>
> > Sent: Monday, March 11, 2013 3:19 PM
>
> >
>
> > To: For Xerte technical developers
>
> >
>
> > Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> >
>
> >
>
> >
>
> > Yeah it should because the upload page completes... you could
> try sticking a number in the exit function for the blacklist and
> see if you can get the number, exit(5); for example...
>
> >
>
> >
>
> >
>
> > At least the session bit seems to work... I've taken out all the
> whitelist code and mimetype stuff just now but I have another
> upload file I'm working on which attempts to detect the mimetype
> using several techniques contained in drupal and wordpress modules
> - will let you know if it pans out...
>
> >
>
> >
>
> >
>
> > Regards,
>
> >
>
> >
>
> >
>
> > John Smith
>
> >
>
> > Learning Technologist
>
> >
>
> > School of Health & Life Sciences
>
> >
>
> > Glasgow Caledonian University
>
> >
>
> >
>
> >
>
> >
>
> >
>
> > -----Original Message-----
>
> >
>
> > From:
>
> >
> xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at list
> <mailto:xerte-dev-bounces at lists.nottingham.ac.uk%3cmailto:xerte-dev-bounces at list>
>
> > s.nottingham.ac.uk>
> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk]
>
> > On Behalf Of Julian Tenney
>
> >
>
> > Sent: Monday, March 11, 2013 2:32 PM
>
> >
>
> > To: For Xerte technical developers
>
> >
>
> > Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> >
>
> >
>
> >
>
> > If I try and upload php files, onComplete still fires...
>
> >
>
> >
>
> >
>
> > -----Original Message-----
>
> >
>
> > From:
>
> >
> xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at list
> <mailto:xerte-dev-bounces at lists.nottingham.ac.uk%3cmailto:xerte-dev-bounces at list>
>
> > s.nottingham.ac.uk>
> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk]
>
> > On Behalf Of Julian Tenney
>
> >
>
> > Sent: 11 March 2013 14:27
>
> >
>
> > To: For Xerte technical developers
>
> >
>
> > Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> >
>
> >
>
> >
>
> > Hold on, I'll see if I can get the events to trip,
>
> >
>
> >
>
> >
>
> > -----Original Message-----
>
> >
>
> > From:
>
> >
> xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at list
> <mailto:xerte-dev-bounces at lists.nottingham.ac.uk%3cmailto:xerte-dev-bounces at list>
>
> > s.nottingham.ac.uk>
> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk]
>
> > On Behalf Of Smith, John
>
> >
>
> > Sent: 11 March 2013 14:20
>
> >
>
> > To: For Xerte technical developers
>
> >
>
> > Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> >
>
> >
>
> >
>
> > Yeah, it's the Flash end... didn't seem to be doing anything no
> matter the content of the php PRINT statements so I just removed
> them for brevity... They were all in English anyway...
>
> >
>
> >
>
> >
>
> > Regards,
>
> >
>
> >
>
> >
>
> > John Smith
>
> >
>
> > Learning Technologist
>
> >
>
> > School of Health & Life Sciences
>
> >
>
> > Glasgow Caledonian University
>
> >
>
> >
>
> >
>
> >
>
> >
>
> > -----Original Message-----
>
> >
>
> > From:
>
> >
> xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at list
> <mailto:xerte-dev-bounces at lists.nottingham.ac.uk%3cmailto:xerte-dev-bounces at list>
>
> > s.nottingham.ac.uk>
> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk]
>
> > On Behalf Of Smith, John
>
> >
>
> > Sent: Monday, March 11, 2013 1:57 PM
>
> >
>
> > To: For Xerte technical developers
>
> >
>
> > Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> >
>
> >
>
> >
>
> > No way to receive whether the upload was successful or not?
>
> >
>
> >
>
> >
>
> > Regards,
>
> >
>
> >
>
> >
>
> > John Smith
>
> >
>
> > Learning Technologist
>
> >
>
> > School of Health & Life Sciences
>
> >
>
> > Glasgow Caledonian University
>
> >
>
> >
>
> >
>
> >
>
> >
>
> > -----Original Message-----
>
> >
>
> > From:
>
> >
> xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at list
> <mailto:xerte-dev-bounces at lists.nottingham.ac.uk%3cmailto:xerte-dev-bounces at list>
>
> > s.nottingham.ac.uk>
> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk]
>
> > On Behalf Of Julian Tenney
>
> >
>
> > Sent: Monday, March 11, 2013 1:48 PM
>
> >
>
> > To: For Xerte technical developers
>
> >
>
> > Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> >
>
> >
>
> >
>
> > I'm not sure you can do much with that class, it's just a black box.
>
> >
>
> >
>
> >
>
> > -----Original Message-----
>
> >
>
> > From:
>
> >
> xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at list
> <mailto:xerte-dev-bounces at lists.nottingham.ac.uk%3cmailto:xerte-dev-bounces at list>
>
> > s.nottingham.ac.uk>
> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk]
>
> > On Behalf Of Smith, John
>
> >
>
> > Sent: 11 March 2013 13:33
>
> >
>
> > To: For Xerte technical developers
>
> >
>
> > Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> >
>
> >
>
> >
>
> > Perhaps it should just feedback error codes, and the flash class
> translates them...
>
> >
>
> >
>
> >
>
> > Regards,
>
> >
>
> >
>
> >
>
> > John Smith
>
> >
>
> > Learning Technologist
>
> >
>
> > School of Health & Life Sciences
>
> >
>
> > Glasgow Caledonian University
>
> >
>
> >
>
> >
>
> >
>
> >
>
> > -----Original Message-----
>
> >
>
> > From:
>
> >
> xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at list
> <mailto:xerte-dev-bounces at lists.nottingham.ac.uk%3cmailto:xerte-dev-bounces at list>
>
> > s.nottingham.ac.uk>
> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk]
>
> > On Behalf Of Julian Tenney
>
> >
>
> > Sent: Monday, March 11, 2013 1:21 PM
>
> >
>
> > To: For Xerte technical developers
>
> >
>
> > Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> >
>
> >
>
> >
>
> > NO, I forget the details but there is a flash player class that
> does the upload thing. I'll give it a whirl.
>
> >
>
> >
>
> >
>
> > -----Original Message-----
>
> >
>
> > From:
>
> >
> xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at list
> <mailto:xerte-dev-bounces at lists.nottingham.ac.uk%3cmailto:xerte-dev-bounces at list>
>
> > s.nottingham.ac.uk>
> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk]
>
> > On Behalf Of Smith, John
>
> >
>
> > Sent: 11 March 2013 12:45
>
> >
>
> > To: For Xerte technical developers
>
> >
>
> > Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> >
>
> >
>
> >
>
> > Hi Julian, give that a try... Does the flash editor do anything
> with the returned/echoed text? I've taken them out because they
> didn't seem to be doing anything in the Flash end and they could
> give hints to a hacker as to why their attempt was quashed...
>
> >
>
> >
>
> >
>
> >
>
> >
>
> >
>
> >
>
> >
>
> >
>
> >
>
> >
>
> >
>
> >
>
> > Glasgow Caledonian University is a registered Scottish charity,
> > number SC021474
> >
> > Winner: Times Higher Education's Widening Participation
> > Initiative of the Year 2009 and Herald Society's Education
> > Initiative of the Year 2009.
> > http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html
> >
> > Winner: Times Higher Education's Outstanding Support for Early
> > Career Researchers of the Year 2010, GCU as a lead with
> > Universities Scotland partners.
> > http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html
> >
> > _______________________________________________
> > Xerte-dev mailing list
> > Xerte-dev at lists.nottingham.ac.uk
> > http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev
> >
> > This message and any attachment are intended solely for the
> > addressee and may contain confidential information. If you have
> > received this message in error, please send it back to me, and
> > immediately delete it. Please do not use, copy or disclose the
> > information contained in this message or in any attachment. Any
> > views or opinions expressed by the author of this email do not
> > necessarily reflect the views of the University of Nottingham.
> >
> > This message has been checked for viruses but the contents of an
> > attachment may still contain software viruses which could damage
> > your computer system: you are advised to perform your own checks.
> > Email communications with the University of Nottingham may be
> > monitored as permitted by UK legislation.
> >
> _______________________________________________
>
> Xerte-dev mailing list
>
> Xerte-dev at lists.nottingham.ac.uk
> <mailto:Xerte-dev at lists.nottingham.ac.uk>
>
> http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev
>
> Glasgow Caledonian University is a registered Scottish charity,
> number SC021474
>
> Winner: Times Higher Education's Widening Participation Initiative
> of the Year 2009 and Herald Society's Education Initiative of the
> Year 2009.
>
> http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html
>
> Winner: Times Higher Education's Outstanding Support for Early
> Career Researchers of the Year 2010, GCU as a lead with
> Universities Scotland partners.
>
> http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html
>
> _______________________________________________
>
> Xerte-dev mailing list
>
> Xerte-dev at lists.nottingham.ac.uk
> <mailto:Xerte-dev at lists.nottingham.ac.uk>
>
> http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev
--
Tom Reijnders
TOR Informatica
Chopinlaan 27
5242HM Rosmalen
Tel: 073 5226191
Fax: 073 5226196