[Xerte-dev] Re: SECURITY PATCH for upload.php

Mon Mar 25 20:47:39 GMT 2013

Hi Tom

sorry that was probably my mistake after quickly testing if reverting
resolved the issue :-(

The code is now a full replace of R734 and the button state seems ok. Alas
image upload via Firefox remains an issue.

Cheers

Ron

From: xerte-dev-bounces at lists.nottingham.ac.uk
[mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Tom Reijnders
Sent: 25 March 2013 20:22
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Hmm, it seems like index.php is not what it should be...

Around lines 150 - 160 are a couple of lines drawing the buttons. These used
to be img tags, and are now button tags.

The enabling used to work through changing the image in display_screen.js,
and now I change the css class .

Can you check whether you have the correct index.php in place?

Tom

Op 25-3-2013 19:01, Ron Mitchell schreef:

Hi Tom

yes you are using the correct install but I reverted the code back to a
previous working version just to confirm that it is a recent update that has
cause that particular problem and sure enough the buttons were working ok
again.

At the moment the install is back to R734 so includes your updates + Johns
and has the button state problem.

Cheers

Ron

From: xerte-dev-bounces at lists.nottingham.ac.uk
[mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Tom Reijnders
Sent: 25 March 2013 17:50
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

If the buttons don't refresh properly, it is due to my changes with the
buttons.

I replaced all image buttons by html buttons. That should be in SVN 727, but
I can see it's not in this one (the links should be buttons as well as shown
below.

Am I using the correct jsic xot?

Tom

Op 25-3-2013 18:09, Ron Mitchell schreef:

Hi John

I've just updated the Techdis /xot install to R734 which obviously uses
Moodle authentication and uploading via a graphics and sound page seems to
work fine now whereas as you know it didn't before.

However I'm not sure whether it's due to your update or the recent update by
others but I notice that there's now no state change on the workspace
buttons when a project is selected e.g. they still work but remain greyed
out

HTH

Ron

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk
[mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 25 March 2013 16:02
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Hi all,

Sorry it's been a while getting to this again but I seem to have made some
headway.

I've been able to figure out how to jump start the Moodle session also in
upload.php and it has worked in my tests but would love to see how it fares
in the real world. Would someone be able to test this for me? I've committed
changed (some to edit.php too) as R734.

Regards,

John Smith

Learning Technologist

School of Health & Life Sciences

Glasgow Caledonian University

-----Original Message-----

From:  <mailto:xerte-dev-bounces at lists.nottingham.ac.uk>
xerte-dev-bounces at lists.nottingham.ac.uk [
<mailto:xerte-dev-bounces at lists.nottingham.ac.uk>
mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John

Sent: Friday, March 15, 2013 11:39 AM

To: For Xerte technical developers

Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Worth a try!! So we have to support Firefox AND Moodle - there's that
wagging dog again ;-)

Leave it with me - once I get moodle integration working I'll take a look at
the moodle session and see if we do anything...

Regards,

John Smith

Learning Technologist

School of Health & Life Sciences

Glasgow Caledonian University

-----Original Message-----

From:  <mailto:xerte-dev-bounces at lists.nottingham.ac.uk>
xerte-dev-bounces at lists.nottingham.ac.uk [
<mailto:xerte-dev-bounces at lists.nottingham.ac.uk>
mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney

Sent: Friday, March 15, 2013 11:21 AM

To: For Xerte technical developers

Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

No, we have to support Firefox, but you know that already!

-----Original Message-----

From:  <mailto:xerte-dev-bounces at lists.nottingham.ac.uk>
xerte-dev-bounces at lists.nottingham.ac.uk [
<mailto:xerte-dev-bounces at lists.nottingham.ac.uk>
mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John

Sent: 15 March 2013 10:14

To:  <mailto:xerte-dev at lists.nottingham.ac.uk>
xerte-dev at lists.nottingham.ac.uk

Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

True but Moodle is a red herring here...

The problem is Firefox - it is the tail... If you can live without Firefox
being supported, only in the editor, then we can probably keep Moodle auth
as is...

Depends who you want to keep happiest...

Regards

John Smith

Learning Technologist

School of Health and Life Sciences

Sent from Samsung Galaxy SII

Julian Tenney < <mailto:Julian.Tenney at nottingham.ac.uk>
Julian.Tenney at nottingham.ac.uk> wrote:

Hmm. Keen not to have a 'tail wags dog' thing here, if moodle is the
problem, then I think that's what we should fix.

-----Original Message-----

From:  <mailto:xerte-dev-bounces at lists.nottingham.ac.uk>
xerte-dev-bounces at lists.nottingham.ac.uk [
<mailto:xerte-dev-bounces at lists.nottingham.ac.uk>
mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John

Sent: 15 March 2013 09:10

To:  <mailto:xerte-dev at lists.nottingham.ac.uk>
xerte-dev at lists.nottingham.ac.uk

Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

The way the Moodle authentication works - its so complicated that there is
no way to restart it in upload when we are using Firefox... The upload
script as reported by Ron does work as long as we're not using Moodle

As i said we can check for Moodle auth and simply not check for session but
that still leaves a gaping hole...

Bootstrapping the upload via js 'should' allow config.php to handle the
session as it does on other pages...

Regards

John Smith

Learning Technologist

School of Health and Life Sciences

Sent from Samsung Galaxy SII

Julian Tenney < <mailto:Julian.Tenney at nottingham.ac.uk>
Julian.Tenney at nottingham.ac.uk> wrote:

So is the problem the upload script, or the way the moodle authentication
works?

-----Original Message-----

From:  <mailto:xerte-dev-bounces at lists.nottingham.ac.uk>
xerte-dev-bounces at lists.nottingham.ac.uk [
<mailto:xerte-dev-bounces at lists.nottingham.ac.uk>
mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John

Sent: 14 March 2013 16:41

To: For Xerte technical developers

Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Yes, Flash seems to already add &sessionid to the end of the query string
and if I take that and use session_id(querystringsessionid) before calling
session_start() then it works...

If I rely on the session start in config.php then it doesn't execute if
using moodle authentication and so the session check fails...

Just thought though that I was still checking the xerte session variable
whereas if I can find a moodle one to check then it 'might' still work...

Only problem is that I don't have a working moodle install?!? Well I do - on
a pen drive copied from someone in Nottingham (Thomas?) but I don't know the
password to login to moodle... was there a default password?? anyone??

Regards,

John Smith

Learning Technologist

School of Health & Life Sciences

Glasgow Caledonian University

-----Original Message-----

From:  <mailto:xerte-dev-bounces at lists.nottingham.ac.uk>
xerte-dev-bounces at lists.nottingham.ac.uk [
<mailto:xerte-dev-bounces at lists.nottingham.ac.uk>
mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney

Sent: Thursday, March 14, 2013 4:24 PM

To: For Xerte technical developers

Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Is it the case that you got it working in all browsers EXCEPT when using
moodle authentication?

-----Original Message-----

From:  <mailto:xerte-dev-bounces at lists.nottingham.ac.uk>
xerte-dev-bounces at lists.nottingham.ac.uk [
<mailto:xerte-dev-bounces at lists.nottingham.ac.uk>
mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John

Sent: 14 March 2013 16:22

To: For Xerte technical developers

Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

I'm sure if upload.php knows that it's Firefox and then checks the
authentication method then it can set the passed session id IF NOT moodle
but then we might have to bypass the session check if not Moodle... not
really a solution...

I think we might have to resort to js though...

Regards,

John Smith

Learning Technologist

School of Health & Life Sciences

Glasgow Caledonian University

-----Original Message-----

From:  <mailto:xerte-dev-bounces at lists.nottingham.ac.uk>
xerte-dev-bounces at lists.nottingham.ac.uk [
<mailto:xerte-dev-bounces at lists.nottingham.ac.uk>
mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney

Sent: Thursday, March 14, 2013 4:12 PM

To: For Xerte technical developers

Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Do you think we should take Flash out of the picture and call some JS from
the wizard swf? We can still do some sort of progress / notification stuff I
think. All you need to pass to upload is the file's path on the local
machine, right?

This has got to be sortable though, surely, but if it's gribbly and there's
an alternative, let's do that.

-----Original Message-----

From:  <mailto:xerte-dev-bounces at lists.nottingham.ac.uk>
xerte-dev-bounces at lists.nottingham.ac.uk [
<mailto:xerte-dev-bounces at lists.nottingham.ac.uk>
mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John

Sent: 13 March 2013 11:30

To:  <mailto:xerte-dev at lists.nottingham.ac.uk>
xerte-dev at lists.nottingham.ac.uk

Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Hi Pat

Yeah its the Firefox Flash Cookie thing that's the real ball breaker... we
are still including config.php BUT...

If we are in Firefox and include config.php before setting the session id
then when config starts session we get a new session id

Until we start session in upload.php though we can't tell if we are in
firefox or using moodle..

I suppose we can add some more complex logic as you say which checks what
authentication method we are using and does whatever is required... We might
need to indicate from flash though what browser we are using otherwise we
might still miss one of the option - Using Firefox with moodle
authentication i think cannot be detected at present...

Regards

John Smith

Learning Technologist

School of Health and Life Sciences

Sent from Samsung Galaxy SII

"Pat @ Pgogy" < <mailto:xerte at pgogywebstuff.com> xerte at pgogywebstuff.com>
wrote:

Try including config.php or doing a MySQL select db back to the xerte db,
that fixed most of the moodle problems before

Pgogy Webstuff -  <http://www.pgogywebstuff.com>
http://www.pgogywebstuff.com Makers of web things of a fair to middling
quality

On 12 Mar 2013, at 21:20, "Smith, John" < <mailto:J.J.Smith at gcu.ac.uk>
J.J.Smith at gcu.ac.uk> wrote:

> Hi Ron,

> 

> Hmmm there is some session restart code although it should be restarting
the same session as the session id is being passed from Flash... I wonder
why it's killing Moodle session though and none of the others... very
strange - i'll revert the changes back while we investigate...damn though we
had almost cracked it...

> 

> Regards,

> 

> John Smith | Learning Technologist

> Room A251, Govan Mbeki Building | School of Health & Life Sciences | 

> Glasgow Caledonian University Cowcaddens Road | Glasgow | G4 0BA 

> ________________________________________

> From:  <mailto:xerte-dev-bounces at lists.nottingham.ac.uk>
xerte-dev-bounces at lists.nottingham.ac.uk

> [xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Ron Mitchell 

> [ronm at mitchellmedia.co.uk]

> Sent: 12 March 2013 20:31

> To: 'For Xerte technical developers'

> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

> 

> Hi John

> I tested further and the issue only seems to occur with Moodle
authentication enabled. Uploading works fine with guest authentication and
static authentication I can't easily test LDAP authentication.

> 

> So I guess this is either session related or a js clash?

> 

> Have you added any session start code that's perhaps killing the Moodle
session? You have access to the /xot install to check js via console etc and
I've set it back to use Moodle authentication so at the moment it's easy to
replicate the issue.

> 

> I know this probably going to raise the old chestnut about Moodle
integration etc but obviously all worked fine prior to the recent changes
and does when reverting back too.

> 

> Cheers

> Ron

> 

> -----Original Message-----

> From:  <mailto:xerte-dev-bounces at lists.nottingham.ac.uk>
xerte-dev-bounces at lists.nottingham.ac.uk

> [ <mailto:xerte-dev-bounces at lists.nottingham.ac.uk>
mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Ron 

> Mitchell

> Sent: 12 March 2013 20:17

> To: 'For Xerte technical developers'

> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

> 

> Hi John

> Alistair reported that it was happening with Chrome and IE. I'm not sure
what browser Simon was using but I tested via IE9 and was able to reproduce.
But...

> 

> I'm almost hesitant to mention this...

> 

> I'd updated my own install which worked fine so I started thinking about
what the differences are and apart from server differences a key difference
is that the Techdis installs are using Moodle for authentication. I switched
the xot install to guest and still got the problem. I then removed the
integration path via management, logged back in and was able to upload ok. I
then switched back to Moodle authentication and put the integration path
back in and was still able to upload. So intermittent results at the moment
but it does seem like it could be session related. I'm only online until
about 9pm tonight but will test further and again in the morning.

> 

> Cheers

> Ron

> 

> -----Original Message-----

> From:  <mailto:xerte-dev-bounces at lists.nottingham.ac.uk>
xerte-dev-bounces at lists.nottingham.ac.uk

> [ <mailto:xerte-dev-bounces at lists.nottingham.ac.uk>
mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, 

> John

> Sent: 12 March 2013 19:56

> To:  <mailto:xerte-dev at lists.nottingham.ac.uk>
xerte-dev at lists.nottingham.ac.uk

> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

> 

> Hi Ron

> 

> Do you know if this is using Firefox or one of the other browsers? I've
tested it using several of the models (albeit on Xampp - not sure what setup
Julian tested it on) in the 3 mainstream browsers and it's been working
fine, except for the erroneous messages which we are still trying to figure
out the best way to catch them in Flash...

> 

> I'll patch one in an hour or so and if you could try it out then it might
give us a clue as to whether its the session problem or something else...

> 

> Regards

> 

> John Smith

> Learning Technologist

> School of Health and Life Sciences

> 

> Sent from Samsung Galaxy SII

> 

> 

> 

> Ron Mitchell < <mailto:ronm at mitchellmedia.co.uk> ronm at mitchellmedia.co.uk>
wrote:

> 

> 

> Hi

> sorry been quiet for a week or so (on holiday) but back now and updated
the Techdis installations from svn (not sandpit) and Alistair and Simon
reported issues with uploading images. I reverted one installation back and
that worked again but I've left the latest code in the /xot test install
which doesn't work. Basically uploads seem to work ok via media & quota but
not via a graphics and sound page for instance. The image appears to upload
and an upload successful prompt appears but the image doesn't actually
upload. Any ideas?

> Ron

> 

> From:  <mailto:xerte-dev-bounces at lists.nottingham.ac.uk>
xerte-dev-bounces at lists.nottingham.ac.uk

> [ <mailto:xerte-dev-bounces at lists.nottingham.ac.uk>
mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian 

> Tenney

> Sent: 11 March 2013 16:18

> To: For Xerte technical developers

> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

> 

> 

> There's no more detail: here's a screenshot showing the code and the
relevant events to the left. onComplete means 'successfully uploaded', so
the answer will lie in the upload.php and whether, if uploading fails, it's
reflected back in the Flash stuff.

> 

> 

> 

> I've added some alerts for now so you can see what gets tripped, we 

> can take these out later, and I've commited the wizard with these in ,

> 

> 

> 

> listener.onComplete = function(file:FileReference
<file:///\\%5C%5CFileReference> ):Void  {

> 

> 

> 

>      Alert.show("Upload successful");

> 

> 

> 

>      --etc--

> 

> 

> 

> }

> 

> 

> 

> 

> 

> listener.onHTTPError = function(file:FileReference
<file:///\\%5C%5CFileReference> ):Void  {

> 

> 

> 

>      Alert.show("Upload failed: HTTPError");

> 

> 

> 

>      --etc--

> 

> 

> 

> }

> 

> 

> 

> listener.onIOError = function(file:FileReference
<file:///\\%5C%5CFileReference> ):Void  {

> 

> 

> 

>      Alert.show("Upload failed: IOError");

> 

> 

> 

>      --etc--

> 

> 

> 

> }

> 

> listener.onSecurityError = function(file:FileReference
<file:///\\%5C%5CFileReference> , 

> errorString:String):Void  {

> 

> 

> 

>      Alert.show("Upload failed: Security Error");

> 

> 

> 

>      --etc--

> 

> 

> 

> }

> 

> 

> 

> -----Original Message-----

> From:

>
<mailto:xerte-dev-bounces at lists.nottingham.ac.uk%3cmailto:xerte-dev-bounces@
list> xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at list

> s.nottingham.ac.uk> [ <mailto:xerte-dev-bounces at lists.nottingham.ac.uk>
mailto:xerte-dev-bounces at lists.nottingham.ac.uk]

> On Behalf Of Smith, John

> Sent: 11 March 2013 15:42

> To: For Xerte technical developers

> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

> 

> 

> 

> Are you using FileReference class? This code snippet suggests you can 

> extract data from the DataEvent object in the UPLOAD_COMPLETE_DATA 

> with var strData:String = StringUtil.trim(evt.data);

> 

> 

> 

> 

> 

> 

> 

> private function init():void {

> 

>                fileRef = new FileReference();

> 

>                fileRef.addEventListener(Event.SELECT, fileRef_select);

> 

>                fileRef.addEventListener(Event.COMPLETE,

> fileRef_complete);

> 

>                fileRef.addEventListener(IOErrorEvent.IO_ERROR,

> fileRef_ioError);

> 

> 

> fileRef.addEventListener(DataEvent.UPLOAD_COMPLETE_DATA,

> fileRef_uploadCompleteData);

> 

> 

> 

>                urlReq = new URLRequest();

> 

>                urlReq.url =

> " <http://localhost:8300/fileref/uploader.cfm>
http://localhost:8300/fileref/uploader.cfm";

> 

>            }

> 

> 

> 

>            private function

> fileRef_uploadCompleteData(evt:DataEvent):void {

> 

>                var strData:String = StringUtil.trim(evt.data);

> 

>                var vars:URLVariables = new URLVariables(strData);

> 

>                Alert.show(vars.fileName, "fileName");

> 

>            }

> 

> 

> 

> 

> 

> Regards,

> 

> 

> 

> John Smith

> 

> Learning Technologist

> 

> School of Health & Life Sciences

> 

> Glasgow Caledonian University

> 

> 

> 

> 

> 

> -----Original Message-----

> 

> From:

>
<mailto:xerte-dev-bounces at lists.nottingham.ac.uk%3cmailto:xerte-dev-bounces@
list> xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at list

> s.nottingham.ac.uk> [ <mailto:xerte-dev-bounces at lists.nottingham.ac.uk>
mailto:xerte-dev-bounces at lists.nottingham.ac.uk]

> On Behalf Of Smith, John

> 

> Sent: Monday, March 11, 2013 3:19 PM

> 

> To: For Xerte technical developers

> 

> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

> 

> 

> 

> Yeah it should because the upload page completes... you could try sticking
a number in the exit function for the blacklist and see if you can get the
number, exit(5); for example...

> 

> 

> 

> At least the session bit seems to work... I've taken out all the whitelist
code and mimetype stuff just now but I have another upload file I'm working
on which attempts to detect the mimetype using several techniques contained
in drupal and wordpress modules - will let you know if it pans out...

> 

> 

> 

> Regards,

> 

> 

> 

> John Smith

> 

> Learning Technologist

> 

> School of Health & Life Sciences

> 

> Glasgow Caledonian University

> 

> 

> 

> 

> 

> -----Original Message-----

> 

> From:

>
<mailto:xerte-dev-bounces at lists.nottingham.ac.uk%3cmailto:xerte-dev-bounces@
list> xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at list

> s.nottingham.ac.uk> [ <mailto:xerte-dev-bounces at lists.nottingham.ac.uk>
mailto:xerte-dev-bounces at lists.nottingham.ac.uk]

> On Behalf Of Julian Tenney

> 

> Sent: Monday, March 11, 2013 2:32 PM

> 

> To: For Xerte technical developers

> 

> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

> 

> 

> 

> If I try and upload php files, onComplete still fires...

> 

> 

> 

> -----Original Message-----

> 

> From:

>
<mailto:xerte-dev-bounces at lists.nottingham.ac.uk%3cmailto:xerte-dev-bounces@
list> xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at list

> s.nottingham.ac.uk> [ <mailto:xerte-dev-bounces at lists.nottingham.ac.uk>
mailto:xerte-dev-bounces at lists.nottingham.ac.uk]

> On Behalf Of Julian Tenney

> 

> Sent: 11 March 2013 14:27

> 

> To: For Xerte technical developers

> 

> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

> 

> 

> 

> Hold on, I'll see if I can get the events to trip,

> 

> 

> 

> -----Original Message-----

> 

> From:

>
<mailto:xerte-dev-bounces at lists.nottingham.ac.uk%3cmailto:xerte-dev-bounces@
list> xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at list

> s.nottingham.ac.uk> [ <mailto:xerte-dev-bounces at lists.nottingham.ac.uk>
mailto:xerte-dev-bounces at lists.nottingham.ac.uk]

> On Behalf Of Smith, John

> 

> Sent: 11 March 2013 14:20

> 

> To: For Xerte technical developers

> 

> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

> 

> 

> 

> Yeah, it's the Flash end... didn't seem to be doing anything no matter the
content of the php PRINT statements so I just removed them for brevity...
They were all in English anyway...

> 

> 

> 

> Regards,

> 

> 

> 

> John Smith

> 

> Learning Technologist

> 

> School of Health & Life Sciences

> 

> Glasgow Caledonian University

> 

> 

> 

> 

> 

> -----Original Message-----

> 

> From:

>
<mailto:xerte-dev-bounces at lists.nottingham.ac.uk%3cmailto:xerte-dev-bounces@
list> xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at list

> s.nottingham.ac.uk> [ <mailto:xerte-dev-bounces at lists.nottingham.ac.uk>
mailto:xerte-dev-bounces at lists.nottingham.ac.uk]

> On Behalf Of Smith, John

> 

> Sent: Monday, March 11, 2013 1:57 PM

> 

> To: For Xerte technical developers

> 

> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

> 

> 

> 

> No way to receive whether the upload was successful or not?

> 

> 

> 

> Regards,

> 

> 

> 

> John Smith

> 

> Learning Technologist

> 

> School of Health & Life Sciences

> 

> Glasgow Caledonian University

> 

> 

> 

> 

> 

> -----Original Message-----

> 

> From:

>
<mailto:xerte-dev-bounces at lists.nottingham.ac.uk%3cmailto:xerte-dev-bounces@
list> xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at list

> s.nottingham.ac.uk> [ <mailto:xerte-dev-bounces at lists.nottingham.ac.uk>
mailto:xerte-dev-bounces at lists.nottingham.ac.uk]

> On Behalf Of Julian Tenney

> 

> Sent: Monday, March 11, 2013 1:48 PM

> 

> To: For Xerte technical developers

> 

> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

> 

> 

> 

> I'm not sure you can do much with that class, it's just a black box.

> 

> 

> 

> -----Original Message-----

> 

> From:

>
<mailto:xerte-dev-bounces at lists.nottingham.ac.uk%3cmailto:xerte-dev-bounces@
list> xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at list

> s.nottingham.ac.uk> [ <mailto:xerte-dev-bounces at lists.nottingham.ac.uk>
mailto:xerte-dev-bounces at lists.nottingham.ac.uk]

> On Behalf Of Smith, John

> 

> Sent: 11 March 2013 13:33

> 

> To: For Xerte technical developers

> 

> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

> 

> 

> 

> Perhaps it should just feedback error codes, and the flash class
translates them...

> 

> 

> 

> Regards,

> 

> 

> 

> John Smith

> 

> Learning Technologist

> 

> School of Health & Life Sciences

> 

> Glasgow Caledonian University

> 

> 

> 

> 

> 

> -----Original Message-----

> 

> From:

>
<mailto:xerte-dev-bounces at lists.nottingham.ac.uk%3cmailto:xerte-dev-bounces@
list> xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at list

> s.nottingham.ac.uk> [ <mailto:xerte-dev-bounces at lists.nottingham.ac.uk>
mailto:xerte-dev-bounces at lists.nottingham.ac.uk]

> On Behalf Of Julian Tenney

> 

> Sent: Monday, March 11, 2013 1:21 PM

> 

> To: For Xerte technical developers

> 

> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

> 

> 

> 

> NO, I forget the details but there is a flash player class that does the
upload thing. I'll give it a whirl.

> 

> 

> 

> -----Original Message-----

> 

> From:

>
<mailto:xerte-dev-bounces at lists.nottingham.ac.uk%3cmailto:xerte-dev-bounces@
list> xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at list

> s.nottingham.ac.uk> [ <mailto:xerte-dev-bounces at lists.nottingham.ac.uk>
mailto:xerte-dev-bounces at lists.nottingham.ac.uk]

> On Behalf Of Smith, John

> 

> Sent: 11 March 2013 12:45

> 

> To: For Xerte technical developers

> 

> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

> 

> 

> 

> Hi Julian, give that a try... Does the flash editor do anything with the
returned/echoed  text? I've taken them out because they didn't seem to be
doing anything in the Flash end and they could give hints to a hacker as to
why their attempt was quashed...

> 

> 

> 

> 

> 

> 

> 

> 

> 

> 

> 

> 

> 

> Glasgow Caledonian University is a registered Scottish charity, number

> SC021474

> 

> Winner: Times Higher Education's Widening Participation Initiative of the
Year 2009 and Herald Society's Education Initiative of the Year 2009.

>  <http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6>
http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6

> 219,en.html

> 

> Winner: Times Higher Education's Outstanding Support for Early Career
Researchers of the Year 2010, GCU as a lead with Universities Scotland
partners.

>  <http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,1>
http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,1

> 5691,en.html _______________________________________________

> Xerte-dev mailing list

>  <mailto:Xerte-dev at lists.nottingham.ac.uk>
Xerte-dev at lists.nottingham.ac.uk

>  <http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev>
http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev

> 

> 

> _______________________________________________

> Xerte-dev mailing list

>  <mailto:Xerte-dev at lists.nottingham.ac.uk>
Xerte-dev at lists.nottingham.ac.uk

>  <http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev>
http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev

> 

> 

> _______________________________________________

> Xerte-dev mailing list

>  <mailto:Xerte-dev at lists.nottingham.ac.uk>
Xerte-dev at lists.nottingham.ac.uk

>  <http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev>
http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev

> 

> Glasgow Caledonian University is a registered Scottish charity, number

> SC021474

> 

> Winner: Times Higher Education's Widening Participation Initiative of the
Year 2009 and Herald Society's Education Initiative of the Year 2009.

>  <http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6>
http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6

> 219,en.html

> 

> Winner: Times Higher Education's Outstanding Support for Early Career
Researchers of the Year 2010, GCU as a lead with Universities Scotland
partners.

>  <http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,1>
http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,1

> 5691,en.html

> 

> _______________________________________________

> Xerte-dev mailing list

>  <mailto:Xerte-dev at lists.nottingham.ac.uk>
Xerte-dev at lists.nottingham.ac.uk

>  <http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev>
http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev

> This message and any attachment are intended solely for the addressee and
may contain confidential information. If you have received this message in
error, please send it back to me, and immediately delete it.   Please do not
use, copy or disclose the information contained in this message or in any
attachment.  Any views or opinions expressed by the author of this email do
not necessarily reflect the views of the University of Nottingham.

> 

> This message has been checked for viruses but the contents of an 

> attachment may still contain software viruses which could damage your
computer system:

> you are advised to perform your own checks. Email communications with 

> the University of Nottingham may be monitored as permitted by UK
legislation.

_______________________________________________

Xerte-dev mailing list

 <mailto:Xerte-dev at lists.nottingham.ac.uk> Xerte-dev at lists.nottingham.ac.uk

 <http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev>
http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev

Glasgow Caledonian University is a registered Scottish charity, number
SC021474