[Xerte-dev] Re: Upload and security

Julian Tenney Julian.Tenney at nottingham.ac.uk
Wed May 22 12:21:46 BST 2013


Thanks. It’s not a big deal for now, but I’d say authorised users can upload javascript. If they can write it, why not let them upload it? It isn’t a security thing if users are authorised.

From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 22 May 2013 11:09
To: For Xerte technical developers
Subject: [Xerte-dev] Re: Upload and security

Yes the session check is in place now so you have to have a valid moodle or xot session…

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
Sent: Wednesday, May 22, 2013 11:02 AM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: Upload and security

Is it the case now that only logged in users can run anything through upload.php?

Otherwise it’s not just javascript you can disguise, but anything else. I’d be happy with uploading javascript being limited to authorised users, it’s people clobbering the system from outside that worries me.

From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 22 May 2013 10:42
To: For Xerte technical developers
Subject: [Xerte-dev] Re: Upload and security

.js extension is in the blacklist but as Julian has proved it is a bit pointless…

What we need is to whitelist and do some form of mime detection, but I’ve not been able to get anything working reliably yet…

Regards,

John Smith
Learning Technologist
School of Health & Life Sciences
Glasgow Caledonian University

From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Pat @ Pgogy
Sent: Wednesday, May 22, 2013 9:59 AM
To: For Xerte technical developers
Subject: [Xerte-dev] Re: Upload and security

JavaScript is in the banned list I think

I'd ask what you want the bootstrap to be - a mini website for Non-techies or a sort of techie play space?



On 21 May 2013, at 10:00, Julian Tenney <Julian.Tenney at nottingham.ac.uk<mailto:Julian.Tenney at nottingham.ac.uk>> wrote:
Just reprising a recent conversation about uploading javascript. You guys weren’t keen. I just uploaded a txt file with javascript in it, loaded via a script tag in the bootstrap template and it – of course – executes, but we knew that anyway.

Is it the case that only authorised users – those logged in – can get anything through upload.php? Should authorised users be able to upload javascript?

Second and slightly related question, playing around with the bootstrap template wizard: I got it adding canvas, and thought about other userful building blocks for developers. You could define them in a text icon <canvas width=”500” height=”350”/> and then script them from a script icon, so are we gaining anything at the expense of confusing users who don’t know what scripts and canvases do? I just though ‘well, where does it end? Divs, styles, etc’ and we can do it all with text anyway. But in looking at some of this stuff, it would really be handy to be able to upload scripts, because writing anything more than trivial in the wizard is going to be gribbly.

What do you think?

<image001.png>
_______________________________________________
Xerte-dev mailing list
Xerte-dev at lists.nottingham.ac.uk<mailto:Xerte-dev at lists.nottingham.ac.uk>
http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev


This message and any attachment are intended solely for the addressee and may contain confidential information. If you have received this message in error, please send it back to me, and immediately delete it.   Please do not use, copy or disclose the information contained in this message or in any attachment.  Any views or opinions expressed by the author of this email do not necessarily reflect the views of the University of Nottingham.

This message has been checked for viruses but the contents of an attachment may still contain software viruses which could damage your computer system, you are advised to perform your own checks. Email communications with the University of Nottingham may be monitored as permitted by UK legislation.


Glasgow Caledonian University is a registered Scottish charity, number SC021474

Winner: Times Higher Education’s Widening Participation Initiative of the Year 2009 and Herald Society’s Education Initiative of the Year 2009.
http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html

Winner: Times Higher Education’s Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners.
http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html

Glasgow Caledonian University is a registered Scottish charity, number SC021474

Winner: Times Higher Education’s Widening Participation Initiative of the Year 2009 and Herald Society’s Education Initiative of the Year 2009.
http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html

Winner: Times Higher Education’s Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners.
http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130522/a5dfe155/attachment.html>


More information about the Xerte-dev mailing list