<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div>Hello,</div><div><br></div><div>I hobble the Wordpress version deliberately to only allow a few file types but that isn't the list that full XOT needs (there is in fact, no list, hence the problem).</div><div><br></div><div>My reg exp is a bit flaky as well, if you copied that over.</div><div><br></div><div>There is a sort of whitelist in the sitedetails table as the media upload properties panel page uses this - but not sure this is the XOT list.<br><br>Pgogy Webstuff - <a href="http://www.pgogywebstuff.com">http://www.pgogywebstuff.com</a><div>Makers of web things of a fair to middling quality</div></div><div><br>On 7 Mar 2013, at 13:01, "Smith, John" <<a href="mailto:J.J.Smith@gcu.ac.uk">J.J.Smith@gcu.ac.uk</a>> wrote:<br><br></div><blockquote type="cite"><div>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri","sans-serif";
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="WordSection1">
<p class="MsoNormal">Hi,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I’ve just committed a change to upload.php (revision 714) to stop users exploiting a system by uploading php code. I’ve added a whitelist and stuck in the same allowed file extensions that Pat uses in the Wordpress plugins.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Can someone test this and advise if there are any other media types that we want/need to allow?<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">There was also a session check but exit(); was commented out therefore in an unpatched system ANYONE can post data to upload.php and get some code onto the server. I’ve uncommented this now but does anyone know why it was commented out
in the first place?<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Regards,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">John Smith<o:p></o:p></p>
<p class="MsoNormal">Learning Technologist<o:p></o:p></p>
<p class="MsoNormal">School of Health & Life Sciences<o:p></o:p></p>
<p class="MsoNormal">Glasgow Caledonian University<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<br>
<font face="Arial" color="Gray" size="2">Glasgow Caledonian University is a registered Scottish charity, number SC021474<br>
<br>
Winner: Times Higher Education’s Widening Participation Initiative of the Year 2009 and Herald Society’s Education Initiative of the Year 2009.<br>
<a href="http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html">http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html</a><br>
<br>
Winner: Times Higher Education’s Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners.<br>
<a href="http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html">http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html</a><br>
</font>
<br><br>
<br>
</div></blockquote><blockquote type="cite"><div><span>_______________________________________________</span><br><span>Xerte-dev mailing list</span><br><span><a href="mailto:Xerte-dev@lists.nottingham.ac.uk">Xerte-dev@lists.nottingham.ac.uk</a></span><br><span><a href="http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev">http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev</a></span><br></div></blockquote></body></html>