<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 12 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0cm;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma","sans-serif";}
span.EmailStyle19
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.EmailStyle20
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle21
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle22
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle23
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle24
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-GB link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='color:#1F497D'>I don’t know how all this side of things works tbh. If it makes more sense from your side of things to have the info in the model files rather than xwd then let me know what you need and I can put it in<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal style='margin-left:36.0pt'><b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> xerte-dev-bounces@lists.nottingham.ac.uk [mailto:xerte-dev-bounces@lists.nottingham.ac.uk] <b>On Behalf Of </b>Smith, John<br><b>Sent:</b> 08 March 2013 10:27<br><b>To:</b> For Xerte technical developers<br><b>Subject:</b> [Xerte-dev] Re: SECURITY PATCH for upload.php<o:p></o:p></span></p></div></div><p class=MsoNormal style='margin-left:36.0pt'><o:p> </o:p></p><p class=MsoNormal style='margin-left:36.0pt'><span lang=EN-US style='color:#1F497D'>Hi Fay,<o:p></o:p></span></p><p class=MsoNormal style='margin-left:36.0pt'><span lang=EN-US style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal style='margin-left:36.0pt'><span lang=EN-US style='color:#1F497D'>Sure, I could work with that if that’s not going to cause any problems with the system. I think we need to check mime types too as the server can ignore extensions if it recognizes the format but if we have the extensions allowed then I suppose we can look up the mime types allowed for that extension and make sure the uploaded file type matches…<o:p></o:p></span></p><div><p class=MsoNormal style='margin-left:36.0pt'><span lang=EN-US style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal style='margin-left:36.0pt'><span lang=EN-US style='color:#1F497D'>These parameters won’t be posted with the file will they, if they are added there? The only issue I see is that we would simply have an aggregated list of extensions that ALL models use, and so any model could upload any file in that list, not just the ones allowed by that model, which is kind of counter intuitive…<o:p></o:p></span></p><p class=MsoNormal style='margin-left:36.0pt'><span lang=EN-US style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal style='margin-left:36.0pt'><span lang=EN-US style='color:#1F497D'>Regards,<o:p></o:p></span></p><p class=MsoNormal style='margin-left:36.0pt'><span lang=EN-US style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal style='margin-left:36.0pt'><span lang=EN-US style='color:#1F497D'>John <o:p></o:p></span></p></div><p class=MsoNormal style='margin-left:36.0pt'><span lang=EN-US style='color:#1F497D'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal style='margin-left:36.0pt'><b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> <a href="mailto:xerte-dev-bounces@lists.nottingham.ac.uk">xerte-dev-bounces@lists.nottingham.ac.uk</a> [<a href="mailto:xerte-dev-bounces@lists.nottingham.ac.uk">mailto:xerte-dev-bounces@lists.nottingham.ac.uk</a>] <b>On Behalf Of </b>Fay Cross<br><b>Sent:</b> Friday, March 08, 2013 10:15 AM<br><b>To:</b> For Xerte technical developers<br><b>Subject:</b> [Xerte-dev] Re: SECURITY PATCH for upload.php<o:p></o:p></span></p></div></div><p class=MsoNormal style='margin-left:36.0pt'><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal style='margin-left:36.0pt'><span style='color:#1F497D'>If we added something to the xwds would that help?<o:p></o:p></span></p><p class=MsoNormal style='margin-left:36.0pt'><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal style='margin-left:36.0pt'><span style='color:#1F497D'>e.g. adding an extra attribute...<o:p></o:p></span></p><p class=MsoNormal style='margin-left:36.0pt'><span style='color:#1F497D'><url label="Image" type="media" <b>fileType=”jpeg,gif,png”</b>/><o:p></o:p></span></p><p class=MsoNormal style='margin-left:36.0pt'><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal style='margin-left:36.0pt'><span style='color:#1F497D'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal style='margin-left:72.0pt'><b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> <a href="mailto:xerte-dev-bounces@lists.nottingham.ac.uk">xerte-dev-bounces@lists.nottingham.ac.uk</a> [<a href="mailto:xerte-dev-bounces@lists.nottingham.ac.uk">mailto:xerte-dev-bounces@lists.nottingham.ac.uk</a>] <b>On Behalf Of </b>Smith, John<br><b>Sent:</b> 08 March 2013 10:00<br><b>To:</b> For Xerte technical developers<br><b>Subject:</b> [Xerte-dev] Re: SECURITY PATCH for upload.php<o:p></o:p></span></p></div></div><p class=MsoNormal style='margin-left:72.0pt'><o:p> </o:p></p><p class=MsoNormal style='margin-left:72.0pt'><span lang=EN-US style='color:#1F497D'>Could we add a comment type header block to the start of the models? Similar to a Wordpress style header and parse these comments once in a while, via cron or just on user login or something? I suppose we could hook ‘user_login’ and do the damage in a plugin?<o:p></o:p></span></p><p class=MsoNormal style='margin-left:72.0pt'><span lang=EN-US style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal style='margin-left:72.0pt'><span lang=EN-US style='color:#1F497D'>Do you think that a comment header would that break the parsing of the model?<o:p></o:p></span></p><div><p class=MsoNormal style='margin-left:72.0pt'><span lang=EN-US style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal style='margin-left:72.0pt'><span lang=EN-US style='color:#1F497D'>Regards,<o:p></o:p></span></p><p class=MsoNormal style='margin-left:72.0pt'><span lang=EN-US style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal style='margin-left:72.0pt'><span lang=EN-US style='color:#1F497D'>John Smith<o:p></o:p></span></p><p class=MsoNormal style='margin-left:72.0pt'><span lang=EN-US style='color:#1F497D'>Learning Technologist<o:p></o:p></span></p><p class=MsoNormal style='margin-left:72.0pt'><span lang=EN-US style='color:#1F497D'>School of Health & Life Sciences<o:p></o:p></span></p><p class=MsoNormal style='margin-left:72.0pt'><span lang=EN-US style='color:#1F497D'>Glasgow Caledonian University<o:p></o:p></span></p></div><p class=MsoNormal style='margin-left:72.0pt'><span lang=EN-US style='color:#1F497D'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal style='margin-left:72.0pt'><b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> <a href="mailto:xerte-dev-bounces@lists.nottingham.ac.uk">xerte-dev-bounces@lists.nottingham.ac.uk</a> [<a href="mailto:xerte-dev-bounces@lists.nottingham.ac.uk">mailto:xerte-dev-bounces@lists.nottingham.ac.uk</a>] <b>On Behalf Of </b>Pat @ Pgogy<br><b>Sent:</b> Thursday, March 07, 2013 5:14 PM<br><b>To:</b> For Xerte technical developers<br><b>Subject:</b> [Xerte-dev] Re: SECURITY PATCH for upload.php<o:p></o:p></span></p></div></div><p class=MsoNormal style='margin-left:72.0pt'><span lang=EN-US><o:p> </o:p></span></p><div><p class=MsoNormal style='margin-left:72.0pt'><span lang=EN-US>Hello,<o:p></o:p></span></p></div><div><p class=MsoNormal style='margin-left:72.0pt'><span lang=EN-US><o:p> </o:p></span></p></div><div><p class=MsoNormal style='margin-left:72.0pt'><span lang=EN-US>Problem is getting a list of types the models support. I think there is a case for saying the model should list the extensions it supports as it is partly their job to do it. This way the model could post the allowed types and the list is generated on the fly?<o:p></o:p></span></p></div><div><p class=MsoNormal style='margin-left:72.0pt'><span lang=EN-US><o:p> </o:p></span></p></div><div><p class=MsoNormal style='margin-left:72.0pt'><span lang=EN-US>I agree preventing php is a good thing, but I think the problem is not knowing what types are acceptable is a real curveball<br><br>Pgogy Webstuff - <a href="http://www.pgogywebstuff.com">http://www.pgogywebstuff.com</a><o:p></o:p></span></p><div><p class=MsoNormal style='margin-left:72.0pt'><span lang=EN-US>Makers of web things of a fair to middling quality<o:p></o:p></span></p></div></div><div><p class=MsoNormal style='mso-margin-top-alt:0cm;margin-right:0cm;margin-bottom:12.0pt;margin-left:72.0pt'><span lang=EN-US><br>On 7 Mar 2013, at 15:32, "Smith, John" <<a href="mailto:J.J.Smith@gcu.ac.uk">J.J.Smith@gcu.ac.uk</a>> wrote:<o:p></o:p></span></p></div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><div><p class=MsoNormal style='margin-left:72.0pt'><span lang=EN-US style='color:#1F497D'>Hi Pat,</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal style='margin-left:72.0pt'><span lang=EN-US style='color:#1F497D'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal style='margin-left:72.0pt'><span lang=EN-US style='color:#1F497D'>I didn’t copy your regexp or your select list directly but translated the select code into a comma separated list so that it can be moved elsewhere if required…</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal style='margin-left:72.0pt'><span lang=EN-US style='color:#1F497D'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal style='margin-left:72.0pt'><span lang=EN-US style='color:#1F497D'>I noticed the list in the sitedetails table but it is of Mime Types. I think it would be best practice to use extensions, content headers, mimetypes and any other method available to whitelist the allowable files but I think that might take a bit more work…</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal style='margin-left:72.0pt'><span lang=EN-US style='color:#1F497D'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal style='margin-left:72.0pt'><span lang=EN-US style='color:#1F497D'>I think it is leaving a load of sites out there very vulnerable so we should try to find a good way to shore this up before the next release. What do you think? I’ll have a go at adding in some code to deal with content headers and mimetypes</span><span lang=EN-US><o:p></o:p></span></p><div><p class=MsoNormal style='margin-left:72.0pt'><span lang=EN-US style='color:#1F497D'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal style='margin-left:72.0pt'><span lang=EN-US style='color:#1F497D'>Regards,</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal style='margin-left:72.0pt'><span lang=EN-US style='color:#1F497D'> </span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal style='margin-left:72.0pt'><span lang=EN-US style='color:#1F497D'>John Smith</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal style='margin-left:72.0pt'><span lang=EN-US style='color:#1F497D'>Learning Technologist</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal style='margin-left:72.0pt'><span lang=EN-US style='color:#1F497D'>School of Health & Life Sciences</span><span lang=EN-US><o:p></o:p></span></p><p class=MsoNormal style='margin-left:72.0pt'><span lang=EN-US style='color:#1F497D'>Glasgow Caledonian University</span><span lang=EN-US><o:p></o:p></span></p></div><p class=MsoNormal style='margin-left:72.0pt'><span lang=EN-US style='color:#1F497D'> </span><span lang=EN-US><o:p></o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal style='margin-left:72.0pt'><b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> <a href="mailto:xerte-dev-bounces@lists.nottingham.ac.uk">xerte-dev-bounces@lists.nottingham.ac.uk</a> [<a href="mailto:xerte-dev-bounces@lists.nottingham.ac.uk">mailto:xerte-dev-bounces@lists.nottingham.ac.uk</a>] <b>On Behalf Of </b>Pat @ Pgogy<br><b>Sent:</b> Thursday, March 07, 2013 2:54 PM<br><b>To:</b> For Xerte technical developers<br><b>Subject:</b> [Xerte-dev] Re: SECURITY PATCH for upload.php</span><span lang=EN-US><o:p></o:p></span></p></div></div><p class=MsoNormal style='margin-left:72.0pt'><span lang=EN-US> <o:p></o:p></span></p><div><p class=MsoNormal style='margin-left:72.0pt'><span lang=EN-US>Hello,<o:p></o:p></span></p></div><div><p class=MsoNormal style='margin-left:72.0pt'><span lang=EN-US> <o:p></o:p></span></p></div><div><p class=MsoNormal style='margin-left:72.0pt'><span lang=EN-US>I hobble the Wordpress version deliberately to only allow a few file types but that isn't the list that full XOT needs (there is in fact, no list, hence the problem).<o:p></o:p></span></p></div><div><p class=MsoNormal style='margin-left:72.0pt'><span lang=EN-US> <o:p></o:p></span></p></div><div><p class=MsoNormal style='margin-left:72.0pt'><span lang=EN-US>My reg exp is a bit flaky as well, if you copied that over.<o:p></o:p></span></p></div><div><p class=MsoNormal style='margin-left:72.0pt'><span lang=EN-US> <o:p></o:p></span></p></div><div><p class=MsoNormal style='margin-left:72.0pt'><span lang=EN-US>There is a sort of whitelist in the sitedetails table as the media upload properties panel page uses this - but not sure this is the XOT list.<br><br>Pgogy Webstuff - <a href="http://www.pgogywebstuff.com">http://www.pgogywebstuff.com</a><o:p></o:p></span></p><div><p class=MsoNormal style='margin-left:72.0pt'><span lang=EN-US>Makers of web things of a fair to middling quality<o:p></o:p></span></p></div></div><div><p class=MsoNormal style='mso-margin-top-alt:0cm;margin-right:0cm;margin-bottom:12.0pt;margin-left:72.0pt'><span lang=EN-US><br>On 7 Mar 2013, at 13:01, "Smith, John" <<a href="mailto:J.J.Smith@gcu.ac.uk">J.J.Smith@gcu.ac.uk</a>> wrote:<o:p></o:p></span></p></div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><div><p class=MsoNormal style='margin-left:72.0pt'><span lang=EN-US>Hi,<o:p></o:p></span></p><p class=MsoNormal style='margin-left:72.0pt'><span lang=EN-US> <o:p></o:p></span></p><p class=MsoNormal style='margin-left:72.0pt'><span lang=EN-US>I’ve just committed a change to upload.php (revision 714) to stop users exploiting a system by uploading php code. I’ve added a whitelist and stuck in the same allowed file extensions that Pat uses in the Wordpress plugins.<o:p></o:p></span></p><p class=MsoNormal style='margin-left:72.0pt'><span lang=EN-US> <o:p></o:p></span></p><p class=MsoNormal style='margin-left:72.0pt'><span lang=EN-US>Can someone test this and advise if there are any other media types that we want/need to allow?<o:p></o:p></span></p><p class=MsoNormal style='margin-left:72.0pt'><span lang=EN-US> <o:p></o:p></span></p><p class=MsoNormal style='margin-left:72.0pt'><span lang=EN-US>There was also a session check but exit(); was commented out therefore in an unpatched system ANYONE can post data to upload.php and get some code onto the server. I’ve uncommented this now but does anyone know why it was commented out in the first place?<o:p></o:p></span></p><p class=MsoNormal style='margin-left:72.0pt'><span lang=EN-US> <o:p></o:p></span></p><p class=MsoNormal style='margin-left:72.0pt'><span lang=EN-US>Regards,<o:p></o:p></span></p><p class=MsoNormal style='margin-left:72.0pt'><span lang=EN-US> <o:p></o:p></span></p><p class=MsoNormal style='margin-left:72.0pt'><span lang=EN-US>John Smith<o:p></o:p></span></p><p class=MsoNormal style='margin-left:72.0pt'><span lang=EN-US>Learning Technologist<o:p></o:p></span></p><p class=MsoNormal style='margin-left:72.0pt'><span lang=EN-US>School of Health & Life Sciences<o:p></o:p></span></p><p class=MsoNormal style='margin-left:72.0pt'><span lang=EN-US>Glasgow Caledonian University<o:p></o:p></span></p><p class=MsoNormal style='margin-left:72.0pt'><span lang=EN-US> <o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:0cm;margin-right:0cm;margin-bottom:12.0pt;margin-left:72.0pt'><span lang=EN-US style='font-size:12.0pt;font-family:"Times New Roman","serif"'><br></span><span lang=EN-US style='font-size:10.0pt;font-family:"Arial","sans-serif";color:gray'>Glasgow Caledonian University is a registered Scottish charity, number SC021474<br><br>Winner: Times Higher Education’s Widening Participation Initiative of the Year 2009 and Herald Society’s Education Initiative of the Year 2009.<br><a href="http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html">http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html</a><br><br>Winner: Times Higher Education’s Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners.<br><a href="http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html">http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html</a></span><span lang=EN-US><o:p></o:p></span></p></div></blockquote><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><div><p class=MsoNormal style='margin-left:72.0pt'><span lang=EN-US style='font-size:12.0pt;font-family:"Times New Roman","serif"'>_______________________________________________<br>Xerte-dev mailing list<br><a href="mailto:Xerte-dev@lists.nottingham.ac.uk">Xerte-dev@lists.nottingham.ac.uk</a><br><a href="http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev">http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev</a></span><span lang=EN-US><o:p></o:p></span></p></div></blockquote><p class=MsoNormal style='mso-margin-top-alt:0cm;margin-right:0cm;margin-bottom:12.0pt;margin-left:72.0pt'><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal style='margin-left:72.0pt'><span lang=EN-US style='font-size:12.0pt;font-family:"Times New Roman","serif"'><br></span><span lang=EN-US style='font-size:10.0pt;font-family:"Arial","sans-serif";color:gray'>Glasgow Caledonian University is a registered Scottish charity, number SC021474<br><br>Winner: Times Higher Education’s Widening Participation Initiative of the Year 2009 and Herald Society’s Education Initiative of the Year 2009.<br><a href="http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html">http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html</a><br><br>Winner: Times Higher Education’s Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners.<br><a href="http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html">http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html</a></span><span lang=EN-US style='font-size:12.0pt;font-family:"Times New Roman","serif"'><o:p></o:p></span></p></div></blockquote><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><div><p class=MsoNormal style='margin-left:72.0pt'><span lang=EN-US style='font-size:12.0pt;font-family:"Times New Roman","serif"'>_______________________________________________<br>Xerte-dev mailing list<br><a href="mailto:Xerte-dev@lists.nottingham.ac.uk">Xerte-dev@lists.nottingham.ac.uk</a><br><a href="http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev">http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev</a><o:p></o:p></span></p></div></blockquote><p class=MsoNormal style='mso-margin-top-alt:0cm;margin-right:0cm;margin-bottom:12.0pt;margin-left:72.0pt'><span lang=EN-US style='font-size:12.0pt;font-family:"Times New Roman","serif"'><o:p> </o:p></span></p><p class=MsoNormal style='margin-left:72.0pt'><span lang=EN-US style='font-size:12.0pt;font-family:"Times New Roman","serif"'><br></span><span lang=EN-US style='font-size:10.0pt;font-family:"Arial","sans-serif";color:gray'>Glasgow Caledonian University is a registered Scottish charity, number SC021474<br><br>Winner: Times Higher Education’s Widening Participation Initiative of the Year 2009 and Herald Society’s Education Initiative of the Year 2009.<br><a href="http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html">http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html</a><br><br>Winner: Times Higher Education’s Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners.<br><a href="http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html">http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html</a></span><span lang=EN-US style='font-size:12.0pt;font-family:"Times New Roman","serif"'><o:p></o:p></span></p><p class=MsoNormal style='margin-left:36.0pt'><span lang=EN-US style='font-size:12.0pt;font-family:"Times New Roman","serif"'><br></span><span lang=EN-US style='font-size:10.0pt;font-family:"Arial","sans-serif";color:gray'>Glasgow Caledonian University is a registered Scottish charity, number SC021474<br><br>Winner: Times Higher Education’s Widening Participation Initiative of the Year 2009 and Herald Society’s Education Initiative of the Year 2009.<br><a href="http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html">http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html</a><br><br>Winner: Times Higher Education’s Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners.<br><a href="http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html">http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html</a></span><span lang=EN-US style='font-size:12.0pt;font-family:"Times New Roman","serif"'><o:p></o:p></span></p></div></body></html>