<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma","sans-serif";}
span.EmailStyle19
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.EmailStyle20
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle21
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle22
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle23
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle24
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle25
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle26
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle27
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle28
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle29
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle30
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:722796784;
mso-list-type:hybrid;
mso-list-template-ids:1323712468 67698689 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l0:level1
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l0:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l0:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l0:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l0:level5
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l0:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l0:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l0:level8
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l0:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#1F497D">I “think” we have 2 possible solutions:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">I’m sure if we delegate jQuery to do the upload then we can get at the progress and feed back to Flash, even if the Flash had to poll… there are jQuery uploaders that do…<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">I think we can also do it with session and nonce, though, but it is how we deal with multiple uploads without refresh – alternatively we just:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoListParagraph" style="text-indent:-.25in;mso-list:l0 level1 lfo1"><![if !supportLists]><span style="font-family:Symbol;color:#1F497D"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span style="color:#1F497D">Store the session id in the database, with a timestamp every time a php file loads, in config or something…<o:p></o:p></span></p>
<p class="MsoListParagraph" style="text-indent:-.25in;mso-list:l0 level1 lfo1"><![if !supportLists]><span style="font-family:Symbol;color:#1F497D"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span style="color:#1F497D">send the session id as a parameter upload.php?sess=&lt;?php echo session_id(); ?&gt; into flash or as a flashvar<o:p></o:p></span></p>
<p class="MsoListParagraph" style="text-indent:-.25in;mso-list:l0 level1 lfo1"><![if !supportLists]><span style="font-family:Symbol;color:#1F497D"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]><span style="color:#1F497D">flash posts the session_id to upload and we interrogate the database to see if it’s valid (present and not expired, i.e. not older than 20 mins)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<p class="MsoNormal"><span style="color:#1F497D">I’ll play around with it over the weekend…<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Regards,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">John Smith<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Learning Technologist<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">School of Health & Life Sciences<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Glasgow Caledonian University<o:p></o:p></span></p>
</div>
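<p class="MsoNormal">The scheme in the three bullets above (session id recorded in the database on every page load, handed to Flash, posted back to upload.php and checked for presence and age), combined with the extension whitelist, content-based MIME check and generic “failed” response discussed earlier in the thread, as an added PHP example. This is not Xerte’s upload.php and not code any list member posted. The table name upload_sessions, the constants, the extension list, the MIME map, the session-id pattern and storing the file under a server-generated name are all assumptions of the example.</p>

```php
<?php
// Added example, not Xerte's upload.php. Assumed names: table upload_sessions,
// the constants below, the extension list and MIME map, 20-minute expiry.
declare(strict_types=1);

const TOKEN_MAX_AGE = 20 * 60;                 // seconds; "older than 20 mins" = expired
const ALLOWED_EXTENSIONS = 'jpg,jpeg,png,gif,mp3,mp4,flv,swf,pdf'; // assumed admin setting
const MIME_FOR_EXTENSION = [                   // assumed: content-sniffed types per extension
    'jpg' => ['image/jpeg'], 'jpeg' => ['image/jpeg'], 'png' => ['image/png'],
    'gif' => ['image/gif'],  'mp3'  => ['audio/mpeg'], 'mp4' => ['video/mp4'],
    'flv' => ['video/x-flv'], 'swf' => ['application/x-shockwave-flash'],
    'pdf' => ['application/pdf'],
];

// Run on every editor page load: record that this PHP session is live right now.
function touch_upload_session(PDO $db, string $sessionId): void
{
    $stmt = $db->prepare('INSERT OR REPLACE INTO upload_sessions (session_id, last_seen) VALUES (?, ?)');
    $stmt->execute([$sessionId, time()]);
}

// The token Flash posts is valid only if it is in the table and was seen within TOKEN_MAX_AGE.
function is_valid_upload_token(PDO $db, string $token): bool
{
    // PHP session ids use a restricted alphabet; reject anything else before touching the DB.
    if (!preg_match('/^[A-Za-z0-9,-]{20,128}$/', $token)) {
        return false;
    }
    $stmt = $db->prepare('SELECT last_seen FROM upload_sessions WHERE session_id = ?');
    $stmt->execute([$token]);
    $lastSeen = $stmt->fetchColumn();
    return $lastSeen !== false && (time() - (int) $lastSeen) <= TOKEN_MAX_AGE;
}

// Lower-cased extension of the client-supplied name if whitelisted, otherwise null.
function whitelisted_extension(string $clientName): ?string
{
    $allowed = array_map('trim', explode(',', strtolower(ALLOWED_EXTENSIONS)));
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    return ($ext !== '' && in_array($ext, $allowed, true)) ? $ext : null;
}

// Sniff the MIME type from the bytes on disk (never trust $_FILES['type']) and
// accept only what the whitelisted extension allows.
function content_matches_extension(string $path, string $ext): bool
{
    $finfo = finfo_open(FILEINFO_MIME_TYPE);
    $detected = finfo_file($finfo, $path);
    finfo_close($finfo);
    return $detected !== false && in_array($detected, MIME_FOR_EXTENSION[$ext] ?? [], true);
}

// Validate one upload. Returns ['ok' => true, 'name' => <server-chosen name>] or
// ['ok' => false, 'message' => 'failed']; the real reason goes to the server log only.
function validate_upload(PDO $db, string $token, array $file): array
{
    $fail = static function (string $why): array {
        error_log('upload rejected: ' . $why);
        return ['ok' => false, 'message' => 'failed'];
    };
    if (!is_valid_upload_token($db, $token)) {
        return $fail('invalid or expired upload token');
    }
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK || !is_file($file['tmp_name'] ?? '')) {
        return $fail('no file or transport error');
    }
    $ext = whitelisted_extension((string) ($file['name'] ?? ''));
    if ($ext === null) {
        return $fail('extension not whitelisted: ' . ($file['name'] ?? ''));
    }
    if (!content_matches_extension($file['tmp_name'], $ext)) {
        return $fail('content does not match extension .' . $ext);
    }
    // Store under a server-generated name with exactly one whitelisted extension, so a
    // client name such as "x.php.png" or "../x" never reaches the filesystem. The caller
    // then does move_uploaded_file($file['tmp_name'], $dir . '/' . $name).
    return ['ok' => true, 'name' => bin2hex(random_bytes(8)) . '.' . $ext];
}

// ---- Stand-alone demo: in-memory SQLite and constructed files ----
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE upload_sessions (session_id TEXT PRIMARY KEY, last_seen INTEGER)');
$sid = 'k2h5c9d0e8f1g3a7b6j4l5m2n8p1'; // stands in for session_id() of the logged-in user
touch_upload_session($db, $sid);

// Constructed PNG: signature plus an IHDR chunk is enough for libmagic to report image/png.
$png = "\x89PNG\r\n\x1a\n\x00\x00\x00\x0dIHDR\x00\x00\x00\x01\x00\x00\x00\x01\x08\x06\x00\x00\x00\x1f\x15\xc4\x89";
$pngTmp = tempnam(sys_get_temp_dir(), 'up'); file_put_contents($pngTmp, $png);
$phpTmp = tempnam(sys_get_temp_dir(), 'up'); file_put_contents($phpTmp, "<?php system(\$_GET['c']);");

$cases = [
    'good image'       => [$sid, ['name' => 'photo.PNG', 'tmp_name' => $pngTmp, 'error' => UPLOAD_ERR_OK]],
    'php renamed .png' => [$sid, ['name' => 'shell.png', 'tmp_name' => $phpTmp, 'error' => UPLOAD_ERR_OK]],
    'php extension'    => [$sid, ['name' => 'shell.php', 'tmp_name' => $phpTmp, 'error' => UPLOAD_ERR_OK]],
    'no token'         => ['',   ['name' => 'photo.png', 'tmp_name' => $pngTmp, 'error' => UPLOAD_ERR_OK]],
];
foreach ($cases as $label => [$token, $file]) {
    $r = validate_upload($db, $token, $file);
    printf("%-17s -> %s\n", $label, $r['ok'] ? 'accepted as ' . $r['name'] : $r['message']);
}
unlink($pngTmp); unlink($phpTmp);
```

<p class="MsoNormal">Only the first case is accepted; the other three all get the same “failed” string back, with the specific reason visible only in the server error log. The INSERT OR REPLACE form is SQLite syntax for the demo; on MySQL the equivalent is REPLACE INTO or INSERT … ON DUPLICATE KEY UPDATE. Because the token is the PHP session id itself, it should only ever travel in a POST body or flashvar, never in a URL that ends up in access logs or referrers.</p>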
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> xerte-dev-bounces@lists.nottingham.ac.uk [mailto:xerte-dev-bounces@lists.nottingham.ac.uk]
<b>On Behalf Of </b>Julian Tenney<br>
<b>Sent:</b> Friday, March 08, 2013 2:54 PM<br>
<b>To:</b> For Xerte technical developers<br>
<b>Subject:</b> [Xerte-dev] Re: SECURITY PATCH for upload.php<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span lang="EN-GB" style="color:#1F497D">Maybe that’s not a bad idea, but is it the case that you can’t get progress from the browser, which ideally we want for the progress bar (is that the case? I thought that was the downside of calling some js functions from the wizard to handle the call to upload.php?)<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-GB" style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal" style="margin-left:.5in"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">
<a href="mailto:xerte-dev-bounces@lists.nottingham.ac.uk">xerte-dev-bounces@lists.nottingham.ac.uk</a> [<a href="mailto:xerte-dev-bounces@lists.nottingham.ac.uk">mailto:xerte-dev-bounces@lists.nottingham.ac.uk</a>]
<b>On Behalf Of </b>Smith, John<br>
<b>Sent:</b> 08 March 2013 14:21<br>
<b>To:</b> For Xerte technical developers<br>
<b>Subject:</b> [Xerte-dev] Re: SECURITY PATCH for upload.php<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal" style="margin-left:.5in"><span lang="EN-GB"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#1F497D">Hmm perhaps we can ajax via the browser… now I see why nobody was wanting to touch this!!<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#1F497D">Regards,<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#1F497D">John Smith<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#1F497D">Learning Technologist<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#1F497D">School of Health & Life Sciences<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#1F497D">Glasgow Caledonian University<o:p></o:p></span></p>
</div>
<p class="MsoNormal" style="margin-left:.5in"><span style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal" style="margin-left:.5in"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">
<a href="mailto:xerte-dev-bounces@lists.nottingham.ac.uk">xerte-dev-bounces@lists.nottingham.ac.uk</a> [<a href="mailto:xerte-dev-bounces@lists.nottingham.ac.uk">mailto:xerte-dev-bounces@lists.nottingham.ac.uk</a>]
<b>On Behalf Of </b>Julian Tenney<br>
<b>Sent:</b> Friday, March 08, 2013 2:15 PM<br>
<b>To:</b> For Xerte technical developers<br>
<b>Subject:</b> [Xerte-dev] Re: SECURITY PATCH for upload.php<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><span lang="EN-GB" style="color:#1F497D">It’s because upload.php is being hit from flash, which isn’t passing the session info over to it in FF. Simon A and I tried a load of things to get it to work, but gave up
in the end. <o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span lang="EN-GB" style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal" style="margin-left:1.0in"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">
<a href="mailto:xerte-dev-bounces@lists.nottingham.ac.uk">xerte-dev-bounces@lists.nottingham.ac.uk</a> [<a href="mailto:xerte-dev-bounces@lists.nottingham.ac.uk">mailto:xerte-dev-bounces@lists.nottingham.ac.uk</a>]
<b>On Behalf Of </b>Smith, John<br>
<b>Sent:</b> 08 March 2013 14:12<br>
<b>To:</b> For Xerte technical developers<br>
<b>Subject:</b> [Xerte-dev] Re: SECURITY PATCH for upload.php<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal" style="margin-left:1.0in"><span lang="EN-GB"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D">Ok I’ll look at that and see why… maybe config isn’t being included properly… sessions work elsewhere in Firefox so why not here?<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D">Regards,<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D">John Smith<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D">Learning Technologist<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D">School of Health & Life Sciences<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D">Glasgow Caledonian University<o:p></o:p></span></p>
</div>
<p class="MsoNormal" style="margin-left:1.0in"><span style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal" style="margin-left:1.0in"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">
<a href="mailto:xerte-dev-bounces@lists.nottingham.ac.uk">xerte-dev-bounces@lists.nottingham.ac.uk</a> [<a href="mailto:xerte-dev-bounces@lists.nottingham.ac.uk">mailto:xerte-dev-bounces@lists.nottingham.ac.uk</a>]
<b>On Behalf Of </b>Julian Tenney<br>
<b>Sent:</b> Friday, March 08, 2013 2:05 PM<br>
<b>To:</b> For Xerte technical developers<br>
<b>Subject:</b> [Xerte-dev] Re: SECURITY PATCH for upload.php<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal" style="margin-left:1.0in"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:1.0in"><span lang="EN-GB" style="color:#1F497D">I commented it out because it didn’t work in firefox.<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:1.0in"><span lang="EN-GB" style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal" style="margin-left:1.5in"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">
<a href="mailto:xerte-dev-bounces@lists.nottingham.ac.uk">xerte-dev-bounces@lists.nottingham.ac.uk</a> [<a href="mailto:xerte-dev-bounces@lists.nottingham.ac.uk">mailto:xerte-dev-bounces@lists.nottingham.ac.uk</a>]
<b>On Behalf Of </b>Smith, John<br>
<b>Sent:</b> 08 March 2013 13:55<br>
<b>To:</b> For Xerte technical developers<br>
<b>Subject:</b> [Xerte-dev] Re: SECURITY PATCH for upload.php<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal" style="margin-left:1.5in"><span lang="EN-GB"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:1.5in"><span style="color:#1F497D">If we get pushed for time and we need to then we can just comment out the code I added for now. All it would do then is the session check, although even that check was commented out in the svn and probably the 1.9 release, no idea why though or by whom and whether adding that back in will be causing an issue…<o:p></o:p></span></p>
<div>
<p class="MsoNormal" style="margin-left:1.5in"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:1.5in"><span style="color:#1F497D">Regards,<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:1.5in"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:1.5in"><span style="color:#1F497D">John Smith<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:1.5in"><span style="color:#1F497D">Learning Technologist<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:1.5in"><span style="color:#1F497D">School of Health & Life Sciences<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:1.5in"><span style="color:#1F497D">Glasgow Caledonian University<o:p></o:p></span></p>
</div>
<p class="MsoNormal" style="margin-left:1.5in"><span style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal" style="margin-left:1.5in"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">
<a href="mailto:xerte-dev-bounces@lists.nottingham.ac.uk">xerte-dev-bounces@lists.nottingham.ac.uk</a> [<a href="mailto:xerte-dev-bounces@lists.nottingham.ac.uk">mailto:xerte-dev-bounces@lists.nottingham.ac.uk</a>]
<b>On Behalf Of </b>Julian Tenney<br>
<b>Sent:</b> Friday, March 08, 2013 1:47 PM<br>
<b>To:</b> For Xerte technical developers<br>
<b>Subject:</b> [Xerte-dev] Re: SECURITY PATCH for upload.php<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal" style="margin-left:1.5in"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:1.5in"><span lang="EN-GB" style="color:#1F497D">I’m not sure I’m close enough to the detail to recommend a way forward here, so happy to go with a recommendation, but would like to see it all implemented at once in the
svn so we’re not in a position where exporting the svn creates an install that won’t upload anything…<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:1.5in"><span lang="EN-GB" style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal" style="margin-left:2.0in"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">
<a href="mailto:xerte-dev-bounces@lists.nottingham.ac.uk">xerte-dev-bounces@lists.nottingham.ac.uk</a> [<a href="mailto:xerte-dev-bounces@lists.nottingham.ac.uk">mailto:xerte-dev-bounces@lists.nottingham.ac.uk</a>]
<b>On Behalf Of </b>Smith, John<br>
<b>Sent:</b> 08 March 2013 13:26<br>
<b>To:</b> For Xerte technical developers<br>
<b>Subject:</b> [Xerte-dev] Re: SECURITY PATCH for upload.php<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal" style="margin-left:2.0in"><span lang="EN-GB"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:2.0in"><span style="color:#1F497D">I suppose then we could have a script in management that parses the extensions from the xwd files and warns which extensions need to be added to the field in order to make the model
fully usable… would that be duplicating and adding to the confusion of having a mime types field in sitedetails too?<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:2.0in"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:2.0in"><span style="color:#1F497D">Well I’ll work on the basis that I’ll be getting extensions from somewhere and make sure to check session, extension and mime type (based on allowable types for that extension).<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:2.0in"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:2.0in"><span style="color:#1F497D">One more question, do the error messages (before exit(); ) get fed back to the flash? Should we even include them then as they give a hacker some hint as to why an exploit failed – should it just be “failed”?<o:p></o:p></span></p>
<div>
<p class="MsoNormal" style="margin-left:2.0in"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:2.0in"><span style="color:#1F497D">Regards,<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:2.0in"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-left:2.0in"><span style="color:#1F497D">John Smith<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:2.0in"><span style="color:#1F497D">Learning Technologist<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:2.0in"><span style="color:#1F497D">School of Health & Life Sciences<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:2.0in"><span style="color:#1F497D">Glasgow Caledonian University<o:p></o:p></span></p>
</div>
<p class="MsoNormal" style="margin-left:2.0in"><span style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal" style="margin-left:2.0in"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">
<a href="mailto:xerte-dev-bounces@lists.nottingham.ac.uk">xerte-dev-bounces@lists.nottingham.ac.uk</a> [<a href="mailto:xerte-dev-bounces@lists.nottingham.ac.uk">mailto:xerte-dev-bounces@lists.nottingham.ac.uk</a>]
<b>On Behalf Of </b>Julian Tenney<br>
<b>Sent:</b> Friday, March 08, 2013 1:13 PM<br>
<b>To:</b> For Xerte technical developers<br>
<b>Subject:</b> [Xerte-dev] Re: SECURITY PATCH for upload.php<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal" style="margin-left:2.0in"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:2.0in"><span lang="EN-GB" style="color:#1F497D">I think my preference would be for a global setting: comma separated list of allowed types in management.php so we ship a secure product, and people can change the settings if they want to.<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:2.0in"><span lang="EN-GB" style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal" style="margin-left:2.0in"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">
<a href="mailto:xerte-dev-bounces@lists.nottingham.ac.uk">xerte-dev-bounces@lists.nottingham.ac.uk</a> [<a href="mailto:xerte-dev-bounces@lists.nottingham.ac.uk">mailto:xerte-dev-bounces@lists.nottingham.ac.uk</a>]
<b>On Behalf Of </b>Pat @ Pgogy<br>
<b>Sent:</b> 07 March 2013 17:14<br>
<b>To:</b> For Xerte technical developers<br>
<b>Subject:</b> [Xerte-dev] Re: SECURITY PATCH for upload.php<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal" style="margin-left:2.0in"><span lang="EN-GB"><o:p> </o:p></span></p>
<div>
<p class="MsoNormal" style="margin-left:2.0in"><span lang="EN-GB">Hello,<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:2.0in"><span lang="EN-GB"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:2.0in"><span lang="EN-GB">Problem is getting a list of types the models support. I think there is a case for saying the model should list the extensions it supports as it is partly their job to do it. This way the model
could post the allowed types and the list is generated on the fly?<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:2.0in"><span lang="EN-GB"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:2.0in"><span lang="EN-GB">I agree preventing php is a good thing, but I think the problem is not knowing what types are acceptable is a real curveball<br>
<br>
Pgogy Webstuff - <a href="http://www.pgogywebstuff.com">http://www.pgogywebstuff.com</a><o:p></o:p></span></p>
<div>
<p class="MsoNormal" style="margin-left:2.0in"><span lang="EN-GB">Makers of web things of a fair to middling quality<o:p></o:p></span></p>
</div>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:2.0in">
<span lang="EN-GB"><br>
On 7 Mar 2013, at 15:32, "Smith, John" <<a href="mailto:J.J.Smith@gcu.ac.uk">J.J.Smith@gcu.ac.uk</a>> wrote:<o:p></o:p></span></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal" style="margin-left:2.0in"><span lang="EN-GB" style="color:#1F497D">Hi Pat,</span><span lang="EN-GB"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:2.0in"><span lang="EN-GB" style="color:#1F497D"> </span><span lang="EN-GB"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:2.0in"><span lang="EN-GB" style="color:#1F497D">I didn’t copy your regexp or your select list directly but translated the select code into a comma separated list so that it can be moved elsewhere if required…</span><span lang="EN-GB"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:2.0in"><span lang="EN-GB" style="color:#1F497D"> </span><span lang="EN-GB"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:2.0in"><span lang="EN-GB" style="color:#1F497D">I noticed the list in the sitedetails table but it is of Mime Types. I think it would be best practice to use extensions, content headers, mimetypes and any other method
available to whitelist the allowable files but I think that might take a bit more work…</span><span lang="EN-GB"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:2.0in"><span lang="EN-GB" style="color:#1F497D"> </span><span lang="EN-GB"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:2.0in"><span lang="EN-GB" style="color:#1F497D">I think it is leaving a load of sites out there very vulnerable so we should try to find a good way to shore this up before the next release. What do you think? I’ll have
a go at adding in some code to deal with content headers and mimetypes</span><span lang="EN-GB"><o:p></o:p></span></p>
<div>
<p class="MsoNormal" style="margin-left:2.0in"><span lang="EN-GB" style="color:#1F497D"> </span><span lang="EN-GB"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:2.0in"><span lang="EN-GB" style="color:#1F497D">Regards,</span><span lang="EN-GB"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:2.0in"><span lang="EN-GB" style="color:#1F497D"> </span><span lang="EN-GB"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:2.0in"><span lang="EN-GB" style="color:#1F497D">John Smith</span><span lang="EN-GB"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:2.0in"><span lang="EN-GB" style="color:#1F497D">Learning Technologist</span><span lang="EN-GB"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:2.0in"><span lang="EN-GB" style="color:#1F497D">School of Health & Life Sciences</span><span lang="EN-GB"><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:2.0in"><span lang="EN-GB" style="color:#1F497D">Glasgow Caledonian University</span><span lang="EN-GB"><o:p></o:p></span></p>
</div>
<p class="MsoNormal" style="margin-left:2.0in"><span lang="EN-GB" style="color:#1F497D"> </span><span lang="EN-GB"><o:p></o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal" style="margin-left:2.0in"><b><span lang="EN-GB" style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span lang="EN-GB" style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">
<a href="mailto:xerte-dev-bounces@lists.nottingham.ac.uk">xerte-dev-bounces@lists.nottingham.ac.uk</a> [<a href="mailto:xerte-dev-bounces@lists.nottingham.ac.uk">mailto:xerte-dev-bounces@lists.nottingham.ac.uk</a>]
<b>On Behalf Of </b>Pat @ Pgogy<br>
<b>Sent:</b> Thursday, March 07, 2013 2:54 PM<br>
<b>To:</b> For Xerte technical developers<br>
<b>Subject:</b> [Xerte-dev] Re: SECURITY PATCH for upload.php</span><span lang="EN-GB"><o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal" style="margin-left:2.0in"><span lang="EN-GB"> <o:p></o:p></span></p>
<div>
<p class="MsoNormal" style="margin-left:2.0in"><span lang="EN-GB">Hello,<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:2.0in"><span lang="EN-GB"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:2.0in"><span lang="EN-GB">I hobble the Wordpress version deliberately to only allow a few file types but that isn't the list that full XOT needs (there is in fact, no list, hence the problem).<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:2.0in"><span lang="EN-GB"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:2.0in"><span lang="EN-GB">My reg exp is a bit flaky as well, if you copied that over.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:2.0in"><span lang="EN-GB"> <o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="margin-left:2.0in"><span lang="EN-GB">There is a sort of whitelist in the sitedetails table as the media upload properties panel page uses this - but not sure this is the XOT list.<br>
<br>
Pgogy Webstuff - <a href="http://www.pgogywebstuff.com">http://www.pgogywebstuff.com</a><o:p></o:p></span></p>
<div>
<p class="MsoNormal" style="margin-left:2.0in"><span lang="EN-GB">Makers of web things of a fair to middling quality<o:p></o:p></span></p>
</div>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:2.0in">
<span lang="EN-GB"><br>
On 7 Mar 2013, at 13:01, "Smith, John" <<a href="mailto:J.J.Smith@gcu.ac.uk">J.J.Smith@gcu.ac.uk</a>> wrote:<o:p></o:p></span></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal" style="margin-left:2.0in"><span lang="EN-GB">Hi,<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:2.0in"><span lang="EN-GB"> <o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:2.0in"><span lang="EN-GB">I’ve just committed a change to upload.php (revision 714) to stop users exploiting a system by uploading php code. I’ve added a whitelist and stuck in the same allowed file extensions that Pat
uses in the Wordpress plugins.<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:2.0in"><span lang="EN-GB"> <o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:2.0in"><span lang="EN-GB">Can someone test this and advise if there are any other media types that we want/need to allow?<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:2.0in"><span lang="EN-GB"> <o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:2.0in"><span lang="EN-GB">There was also a session check but exit(); was commented out therefore in an unpatched system ANYONE can post data to upload.php and get some code onto the server. I’ve uncommented this now but
does anyone know why it was commented out in the first place?<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:2.0in"><span lang="EN-GB"> <o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:2.0in"><span lang="EN-GB">Regards,<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:2.0in"><span lang="EN-GB"> <o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:2.0in"><span lang="EN-GB">John Smith<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:2.0in"><span lang="EN-GB">Learning Technologist<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:2.0in"><span lang="EN-GB">School of Health & Life Sciences<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:2.0in"><span lang="EN-GB">Glasgow Caledonian University<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:2.0in"><span lang="EN-GB"> <o:p></o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:2.0in">
<span lang="EN-GB" style="font-size:12.0pt;font-family:"Times New Roman","serif""><br>
</span><span lang="EN-GB" style="font-size:10.0pt;font-family:"Arial","sans-serif";color:gray">Glasgow Caledonian University is a registered Scottish charity, number SC021474<br>
<br>
Winner: Times Higher Education’s Widening Participation Initiative of the Year 2009 and Herald Society’s Education Initiative of the Year 2009.<br>
<a href="http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html">http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html</a><br>
<br>
Winner: Times Higher Education’s Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners.<br>
<a href="http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html">http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html</a></span><span lang="EN-GB"><o:p></o:p></span></p>
</div>
</blockquote>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal" style="margin-left:2.0in"><span lang="EN-GB" style="font-size:12.0pt;font-family:"Times New Roman","serif"">_______________________________________________<br>
Xerte-dev mailing list<br>
<a href="mailto:Xerte-dev@lists.nottingham.ac.uk">Xerte-dev@lists.nottingham.ac.uk</a><br>
<a href="http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev">http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev</a></span><span lang="EN-GB"><o:p></o:p></span></p>
</div>
</blockquote>
</div>
</blockquote>
</div>
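<p class="MsoNormal"><span lang="EN-GB">The two fixes John describes (an authentication check that really terminates the request, and an allowlist of upload extensions) are shown together below in a minimal hardened upload handler. This is an added example, not the code committed in revision 714 or any other part of Xerte: the session variable name, the form field name, the upload directory and the extension list are all placeholder assumptions, and the extension list is illustrative rather than the one taken from the WordPress plugins. It goes a little beyond the email in also sniffing the file content and renaming the stored file, because an extension check on the client-supplied name alone is easy to get wrong.</span></p>

```php
<?php
// Added example (not Xerte's upload.php): a minimal hardened upload handler
// demonstrating the two points from the thread, an authentication gate that
// actually exits, and an extension allowlist.
// Assumptions (placeholders, not Xerte names): the session key 'user_id',
// the form field 'filedata', and the upload directory under __DIR__.

session_start();

// 1. Authentication gate. The exit() is the whole fix: a check that only
//    logs or echoes a warning and falls through still stores the file,
//    so an anonymous POST can put arbitrary content on the server.
if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit('Not logged in');
}

// 2. Allowlist. Anything not listed is rejected. Do not maintain a denylist
//    of "dangerous" extensions (php, phtml, phar, htaccess, ...): it is
//    never complete and differs between web server configurations.
$allowed_extensions = ['jpg', 'jpeg', 'png', 'gif', 'mp3', 'mp4', 'pdf'];

// MIME types the stored bytes must match for each allowed extension. The
// client-supplied $_FILES[...]['type'] is never consulted; it is attacker
// controlled.
$allowed_mime = [
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'png'  => ['image/png'],
    'gif'  => ['image/gif'],
    'mp3'  => ['audio/mpeg'],
    'mp4'  => ['video/mp4'],
    'pdf'  => ['application/pdf'],
];

function reject(string $reason): void
{
    http_response_code(400);
    exit('Upload rejected: ' . $reason);
}

if (!isset($_FILES['filedata']) || $_FILES['filedata']['error'] !== UPLOAD_ERR_OK) {
    reject('no file or upload error');
}
$tmp = $_FILES['filedata']['tmp_name'];
if (!is_uploaded_file($tmp)) {
    reject('not an uploaded file');
}

// Only the last extension, lowercased, is compared against the allowlist.
// "shell.php.jpg" yields "jpg" and passes this test, which is why the file
// is also renamed below: some Apache mod_mime setups would otherwise run
// "shell.php.jpg" as PHP.
$original = basename($_FILES['filedata']['name']);
$ext = strtolower(pathinfo($original, PATHINFO_EXTENSION));
if (!in_array($ext, $allowed_extensions, true)) {
    reject('extension not allowed');
}

// Content check: the bytes must look like the type the extension claims.
$finfo = new finfo(FILEINFO_MIME_TYPE);
$mime = $finfo->file($tmp);
if ($mime === false || !in_array($mime, $allowed_mime[$ext], true)) {
    reject('content does not match extension');
}

// Store under a server-generated name with exactly one allowlisted
// extension, so user-controlled names (double extensions, path separators,
// .htaccess) never reach the filesystem.
$upload_dir = __DIR__ . '/uploads/' . (int) $_SESSION['user_id'] . '/';
if (!is_dir($upload_dir) && !mkdir($upload_dir, 0750, true)) {
    reject('cannot create upload directory');
}
$stored = bin2hex(random_bytes(16)) . '.' . $ext;
if (!move_uploaded_file($tmp, $upload_dir . $stored)) {
    reject('could not store file');
}
chmod($upload_dir . $stored, 0640);

header('Content-Type: application/json');
echo json_encode(['file' => $stored, 'type' => $mime]);
```

<p class="MsoNormal"><span lang="EN-GB">Two caveats a tester should keep in mind when exercising the patched upload.php: the allowlist only controls what is stored, not how the web server later serves it, so the upload directory should additionally have script execution disabled at the server level (for Apache, for example, a directory configuration that turns the PHP engine off or removes the PHP handler); and the check must compare the extension in lower case and look only at the final extension, otherwise names such as “x.PHP” or “x.jpg.php” slip past a naive string comparison.</span></p>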
</body>
</html>