<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div>With mime type warnings?</div><div><br></div><div>Security settings?</div><div><br></div><div>I'd suggest putting mimetype checking in the upload, but not sure you want it more secure</div><div><br>On 22 May 2013, at 12:48, Julian Tenney <<a href="mailto:Julian.Tenney@nottingham.ac.uk">Julian.Tenney@nottingham.ac.uk</a>> wrote:<br><br></div><blockquote type="cite"><div><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><meta name="Generator" content="Microsoft Word 14 (filtered medium)"><style><!--
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--><div class="WordSection1"><p class="MsoNormal"><span style="color:#1F497D">It works in Firefox, Chrome and IE…<o:p></o:p></span></p><p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p><div><div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm"><p class="MsoNormal"><b><span lang="EN-US" style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span lang="EN-US" style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> <a href="mailto:xerte-dev-bounces@lists.nottingham.ac.uk">xerte-dev-bounces@lists.nottingham.ac.uk</a> [<a href="mailto:xerte-dev-bounces@lists.nottingham.ac.uk">mailto:xerte-dev-bounces@lists.nottingham.ac.uk</a>] <b>On Behalf Of </b>Pat @ Pgogy <br><b>Sent:</b> 22 May 2013 12:25<br><b>To:</b> For Xerte technical developers<br><b>Subject:</b> [Xerte-dev] Re: Upload and security<o:p></o:p></span></p></div></div><p class="MsoNormal"><o:p> </o:p></p><div><p class="MsoNormal">I would expect some browsers will bork at that<o:p></o:p></p></div><div><p class="MsoNormal" style="margin-bottom:12.0pt"><br>On 22 May 2013, at 12:05, Julian Tenney <<a href="mailto:Julian.Tenney@nottingham.ac.uk">Julian.Tenney@nottingham.ac.uk</a>> wrote:<o:p></o:p></p></div><blockquote style="margin-top:5.0pt;margin-bottom:5.0pt"><div><p class="MsoNormal"><span style="color:#1F497D">&lt;script src=<a href="http://www.nottingham.ac.uk/toolkits/blah/myScript.jpg">http://www.nottingham.ac.uk/toolkits/blah/myScript.jpg</a>/&gt;</span><o:p></o:p></p><p class="MsoNormal"><span style="color:#1F497D"> </span><o:p></o:p></p><div><div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm"><p class="MsoNormal"><b><span lang="EN-US" style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span lang="EN-US" style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> <a 
href="mailto:xerte-dev-bounces@lists.nottingham.ac.uk">xerte-dev-bounces@lists.nottingham.ac.uk</a> [<a href="mailto:xerte-dev-bounces@lists.nottingham.ac.uk">mailto:xerte-dev-bounces@lists.nottingham.ac.uk</a>] <b>On Behalf Of </b>Pat @ Pgogy <br><b>Sent:</b> 22 May 2013 11:34<br><b>To:</b> For Xerte technical developers<br><b>Subject:</b> [Xerte-dev] Re: Upload and security</span><o:p></o:p></p></div></div><p class="MsoNormal"> <o:p></o:p></p><div><p class="MsoNormal">Disguise in what way?<o:p></o:p></p></div><div><p class="MsoNormal" style="margin-bottom:12.0pt"><br>On 22 May 2013, at 11:01, Julian Tenney <<a href="mailto:Julian.Tenney@nottingham.ac.uk">Julian.Tenney@nottingham.ac.uk</a>> wrote:<o:p></o:p></p></div><blockquote style="margin-top:5.0pt;margin-bottom:5.0pt"><div><p class="MsoNormal"><span style="color:#1F497D">Is it the case now that only logged in users can run anything through upload.php?</span><o:p></o:p></p><p class="MsoNormal"><span style="color:#1F497D"> </span><o:p></o:p></p><p class="MsoNormal"><span style="color:#1F497D">Otherwise it’s not just javascript you can disguise, but anything else. 
I’d be happy with uploading javascript being limited to authorised users, it’s people clobbering the system from outside that worries me.</span><o:p></o:p></p><p class="MsoNormal"><span style="color:#1F497D"> </span><o:p></o:p></p><div><div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm"><p class="MsoNormal"><b><span lang="EN-US" style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span lang="EN-US" style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> <a href="mailto:xerte-dev-bounces@lists.nottingham.ac.uk">xerte-dev-bounces@lists.nottingham.ac.uk</a> [<a href="mailto:xerte-dev-bounces@lists.nottingham.ac.uk">mailto:xerte-dev-bounces@lists.nottingham.ac.uk</a>] <b>On Behalf Of </b>Smith, John<br><b>Sent:</b> 22 May 2013 10:42<br><b>To:</b> For Xerte technical developers<br><b>Subject:</b> [Xerte-dev] Re: Upload and security</span><o:p></o:p></p></div></div><p class="MsoNormal"> <o:p></o:p></p><p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">.js extension is in the blacklist but as Julian has proved it is a bit pointless…</span><o:p></o:p></p><p class="MsoNormal"><span lang="EN-US" style="color:#1F497D"> </span><o:p></o:p></p><p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">What we need is to whitelist and do some form of mime detection, but I’ve not been able to get anything working reliably yet…</span><o:p></o:p></p><div><p class="MsoNormal"><span lang="EN-US" style="color:#1F497D"> </span><o:p></o:p></p><p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">Regards,</span><o:p></o:p></p><p class="MsoNormal"><span lang="EN-US" style="color:#1F497D"> </span><o:p></o:p></p><p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">John Smith</span><o:p></o:p></p><p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">Learning Technologist</span><o:p></o:p></p><p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">School of Health & Life 
Sciences</span><o:p></o:p></p><p class="MsoNormal"><span lang="EN-US" style="color:#1F497D">Glasgow Caledonian University</span><o:p></o:p></p></div><p class="MsoNormal"><span lang="EN-US" style="color:#1F497D"> </span><o:p></o:p></p><div><div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm"><p class="MsoNormal"><b><span lang="EN-US" style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span lang="EN-US" style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> <a href="mailto:xerte-dev-bounces@lists.nottingham.ac.uk">xerte-dev-bounces@lists.nottingham.ac.uk</a> [<a href="mailto:xerte-dev-bounces@lists.nottingham.ac.uk">mailto:xerte-dev-bounces@lists.nottingham.ac.uk</a>] <b>On Behalf Of </b>Pat @ Pgogy <br><b>Sent:</b> Wednesday, May 22, 2013 9:59 AM<br><b>To:</b> For Xerte technical developers<br><b>Subject:</b> [Xerte-dev] Re: Upload and security</span><o:p></o:p></p></div></div><p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p><div><p class="MsoNormal"><span lang="EN-US">JavaScript is in the banned list I think</span><o:p></o:p></p></div><div><p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p></div><div><p class="MsoNormal"><span lang="EN-US">I'd ask what you want the bootstrap to be - a mini website for Non-techies or a sort of techie play space?</span><o:p></o:p></p></div><div><p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p></div><div><p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p></div><div><p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="EN-US"><br>On 21 May 2013, at 10:00, Julian Tenney <<a href="mailto:Julian.Tenney@nottingham.ac.uk">Julian.Tenney@nottingham.ac.uk</a>> wrote:</span><o:p></o:p></p></div><blockquote style="margin-top:5.0pt;margin-bottom:5.0pt"><div><p class="MsoNormal"><span lang="EN-US">Just reprising a recent conversation about uploading javascript. You guys weren’t keen. 
I just uploaded a txt file with javascript in it, loaded via a script tag in the bootstrap template and it – of course – executes, but we knew that anyway.</span><o:p></o:p></p><p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p><p class="MsoNormal"><span lang="EN-US">Is it the case that only authorised users – those logged in – can get anything through upload.php? Should authorised users be able to upload javascript?</span><o:p></o:p></p><p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p><p class="MsoNormal"><span lang="EN-US">Second and slightly related question, playing around with the bootstrap template wizard: I got it adding canvas, and thought about other useful building blocks for developers. You could define them in a text icon &lt;canvas width="500" height="350"/&gt; and then script them from a script icon, so are we gaining anything at the expense of confusing users who don’t know what scripts and canvases do? I just thought ‘well, where does it end? Divs, styles, etc’ and we can do it all with text anyway. 
But in looking at some of this stuff, it would really be handy to be able to upload scripts, because writing anything more than trivial in the wizard is going to be gribbly.</span><o:p></o:p></p><p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p><p class="MsoNormal"><span lang="EN-US">What do you think?</span><o:p></o:p></p><p class="MsoNormal"><span lang="EN-US"> </span><o:p></o:p></p><p class="MsoNormal"><span lang="EN-US"><image001.png></span><o:p></o:p></p></div></blockquote><blockquote style="margin-top:5.0pt;margin-bottom:5.0pt"><div><p class="MsoNormal"><span lang="EN-US" style="font-size:12.0pt;font-family:"Times New Roman","serif"">_______________________________________________<br>Xerte-dev mailing list<br><a href="mailto:Xerte-dev@lists.nottingham.ac.uk">Xerte-dev@lists.nottingham.ac.uk</a><br><a href="http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev">http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev</a></span><o:p></o:p></p></div></blockquote><p class="MsoNormal"><span lang="EN-US" style="font-size:12.0pt;font-family:"Times New Roman","serif""> </span><o:p></o:p></p><p><span lang="EN-US">This message and any attachment are intended solely for the addressee and may contain confidential information. If you have received this message in error, please send it back to me, and immediately delete it. Please do not use, copy or disclose the information contained in this message or in any attachment. Any views or opinions expressed by the author of this email do not necessarily reflect the views of the University of Nottingham.</span><o:p></o:p></p><p><span lang="EN-US">This message has been checked for viruses but the contents of an attachment may still contain software viruses which could damage your computer system, you are advised to perform your own checks. 
Email communications with the University of Nottingham may be monitored as permitted by UK legislation.</span><o:p></o:p></p><p class="MsoNormal"><span lang="EN-US" style="font-size:12.0pt;font-family:"Times New Roman","serif""> </span><o:p></o:p></p><p class="MsoNormal"><span lang="EN-US" style="font-size:12.0pt;font-family:"Times New Roman","serif""><br></span><span lang="EN-US" style="font-size:10.0pt;font-family:"Arial","sans-serif";color:gray">Glasgow Caledonian University is a registered Scottish charity, number SC021474<br><br>Winner: Times Higher Education’s Widening Participation Initiative of the Year 2009 and Herald Society’s Education Initiative of the Year 2009.<br><a href="http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html">http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html</a><br><br>Winner: Times Higher Education’s Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners.<br><a href="http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html">http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html</a></span><o:p></o:p></p></div></blockquote><blockquote style="margin-top:5.0pt;margin-bottom:5.0pt"><div><p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Times New Roman","serif"">_______________________________________________<br>Xerte-dev mailing list<br><a href="mailto:Xerte-dev@lists.nottingham.ac.uk">Xerte-dev@lists.nottingham.ac.uk</a><br><a href="http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev">http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev</a></span><o:p></o:p></p></div></blockquote></div></blockquote><blockquote style="margin-top:5.0pt;margin-bottom:5.0pt"><div><p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Times New Roman","serif"">_______________________________________________<br>Xerte-dev mailing list<br><a 
href="mailto:Xerte-dev@lists.nottingham.ac.uk">Xerte-dev@lists.nottingham.ac.uk</a><br><a href="http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev">http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev</a><o:p></o:p></span></p></div></blockquote></div></div></blockquote><blockquote type="cite"><div><span>_______________________________________________</span><br><span>Xerte-dev mailing list</span><br><span><a href="mailto:Xerte-dev@lists.nottingham.ac.uk">Xerte-dev@lists.nottingham.ac.uk</a></span><br><span><a href="http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev">http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev</a></span><br></div></blockquote></body></html>
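The whitelist-plus-MIME-detection check that John says is needed, and that the top reply suggests putting into the upload, written out as an added example in PHP (the language of upload.php). This is not Xerte's code: the table of allowed types, the function names, the storage-name scheme and the three sample files are assumptions made for this example. The point it shows is that libmagic classifies bytes, not names, so the renamed script from the thread is reported as text/plain and refused even though its extension is on the whitelist.

```php
<?php
// Added example, not code from Xerte's upload.php. Pairs an extension
// whitelist with libmagic content detection so that a JavaScript file
// renamed to .txt or .jpg is rejected regardless of what it is called.
// ALLOWED_TYPES, the function names and the demo files are assumptions.

// Extension => MIME type(s) libmagic should report for a genuine file of
// that kind. Anything not listed (.js, .txt, .html, .php, .svg ...) is refused.
const ALLOWED_TYPES = [
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'png'  => ['image/png'],
    'gif'  => ['image/gif'],
    'pdf'  => ['application/pdf'],
];

// Ask libmagic what the bytes are. The client-supplied name is never passed
// to it, so the verdict cannot be steered by renaming the file.
function detect_mime(string $path): string
{
    $finfo = finfo_open(FILEINFO_MIME_TYPE);
    $mime  = finfo_file($finfo, $path);
    finfo_close($finfo);
    return $mime === false ? 'application/octet-stream' : $mime;
}

// Returns null when the upload may be kept, otherwise the reason it is refused.
// In a handler this would be called with $_FILES['f']['name'] and
// $_FILES['f']['tmp_name'] after is_uploaded_file() has passed.
function upload_rejection(string $clientName, string $tmpPath): ?string
{
    // Only the final extension is consulted; "evil.php.jpg" is judged as .jpg
    // and must then also look like a JPEG to libmagic.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if ($ext === '' || !array_key_exists($ext, ALLOWED_TYPES)) {
        return "extension '" . $ext . "' is not whitelisted";
    }
    $mime = detect_mime($tmpPath);
    if (!in_array($mime, ALLOWED_TYPES[$ext], true)) {
        return "content is " . $mime . ", which is not valid for ." . $ext;
    }
    return null;
}

// Never store under the client's name: a server-chosen random name with the
// whitelisted extension removes double extensions and path tricks at once.
function storage_name(string $clientName): string
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

function write_temp(string $bytes): string
{
    $path = tempnam(sys_get_temp_dir(), 'upl');
    file_put_contents($path, $bytes);
    return $path;
}

// Constructed demo inputs: a minimal JPEG header, the same JavaScript saved
// once as a .txt and once renamed to .jpg (the trick from the thread).
$samples = [
    'photo.jpg'    => "\xFF\xD8\xFF\xE0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00",
    'notes.txt'    => "alert(document.cookie);\n",
    'myScript.jpg' => "alert(document.cookie);\n",
];

foreach ($samples as $name => $bytes) {
    $tmp = write_temp($bytes);
    $why = upload_rejection($name, $tmp);
    if ($why === null) {
        echo $name, ': accepted, would be stored as ', storage_name($name), PHP_EOL;
    } else {
        echo $name, ': rejected (', $why, ')', PHP_EOL;
    }
    unlink($tmp);
}
```

Two caveats a practitioner would want alongside this. First, the check decides only what gets stored; a file already on disk is still run by `<script src="…/myScript.jpg">`, because a script element executes whatever it is pointed at. Serving the upload directory with `X-Content-Type-Options: nosniff` and a correct, non-script Content-Type makes current browsers refuse to execute it. Second, libmagic cannot catch a polyglot: a real JPEG with JavaScript appended still reports as image/jpeg, so the uploaded file must never be in a path the server would execute, and JavaScript uploads, if permitted at all, should stay limited to logged-in users as discussed above.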