[Xerte-dev] Re: Fixes last night (XOT)
Julian Tenney
Julian.Tenney at nottingham.ac.uk
Tue Mar 6 09:50:48 GMT 2012
I think it can be flagged in the code as potentially useful, if people are concerned about it, but you couldn't manage a white list because we don't know what feeds users are going to try and include in their content. It could prevent access to certain sorts of files maybe?
-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Ron Mitchell
Sent: 06 March 2012 08:11
To: 'For Xerte technical developers'
Subject: [Xerte-dev] Re: Fixes last night (XOT)
I added this to the issue page but thought I'd post here too....
Not sure it's practical to have a whitelist - too many potential urls that
users might add to the relevant XOT page and unrealistic for someone with
access to the code or management.php to keep adding new allowed url's upon
request. Isn't there a way to restrict rss_proxy.php so that it can't be
accessed via browser and can only be called from relevant XOT code?
Sorry I might be mis-understanding the risk but in a big college or
University I can't see it being practical to have and manage a whitelist.
HTH
Ron
-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk
[mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of David Goodwin
Sent: 06 March 2012 07:38
To: For Xerte technical developers
Subject: [Xerte-dev] Fixes last night (XOT)
Hi
I made some fixes to XOT trunk last night - so you can at least install and
login as a new user. (I did a full install and used demo.php to login).
Again this breakage was due to merging by the looks of it.
The installer will now remove any existing xerte db tables if they exist
before trying to create then.
The installer now tries to strongly suggest to people that they delete the
setup folder. Can we change the installer so it aborts if someone has an
existing database.php file or something so making deletion unnecessary?
(obviously I can code it to - but is this an ok thing to do ?)
I've also created an issue on the google issue tracker covering a security
problem in proxy_rss.php. Does XOT store a list of all remote urls someone
may want to request anywhere so we can have a whitelist of good urls - at
the moment someone can use proxy_rss.php to fetch any remote URL.
Thanks
David
David Goodwin
Pale Purple Ltd.
http://www.palepurple.co.uk
0845 0046746
07792 380669
_______________________________________________
Xerte-dev mailing list
Xerte-dev at lists.nottingham.ac.uk
http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev
This message and any attachment are intended solely for the addressee and
may contain confidential information. If you have received this message in
error, please send it back to me, and immediately delete it. Please do not
use, copy or disclose the information contained in this message or in any
attachment. Any views or opinions expressed by the author of this email do
not necessarily reflect the views of the University of Nottingham.
This message has been checked for viruses but the contents of an attachment
may still contain software viruses which could damage your computer system:
you are advised to perform your own checks. Email communications with the
University of Nottingham may be monitored as permitted by UK legislation.
_______________________________________________
Xerte-dev mailing list
Xerte-dev at lists.nottingham.ac.uk
http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev
More information about the Xerte-dev
mailing list