[Xerte-dev] Re: Fixes last night (XOT)
Pat Lockley
patrick.lockley at googlemail.com
Tue Mar 6 09:54:44 GMT 2012
OK, so RSS feeds as well.
So if the page is an RSS page, you can add an "is_xml" check before returning.
On Tue, Mar 6, 2012 at 9:50 AM, Julian Tenney
<Julian.Tenney at nottingham.ac.uk> wrote:
> I think it can be flagged in the code as potentially useful, if people are concerned about it, but you couldn't manage a white list because we don't know what feeds users are going to try and include in their content. It could prevent access to certain sorts of files maybe?
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Ron Mitchell
> Sent: 06 March 2012 08:11
> To: 'For Xerte technical developers'
> Subject: [Xerte-dev] Re: Fixes last night (XOT)
>
> I added this to the issue page but thought I'd post here too....
>
> Not sure it's practical to have a whitelist - too many potential URLs that
> users might add to the relevant XOT page and unrealistic for someone with
> access to the code or management.php to keep adding new allowed URLs upon
> request. Isn't there a way to restrict rss_proxy.php so that it can't be
> accessed via browser and can only be called from relevant XOT code?
>
> Sorry, I might be misunderstanding the risk, but in a big college or
> University I can't see it being practical to have and manage a whitelist.
>
> HTH
> Ron
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk
> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of David Goodwin
> Sent: 06 March 2012 07:38
> To: For Xerte technical developers
> Subject: [Xerte-dev] Fixes last night (XOT)
>
> Hi
>
> I made some fixes to XOT trunk last night - so you can at least install and
> log in as a new user. (I did a full install and used demo.php to log in.)
> Again, this breakage was due to merging by the looks of it.
>
> The installer will now remove any existing xerte db tables if they exist
> before trying to create them.
>
> The installer now tries to strongly suggest to people that they delete the
> setup folder. Can we change the installer so it aborts if someone has an
> existing database.php file or something, making deletion unnecessary?
> (Obviously I can code it to - but is this an OK thing to do?)
>
>
> I've also created an issue on the Google issue tracker covering a security
> problem in proxy_rss.php. Does XOT store a list of all remote URLs someone
> may want to request anywhere so we can have a whitelist of good URLs? At
> the moment someone can use proxy_rss.php to fetch any remote URL.
>
> Thanks
> David
>
> David Goodwin
> Pale Purple Ltd.
> http://www.palepurple.co.uk
> 0845 0046746
> 07792 380669
> _______________________________________________
> Xerte-dev mailing list
> Xerte-dev at lists.nottingham.ac.uk
> http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev
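Pat's "is_xml" check, together with the thread's concern that the proxy will fetch any remote URL, as an added example written for this discussion and not XOT's own rss_proxy.php code. It assumes the proxy runs on PHP with the curl extension and receives the feed URL as a string; the function and parameter names are hypothetical.

```php
<?php
// Added example, not XOT's own code. Assumes the proxy receives the feed URL
// as a string and returns the body (or null) to the caller that echoes it.

// Accept only http(s) URLs whose host resolves to public IPv4 addresses, so
// the proxy cannot be aimed at localhost or internal services. Caveat: the
// check-then-fetch gap still leaves a DNS rebinding window.
function is_public_http_url(string $url): bool {
    $p = parse_url($url);
    if ($p === false || empty($p['host'])
        || !in_array($p['scheme'] ?? '', ['http', 'https'], true)) { return false; }
    $ips = gethostbynamel($p['host']) ?: [];
    if ($ips === []) { return false; }
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    foreach ($ips as $ip) {
        if (filter_var($ip, FILTER_VALIDATE_IP, $flags) === false) { return false; }
    }
    return true;
}

// Pat's "is_xml" check: the body must parse as XML and have an RSS 2.0, Atom
// or RSS 1.0 root element. LIBXML_NONET stops the parser fetching remote DTDs.
function is_xml_feed(string $body): bool {
    $prev = libxml_use_internal_errors(true);
    $doc = simplexml_load_string($body, 'SimpleXMLElement', LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    return $doc !== false && in_array($doc->getName(), ['rss', 'feed', 'RDF'], true);
}

// Fetch with redirects disabled (a 3xx could point back inside the network),
// protocols pinned to http(s), and bounded time and size; return null on any
// failure so the caller never relays a non-feed response to the browser.
function fetch_feed(string $url, int $maxBytes = 1048576): ?string {
    if (!is_public_http_url($url)) { return null; }
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_CONNECTTIMEOUT => 5, CURLOPT_TIMEOUT => 10,
        CURLOPT_MAXFILESIZE    => $maxBytes,
    ]);
    $body = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);
    return ($body !== false && $status === 200 && is_xml_feed($body)) ? $body : null;
}
```

Wired into the proxy script, a null return becomes a 4xx response and only a non-null body is echoed back with an XML content type.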