[Xerte-dev] Re: SECURITY PATCH for upload.php
Tom Reijnders
reijnders at tor.nl
Mon Mar 25 17:50:03 GMT 2013
If the buttons don't refresh properly, it is due to my changes with the
buttons.
I replaced all image buttons by html buttons. That should be in SVN 727,
but I can see it's not in this one (the links should be buttons as well
as shown below).
Am I using the correct JISC xot?
Tom
On 25-3-2013 18:09, Ron Mitchell wrote:
>
> Hi John
>
> I've just updated the Techdis /xot install to R734 which obviously
> uses Moodle authentication and uploading via a graphics and sound page
> seems to work fine now whereas as you know it didn't before.
>
> However I'm not sure whether it's due to your update or the recent
> update by others but I notice that there's now no state change on the
> workspace buttons when a project is selected e.g. they still work but
> remain greyed out
>
> HTH
>
> Ron
>
> -----Original Message-----
> From: xerte-dev-bounces at lists.nottingham.ac.uk
> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
> Sent: 25 March 2013 16:02
> To: For Xerte technical developers
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Hi all,
>
> Sorry it's been a while getting to this again but I seem to have made
> some headway.
>
> I've been able to figure out how to jump start the Moodle session also
> in upload.php and it has worked in my tests but would love to see how
> it fares in the real world. Would someone be able to test this for me?
> I've committed changes (some to edit.php too) as R734.
>
> Regards,
>
> John Smith
>
> Learning Technologist
>
> School of Health & Life Sciences
>
> Glasgow Caledonian University
>
> -----Original Message-----
>
> From: xerte-dev-bounces at lists.nottingham.ac.uk
> <mailto:xerte-dev-bounces at lists.nottingham.ac.uk>
> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
>
> Sent: Friday, March 15, 2013 11:39 AM
>
> To: For Xerte technical developers
>
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Worth a try!! So we have to support Firefox AND Moodle - there's that
> wagging dog again ;-)
>
> Leave it with me - once I get moodle integration working I'll take a
> look at the moodle session and see if we do anything...
>
> Regards,
>
> John Smith
>
> Learning Technologist
>
> School of Health & Life Sciences
>
> Glasgow Caledonian University
>
> -----Original Message-----
>
> From: xerte-dev-bounces at lists.nottingham.ac.uk
> <mailto:xerte-dev-bounces at lists.nottingham.ac.uk>
> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian
> Tenney
>
> Sent: Friday, March 15, 2013 11:21 AM
>
> To: For Xerte technical developers
>
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> No, we have to support Firefox, but you know that already!
>
> -----Original Message-----
>
> From: xerte-dev-bounces at lists.nottingham.ac.uk
> <mailto:xerte-dev-bounces at lists.nottingham.ac.uk>
> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
>
> Sent: 15 March 2013 10:14
>
> To: xerte-dev at lists.nottingham.ac.uk
> <mailto:xerte-dev at lists.nottingham.ac.uk>
>
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> True but Moodle is a red herring here...
>
> The problem is Firefox - it is the tail... If you can live without
> Firefox being supported, only in the editor, then we can probably keep
> Moodle auth as is...
>
> Depends who you want to keep happiest...
>
> Regards
>
> John Smith
>
> Learning Technologist
>
> School of Health and Life Sciences
>
> Sent from Samsung Galaxy SII
>
> Julian Tenney <Julian.Tenney at nottingham.ac.uk
> <mailto:Julian.Tenney at nottingham.ac.uk>> wrote:
>
> Hmm. Keen not to have a 'tail wags dog' thing here, if moodle is the
> problem, then I think that's what we should fix.
>
> -----Original Message-----
>
> From: xerte-dev-bounces at lists.nottingham.ac.uk
> <mailto:xerte-dev-bounces at lists.nottingham.ac.uk>
> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
>
> Sent: 15 March 2013 09:10
>
> To: xerte-dev at lists.nottingham.ac.uk
> <mailto:xerte-dev at lists.nottingham.ac.uk>
>
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> The way the Moodle authentication works - it's so complicated that
> there is no way to restart it in upload when we are using Firefox...
> The upload script as reported by Ron does work as long as we're not
> using Moodle
>
> As I said we can check for Moodle auth and simply not check for
> session but that still leaves a gaping hole...
>
> Bootstrapping the upload via js 'should' allow config.php to handle
> the session as it does on other pages...
>
> Regards
>
> John Smith
>
> Learning Technologist
>
> School of Health and Life Sciences
>
> Sent from Samsung Galaxy SII
>
> Julian Tenney <Julian.Tenney at nottingham.ac.uk
> <mailto:Julian.Tenney at nottingham.ac.uk>> wrote:
>
> So is the problem the upload script, or the way the moodle
> authentication works?
>
> -----Original Message-----
>
> From: xerte-dev-bounces at lists.nottingham.ac.uk
> <mailto:xerte-dev-bounces at lists.nottingham.ac.uk>
> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
>
> Sent: 14 March 2013 16:41
>
> To: For Xerte technical developers
>
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Yes, Flash seems to already add &sessionid to the end of the query
> string and if I take that and use session_id(querystringsessionid)
> before calling session_start() then it works...
>
> If I rely on the session start in config.php then it doesn't execute
> if using moodle authentication and so the session check fails...
>
> Just thought though that I was still checking the xerte session
> variable whereas if I can find a moodle one to check then it 'might'
> still work...
>
> Only problem is that I don't have a working moodle install?!? Well I
> do - on a pen drive copied from someone in Nottingham (Thomas?) but I
> don't know the password to login to moodle... was there a default
> password?? anyone??
>
> Regards,
>
> John Smith
>
> Learning Technologist
>
> School of Health & Life Sciences
>
> Glasgow Caledonian University
>
> -----Original Message-----
>
> From: xerte-dev-bounces at lists.nottingham.ac.uk
> <mailto:xerte-dev-bounces at lists.nottingham.ac.uk>
> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian
> Tenney
>
> Sent: Thursday, March 14, 2013 4:24 PM
>
> To: For Xerte technical developers
>
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Is it the case that you got it working in all browsers EXCEPT when
> using moodle authentication?
>
> -----Original Message-----
>
> From: xerte-dev-bounces at lists.nottingham.ac.uk
> <mailto:xerte-dev-bounces at lists.nottingham.ac.uk>
> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
>
> Sent: 14 March 2013 16:22
>
> To: For Xerte technical developers
>
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> I'm sure if upload.php knows that it's Firefox and then checks the
> authentication method then it can set the passed session id IF NOT
> moodle but then we might have to bypass the session check if not
> Moodle... not really a solution...
>
> I think we might have to resort to js though...
>
> Regards,
>
> John Smith
>
> Learning Technologist
>
> School of Health & Life Sciences
>
> Glasgow Caledonian University
>
> -----Original Message-----
>
> From: xerte-dev-bounces at lists.nottingham.ac.uk
> <mailto:xerte-dev-bounces at lists.nottingham.ac.uk>
> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian
> Tenney
>
> Sent: Thursday, March 14, 2013 4:12 PM
>
> To: For Xerte technical developers
>
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Do you think we should take Flash out of the picture and call some JS
> from the wizard swf? We can still do some sort of progress /
> notification stuff I think. All you need to pass to upload is the
> file's path on the local machine, right?
>
> This has got to be sortable though, surely, but if it's gribbly and
> there's an alternative, let's do that.
>
> -----Original Message-----
>
> From: xerte-dev-bounces at lists.nottingham.ac.uk
> <mailto:xerte-dev-bounces at lists.nottingham.ac.uk>
> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
>
> Sent: 13 March 2013 11:30
>
> To: xerte-dev at lists.nottingham.ac.uk
> <mailto:xerte-dev at lists.nottingham.ac.uk>
>
> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> Hi Pat
>
> Yeah it's the Firefox Flash Cookie thing that's the real ball
> breaker... we are still including config.php BUT...
>
> If we are in Firefox and include config.php before setting the session
> id then when config starts session we get a new session id
>
> Until we start session in upload.php though we can't tell if we are in
> firefox or using moodle..
>
> I suppose we can add some more complex logic as you say which checks
> what authentication method we are using and does whatever is
> required... We might need to indicate from flash though what browser
> we are using otherwise we might still miss one of the options - Using
> Firefox with moodle authentication I think cannot be detected at
> present...
>
> Regards
>
> John Smith
>
> Learning Technologist
>
> School of Health and Life Sciences
>
> Sent from Samsung Galaxy SII
>
> "Pat @ Pgogy" <xerte at pgogywebstuff.com
> <mailto:xerte at pgogywebstuff.com>> wrote:
>
> Try including config.php or doing a MySQL select db back to the xerte
> db, that fixed most of the moodle problems before
>
> Pgogy Webstuff - http://www.pgogywebstuff.com Makers of web things of
> a fair to middling quality
>
> On 12 Mar 2013, at 21:20, "Smith, John" <J.J.Smith at gcu.ac.uk
> <mailto:J.J.Smith at gcu.ac.uk>> wrote:
>
> > Hi Ron,
>
> >
>
> > Hmmm there is some session restart code although it should be
> restarting the same session as the session id is being passed from
> Flash... I wonder why it's killing Moodle session though and none of
> the others... very strange - I'll revert the changes back while we
> investigate...damn though we had almost cracked it...
>
> >
>
> > Regards,
>
> >
>
> > John Smith | Learning Technologist
>
> > Room A251, Govan Mbeki Building | School of Health & Life Sciences |
>
> > Glasgow Caledonian University Cowcaddens Road | Glasgow | G4 0BA
>
> > ________________________________________
>
> > From: xerte-dev-bounces at lists.nottingham.ac.uk
> <mailto:xerte-dev-bounces at lists.nottingham.ac.uk>
>
> > [xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Ron Mitchell
>
> > [ronm at mitchellmedia.co.uk]
>
> > Sent: 12 March 2013 20:31
>
> > To: 'For Xerte technical developers'
>
> > Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> >
>
> > Hi John
>
> > I tested further and the issue only seems to occur with Moodle
> authentication enabled. Uploading works fine with guest authentication
> and static authentication. I can't easily test LDAP authentication.
>
> >
>
> > So I guess this is either session related or a js clash?
>
> >
>
> > Have you added any session start code that's perhaps killing the
> Moodle session? You have access to the /xot install to check js via
> console etc and I've set it back to use Moodle authentication so at
> the moment it's easy to replicate the issue.
>
> >
>
> > I know this is probably going to raise the old chestnut about Moodle
> integration etc but obviously all worked fine prior to the recent
> changes and does when reverting back too.
>
> >
>
> > Cheers
>
> > Ron
>
> >
>
> > -----Original Message-----
>
> > From: xerte-dev-bounces at lists.nottingham.ac.uk
> <mailto:xerte-dev-bounces at lists.nottingham.ac.uk>
>
> > [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Ron
>
> > Mitchell
>
> > Sent: 12 March 2013 20:17
>
> > To: 'For Xerte technical developers'
>
> > Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> >
>
> > Hi John
>
> > Alistair reported that it was happening with Chrome and IE. I'm not
> sure what browser Simon was using but I tested via IE9 and was able to
> reproduce. But...
>
> >
>
> > I'm almost hesitant to mention this...
>
> >
>
> > I'd updated my own install which worked fine so I started thinking
> about what the differences are and apart from server differences a key
> difference is that the Techdis installs are using Moodle for
> authentication. I switched the xot install to guest and still got the
> problem. I then removed the integration path via management, logged
> back in and was able to upload ok. I then switched back to Moodle
> authentication and put the integration path back in and was still able
> to upload. So intermittent results at the moment but it does seem like
> it could be session related. I'm only online until about 9pm tonight
> but will test further and again in the morning.
>
> >
>
> > Cheers
>
> > Ron
>
> >
>
> > -----Original Message-----
>
> > From: xerte-dev-bounces at lists.nottingham.ac.uk
> <mailto:xerte-dev-bounces at lists.nottingham.ac.uk>
>
> > [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith,
>
> > John
>
> > Sent: 12 March 2013 19:56
>
> > To: xerte-dev at lists.nottingham.ac.uk
> <mailto:xerte-dev at lists.nottingham.ac.uk>
>
> > Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> >
>
> > Hi Ron
>
> >
>
> > Do you know if this is using Firefox or one of the other browsers?
> I've tested it using several of the models (albeit on Xampp - not sure
> what setup Julian tested it on) in the 3 mainstream browsers and it's
> been working fine, except for the erroneous messages which we are
> still trying to figure out the best way to catch them in Flash...
>
> >
>
> > I'll patch one in an hour or so and if you could try it out then it
> might give us a clue as to whether it's the session problem or
> something else...
>
> >
>
> > Regards
>
> >
>
> > John Smith
>
> > Learning Technologist
>
> > School of Health and Life Sciences
>
> >
>
> > Sent from Samsung Galaxy SII
>
> >
>
> >
>
> >
>
> > Ron Mitchell <ronm at mitchellmedia.co.uk
> <mailto:ronm at mitchellmedia.co.uk>> wrote:
>
> >
>
> >
>
> > Hi
>
> > sorry been quiet for a week or so (on holiday) but back now and
> updated the Techdis installations from svn (not sandpit) and Alistair
> and Simon reported issues with uploading images. I reverted one
> installation back and that worked again but I've left the latest code
> in the /xot test install which doesn't work. Basically uploads seem to
> work ok via media & quota but not via a graphics and sound page for
> instance. The image appears to upload and an upload successful prompt
> appears but the image doesn't actually upload. Any ideas?
>
> > Ron
>
> >
>
> > From: xerte-dev-bounces at lists.nottingham.ac.uk
> <mailto:xerte-dev-bounces at lists.nottingham.ac.uk>
>
> > [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian
>
> > Tenney
>
> > Sent: 11 March 2013 16:18
>
> > To: For Xerte technical developers
>
> > Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> >
>
> >
>
> > There's no more detail: here's a screenshot showing the code and the
> relevant events to the left. onComplete means 'successfully uploaded',
> so the answer will lie in the upload.php and whether, if uploading
> fails, it's reflected back in the Flash stuff.
>
> >
>
> >
>
> >
>
> > I've added some alerts for now so you can see what gets tripped, we
>
> > can take these out later, and I've committed the wizard with these in,
>
> >
>
> >
>
> >
>
> > listener.onComplete = function(file:FileReference):Void {
> >     Alert.show("Upload successful");
> >     --etc--
> > }
> >
> > listener.onHTTPError = function(file:FileReference):Void {
> >     Alert.show("Upload failed: HTTPError");
> >     --etc--
> > }
> >
> > listener.onIOError = function(file:FileReference):Void {
> >     Alert.show("Upload failed: IOError");
> >     --etc--
> > }
> >
> > listener.onSecurityError = function(file:FileReference, errorString:String):Void {
> >     Alert.show("Upload failed: Security Error");
> >     --etc--
> > }
>
> >
>
> >
>
> >
>
> > -----Original Message-----
>
> > From: xerte-dev-bounces at lists.nottingham.ac.uk
> > [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
>
> > Sent: 11 March 2013 15:42
>
> > To: For Xerte technical developers
>
> > Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> >
>
> >
>
> >
>
> > Are you using FileReference class? This code snippet suggests you can
>
> > extract data from the DataEvent object in the UPLOAD_COMPLETE_DATA
>
> > with var strData:String = StringUtil.trim(evt.data);
>
> >
>
> >
>
> >
>
> >
>
> >
>
> >
>
> >
>
> > private function init():void {
> >     fileRef = new FileReference();
> >     fileRef.addEventListener(Event.SELECT, fileRef_select);
> >     fileRef.addEventListener(Event.COMPLETE, fileRef_complete);
> >     fileRef.addEventListener(IOErrorEvent.IO_ERROR, fileRef_ioError);
> >     fileRef.addEventListener(DataEvent.UPLOAD_COMPLETE_DATA, fileRef_uploadCompleteData);
> >
> >     urlReq = new URLRequest();
> >     urlReq.url = "http://localhost:8300/fileref/uploader.cfm";
> > }
> >
> > private function fileRef_uploadCompleteData(evt:DataEvent):void {
> >     var strData:String = StringUtil.trim(evt.data);
> >     var vars:URLVariables = new URLVariables(strData);
> >     Alert.show(vars.fileName, "fileName");
> > }
>
> >
>
> >
>
> >
>
> >
>
> >
>
> > Regards,
>
> >
>
> >
>
> >
>
> > John Smith
>
> >
>
> > Learning Technologist
>
> >
>
> > School of Health & Life Sciences
>
> >
>
> > Glasgow Caledonian University
>
> >
>
> >
>
> >
>
> >
>
> >
>
> > -----Original Message-----
>
> >
>
> > From: xerte-dev-bounces at lists.nottingham.ac.uk
> > [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
>
> >
>
> > Sent: Monday, March 11, 2013 3:19 PM
>
> >
>
> > To: For Xerte technical developers
>
> >
>
> > Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> >
>
> >
>
> >
>
> > Yeah it should because the upload page completes... you could try
> sticking a number in the exit function for the blacklist and see if
> you can get the number, exit(5); for example...
>
> >
>
> >
>
> >
>
> > At least the session bit seems to work... I've taken out all the
> whitelist code and mimetype stuff just now but I have another upload
> file I'm working on which attempts to detect the mimetype using
> several techniques contained in drupal and wordpress modules - will
> let you know if it pans out...
>
> >
>
> >
>
> >
>
> > Regards,
>
> >
>
> >
>
> >
>
> > John Smith
>
> >
>
> > Learning Technologist
>
> >
>
> > School of Health & Life Sciences
>
> >
>
> > Glasgow Caledonian University
>
> >
>
> >
>
> >
>
> >
>
> >
>
> > -----Original Message-----
>
> >
>
> > From: xerte-dev-bounces at lists.nottingham.ac.uk
> > [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
>
> >
>
> > Sent: Monday, March 11, 2013 2:32 PM
>
> >
>
> > To: For Xerte technical developers
>
> >
>
> > Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> >
>
> >
>
> >
>
> > If I try and upload php files, onComplete still fires...
>
> >
>
> >
>
> >
>
> > -----Original Message-----
>
> >
>
> > From: xerte-dev-bounces at lists.nottingham.ac.uk
> > [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
>
> >
>
> > Sent: 11 March 2013 14:27
>
> >
>
> > To: For Xerte technical developers
>
> >
>
> > Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> >
>
> >
>
> >
>
> > Hold on, I'll see if I can get the events to trip,
>
> >
>
> >
>
> >
>
> > -----Original Message-----
>
> >
>
> > From: xerte-dev-bounces at lists.nottingham.ac.uk
> > [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
>
> >
>
> > Sent: 11 March 2013 14:20
>
> >
>
> > To: For Xerte technical developers
>
> >
>
> > Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> >
>
> >
>
> >
>
> > Yeah, it's the Flash end... didn't seem to be doing anything no
> matter the content of the php PRINT statements so I just removed them
> for brevity... They were all in English anyway...
>
> >
>
> >
>
> >
>
> > Regards,
>
> >
>
> >
>
> >
>
> > John Smith
>
> >
>
> > Learning Technologist
>
> >
>
> > School of Health & Life Sciences
>
> >
>
> > Glasgow Caledonian University
>
> >
>
> >
>
> >
>
> >
>
> >
>
> > -----Original Message-----
>
> >
>
> > From: xerte-dev-bounces at lists.nottingham.ac.uk
> > [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
>
> >
>
> > Sent: Monday, March 11, 2013 1:57 PM
>
> >
>
> > To: For Xerte technical developers
>
> >
>
> > Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> >
>
> >
>
> >
>
> > No way to receive whether the upload was successful or not?
>
> >
>
> >
>
> >
>
> > Regards,
>
> >
>
> >
>
> >
>
> > John Smith
>
> >
>
> > Learning Technologist
>
> >
>
> > School of Health & Life Sciences
>
> >
>
> > Glasgow Caledonian University
>
> >
>
> >
>
> >
>
> >
>
> >
>
> > -----Original Message-----
>
> >
>
> > From: xerte-dev-bounces at lists.nottingham.ac.uk
> > [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
>
> >
>
> > Sent: Monday, March 11, 2013 1:48 PM
>
> >
>
> > To: For Xerte technical developers
>
> >
>
> > Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> >
>
> >
>
> >
>
> > I'm not sure you can do much with that class, it's just a black box.
>
> >
>
> >
>
> >
>
> > -----Original Message-----
>
> >
>
> > From: xerte-dev-bounces at lists.nottingham.ac.uk
> > [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
>
> >
>
> > Sent: 11 March 2013 13:33
>
> >
>
> > To: For Xerte technical developers
>
> >
>
> > Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> >
>
> >
>
> >
>
> > Perhaps it should just feedback error codes, and the flash class
> translates them...
>
> >
>
> >
>
> >
>
> > Regards,
>
> >
>
> >
>
> >
>
> > John Smith
>
> >
>
> > Learning Technologist
>
> >
>
> > School of Health & Life Sciences
>
> >
>
> > Glasgow Caledonian University
>
> >
>
> >
>
> >
>
> >
>
> >
>
> > -----Original Message-----
>
> >
>
> > From: xerte-dev-bounces at lists.nottingham.ac.uk
> > [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney
>
> >
>
> > Sent: Monday, March 11, 2013 1:21 PM
>
> >
>
> > To: For Xerte technical developers
>
> >
>
> > Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> >
>
> >
>
> >
>
> > NO, I forget the details but there is a flash player class that does
> the upload thing. I'll give it a whirl.
>
> >
>
> >
>
> >
>
> > -----Original Message-----
>
> >
>
> > From: xerte-dev-bounces at lists.nottingham.ac.uk
> > [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
>
> >
>
> > Sent: 11 March 2013 12:45
>
> >
>
> > To: For Xerte technical developers
>
> >
>
> > Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php
>
> >
>
> >
>
> >
>
> > Hi Julian, give that a try... Does the flash editor do anything with
> the returned/echoed text? I've taken them out because they didn't
> seem to be doing anything in the Flash end and they could give hints
> to a hacker as to why their attempt was quashed...
> >
> > Glasgow Caledonian University is a registered Scottish charity, number SC021474
> >
> > Winner: Times Higher Education's Widening Participation Initiative of the Year 2009 and Herald Society's Education Initiative of the Year 2009.
> > http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html
> >
> > Winner: Times Higher Education's Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners.
> > http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html
> > _______________________________________________
> > Xerte-dev mailing list
> > Xerte-dev at lists.nottingham.ac.uk
> > http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev
>
> >
>
> >
>
> > _______________________________________________
>
> > Xerte-dev mailing list
>
> > Xerte-dev at lists.nottingham.ac.uk
> <mailto:Xerte-dev at lists.nottingham.ac.uk>
>
> > http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev
>
> >
>
> >
>
> > _______________________________________________
>
> > Xerte-dev mailing list
>
> > Xerte-dev at lists.nottingham.ac.uk
> <mailto:Xerte-dev at lists.nottingham.ac.uk>
>
> > http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev
>
> >
>
> > Glasgow Caledonian University is a registered Scottish charity, number
>
> > SC021474
>
> >
>
> > Winner: Times Higher Education's Widening Participation Initiative
> of the Year 2009 and Herald Society's Education Initiative of the Year
> 2009.
>
> > http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6
>
> > 219,en.html
>
> >
>
> > Winner: Times Higher Education's Outstanding Support for Early
> Career Researchers of the Year 2010, GCU as a lead with Universities
> Scotland partners.
>
> > http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,1
>
> > 5691,en.html
>
> >
>
> > _______________________________________________
>
> > Xerte-dev mailing list
>
> > Xerte-dev at lists.nottingham.ac.uk
> <mailto:Xerte-dev at lists.nottingham.ac.uk>
>
> > http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev
>
> > This message and any attachment are intended solely for the
> addressee and may contain confidential information. If you have
> received this message in error, please send it back to me, and
> immediately delete it. Please do not use, copy or disclose the
> information contained in this message or in any attachment. Any views
> or opinions expressed by the author of this email do not necessarily
> reflect the views of the University of Nottingham.
>
> >
>
> > This message has been checked for viruses but the contents of an
>
> > attachment may still contain software viruses which could damage
> your computer system:
>
> > you are advised to perform your own checks. Email communications with
>
> > the University of Nottingham may be monitored as permitted by UK
> legislation.
>
> _______________________________________________
>
> Xerte-dev mailing list
>
> Xerte-dev at lists.nottingham.ac.uk <mailto:Xerte-dev at lists.nottingham.ac.uk>
>
> http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev
>
> Glasgow Caledonian University is a registered Scottish charity, number
> SC021474
>
> Winner: Times Higher Education's Widening Participation Initiative of
> the Year 2009 and Herald Society's Education Initiative of the Year 2009.
>
> http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html
>
> Winner: Times Higher Education's Outstanding Support for Early Career
> Researchers of the Year 2010, GCU as a lead with Universities Scotland
> partners.
>
> http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html
>
> _______________________________________________
>
> Xerte-dev mailing list
>
> Xerte-dev at lists.nottingham.ac.uk <mailto:Xerte-dev at lists.nottingham.ac.uk>
>
> http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev
>
> _______________________________________________
>
> Xerte-dev mailing list
>
> Xerte-dev at lists.nottingham.ac.uk <mailto:Xerte-dev at lists.nottingham.ac.uk>
>
> http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev
>
> Glasgow Caledonian University is a registered Scottish charity, number
> SC021474
>
> Winner: Times Higher Education's Widening Participation Initiative of
> the Year 2009 and Herald Society's Education Initiative of the Year 2009.
>
> http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html
>
> Winner: Times Higher Education's Outstanding Support for Early Career
> Researchers of the Year 2010, GCU as a lead with Universities Scotland
> partners.
>
> http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html
>
> _______________________________________________
>
> Xerte-dev mailing list
>
> Xerte-dev at lists.nottingham.ac.uk <mailto:Xerte-dev at lists.nottingham.ac.uk>
>
> http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev
>
> _______________________________________________
>
> Xerte-dev mailing list
>
> Xerte-dev at lists.nottingham.ac.uk <mailto:Xerte-dev at lists.nottingham.ac.uk>
>
> http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev
>
> Glasgow Caledonian University is a registered Scottish charity, number
> SC021474
>
> Winner: Times Higher Education's Widening Participation Initiative of
> the Year 2009 and Herald Society's Education Initiative of the Year 2009.
>
> http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html
>
> Winner: Times Higher Education's Outstanding Support for Early Career
> Researchers of the Year 2010, GCU as a lead with Universities Scotland
> partners.
>
> http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html
>
--
Tom Reijnders
TOR Informatica
Chopinlaan 27
5242HM Rosmalen
Tel: 073 5226191
Fax: 073 5226196
-------------- next part --------------
A non-text attachment was scrubbed...
Name: bffhdcbf.png
Type: image/png
Size: 30072 bytes
Desc: not available
URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130325/330ce8f3/attachment-0002.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: iaagegeh.png
Type: image/png
Size: 34026 bytes
Desc: not available
URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130325/330ce8f3/attachment-0003.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/jpeg
Size: 8559 bytes
Desc: not available
URL: <http://lists.nottingham.ac.uk/pipermail/xerte-dev/attachments/20130325/330ce8f3/attachment-0001.jpe>