[Xerte-dev] Re: SECURITY PATCH for upload.php

Smith, John J.J.Smith at gcu.ac.uk
Mon Mar 25 20:06:11 GMT 2013


Thanks Ron

Hmmm. It's a pesky one to track down... It's working in the xampp zip that you kindly supplied and doesn't when I comment out the code, so it's definitely doing something...

I had some hefty debug code in and I might add it back in to see what's going on on a real install. What version of Moodle is the Jisc server using? I tested in the v2 one.

Can you remind me of my login details for that server?

Regards

John Smith
Learning Technologist
School of Health and Life Sciences

Sent from Samsung Galaxy SII



Ron Mitchell <ronm at mitchellmedia.co.uk> wrote:


Hi John
not sure what change it's down to but refreshing doesn't change the button state issue for me. Reverting the code back to a previously working install does though.

I've just tested r734 and upload via graphics and sound works fine with IE9 and Chrome but alas not with Firefox.

HTH
Ron

-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 25 March 2013 17:33
To: xerte-dev at lists.nottingham.ac.uk
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

Yeah I've only patched edit and upload but I have been seeing similar things...

If you refresh then the buttons should work again. Not sure why but might try debugging later..

As for the upload patch, can you try Firefox by clearing cookies, logging in again and seeing if upload works, to check whether the cookie bug is fixed?

Thanks Ron.

Regards

John Smith
Learning Technologist
School of Health and Life Sciences

Sent from Samsung Galaxy SII



Ron Mitchell <ronm at mitchellmedia.co.uk> wrote:



Hi John

I've just updated the Techdis /xot install to R734 which obviously uses Moodle authentication and uploading via a graphics and sound page seems to work fine now whereas as you know it didn't before.

However I'm not sure whether it's due to your update or the recent update by others but I notice that there's now no state change on the workspace buttons when a project is selected, i.e. they still work but remain greyed out.

HTH

Ron





-----Original Message-----
From: xerte-dev-bounces at lists.nottingham.ac.uk [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John
Sent: 25 March 2013 16:02
To: For Xerte technical developers
Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php



Hi all,

Sorry it's been a while getting to this again but I seem to have made some headway.

I've been able to figure out how to jump start the Moodle session also in upload.php and it has worked in my tests but would love to see how it fares in the real world. Would someone be able to test this for me? I've committed changes (some to edit.php too) as R734.

Regards,

John Smith

Learning Technologist

School of Health & Life Sciences

Glasgow Caledonian University





-----Original Message-----

From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John

Sent: Friday, March 15, 2013 11:39 AM

To: For Xerte technical developers

Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php



Worth a try!! So we have to support Firefox AND Moodle - there's that wagging dog again ;-)



Leave it with me - once I get moodle integration working I'll take a look at the moodle session and see if we do anything...



Regards,



John Smith

Learning Technologist

School of Health & Life Sciences

Glasgow Caledonian University





-----Original Message-----

From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney

Sent: Friday, March 15, 2013 11:21 AM

To: For Xerte technical developers

Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php



No, we have to support Firefox, but you know that already!



-----Original Message-----

From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John

Sent: 15 March 2013 10:14

To: xerte-dev at lists.nottingham.ac.uk<mailto:xerte-dev at lists.nottingham.ac.uk>

Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php



True but Moodle is a red herring here...



The problem is Firefox - it is the tail... If you can live without Firefox being supported, only in the editor, then we can probably keep Moodle auth as is...



Depends who you want to keep happiest...



Regards



John Smith

Learning Technologist

School of Health and Life Sciences



Sent from Samsung Galaxy SII







Julian Tenney <Julian.Tenney at nottingham.ac.uk<mailto:Julian.Tenney at nottingham.ac.uk>> wrote:





Hmm. Keen not to have a 'tail wags dog' thing here, if moodle is the problem, then I think that's what we should fix.



-----Original Message-----

From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John

Sent: 15 March 2013 09:10

To: xerte-dev at lists.nottingham.ac.uk<mailto:xerte-dev at lists.nottingham.ac.uk>

Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php



The way the Moodle authentication works - it's so complicated that there is no way to restart it in upload when we are using Firefox... The upload script as reported by Ron does work as long as we're not using Moodle.

As I said we can check for Moodle auth and simply not check for session but that still leaves a gaping hole...

Bootstrapping the upload via js 'should' allow config.php to handle the session as it does on other pages...



Regards



John Smith

Learning Technologist

School of Health and Life Sciences



Sent from Samsung Galaxy SII







Julian Tenney <Julian.Tenney at nottingham.ac.uk<mailto:Julian.Tenney at nottingham.ac.uk>> wrote:





So is the problem the upload script, or the way the moodle authentication works?



-----Original Message-----

From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John

Sent: 14 March 2013 16:41

To: For Xerte technical developers

Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php



Yes, Flash seems to already add &sessionid to the end of the query string and if I take that and use session_id(querystringsessionid) before calling session_start() then it works...

If I rely on the session start in config.php then it doesn't execute if using Moodle authentication and so the session check fails...

Just thought though that I was still checking the xerte session variable whereas if I can find a Moodle one to check then it 'might' still work...

The only problem is that I don't have a working Moodle install?!? Well I do - on a pen drive copied from someone in Nottingham (Thomas?) but I don't know the password to login to Moodle... was there a default password?? anyone??



Regards,



John Smith

Learning Technologist

School of Health & Life Sciences

Glasgow Caledonian University





-----Original Message-----

From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney

Sent: Thursday, March 14, 2013 4:24 PM

To: For Xerte technical developers

Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php



Is it the case that you got it working in all browsers EXCEPT when using moodle authentication?





-----Original Message-----

From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John

Sent: 14 March 2013 16:22

To: For Xerte technical developers

Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php



I'm sure if upload.php knows that it's Firefox and then checks the authentication method then it can set the passed session id IF NOT moodle but then we might have to bypass the session check if not Moodle... not really a solution...



I think we might have to resort to js though...



Regards,



John Smith

Learning Technologist

School of Health & Life Sciences

Glasgow Caledonian University





-----Original Message-----

From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Julian Tenney

Sent: Thursday, March 14, 2013 4:12 PM

To: For Xerte technical developers

Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php



Do you think we should take Flash out of the picture and call some JS from the wizard swf? We can still do some sort of progress / notification stuff I think. All you need to pass to upload is the file's path on the local machine, right?



This has got to be sortable though, surely, but if it's gribbly and there's an alternative, let's do that.



-----Original Message-----

From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk> [mailto:xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Smith, John

Sent: 13 March 2013 11:30

To: xerte-dev at lists.nottingham.ac.uk<mailto:xerte-dev at lists.nottingham.ac.uk>

Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php



Hi Pat



Yeah it's the Firefox Flash cookie thing that's the real ball breaker... we are still including config.php BUT...

If we are in Firefox and include config.php before setting the session id then when config starts the session we get a new session id.

Until we start the session in upload.php though we can't tell if we are in Firefox or using Moodle..

I suppose we can add some more complex logic as you say which checks what authentication method we are using and does whatever is required... We might need to indicate from Flash though what browser we are using otherwise we might still miss one of the options - using Firefox with Moodle authentication I think cannot be detected at present...



Regards



John Smith

Learning Technologist

School of Health and Life Sciences



Sent from Samsung Galaxy SII







"Pat @ Pgogy" <xerte at pgogywebstuff.com<mailto:xerte at pgogywebstuff.com>> wrote:





Try including config.php or doing a MySQL select db back to the xerte db, that fixed most of the moodle problems before



Pgogy Webstuff - http://www.pgogywebstuff.com<http://www.pgogywebstuff.com/> Makers of web things of a fair to middling quality



On 12 Mar 2013, at 21:20, "Smith, John" <J.J.Smith at gcu.ac.uk<mailto:J.J.Smith at gcu.ac.uk>> wrote:



> Hi Ron,

>

> Hmmm there is some session restart code although it should be restarting the same session as the session id is being passed from Flash... I wonder why it's killing the Moodle session though and none of the others... very strange - I'll revert the changes back while we investigate... damn though, we had almost cracked it...

>

> Regards,

>

> John Smith | Learning Technologist

> Room A251, Govan Mbeki Building | School of Health & Life Sciences |

> Glasgow Caledonian University Cowcaddens Road | Glasgow | G4 0BA

> ________________________________________

> From: xerte-dev-bounces at lists.nottingham.ac.uk<mailto:xerte-dev-bounces at lists.nottingham.ac.uk>

> [xerte-dev-bounces at lists.nottingham.ac.uk] On Behalf Of Ron Mitchell

> [ronm at mitchellmedia.co.uk]

> Sent: 12 March 2013 20:31

> To: 'For Xerte technical developers'

> Subject: [Xerte-dev] Re: SECURITY PATCH for upload.php

>

> Hi John

> I tested further and the issue only seems to occur with Moodle authentication enabled. Uploading works fine with guest authentication and static authentication; I can't easily test LDAP authentication.

>

> So I guess this is either session related or a js clash?

>

> Have you added any session start code that's perhaps killing the Moodle session? You have access to the /xot install to check js via console etc and I've set it back to use Moodle authentication so at the moment it's easy to replicate the issue.

>

> I know this is probably going to raise the old chestnut about Moodle integration etc but obviously all worked fine prior to the recent changes and does when reverting back too.

Glasgow Caledonian University is a registered Scottish charity, number SC021474

Winner: Times Higher Education’s Widening Participation Initiative of the Year 2009 and Herald Society’s Education Initiative of the Year 2009.
http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,6219,en.html

Winner: Times Higher Education’s Outstanding Support for Early Career Researchers of the Year 2010, GCU as a lead with Universities Scotland partners.
http://www.gcu.ac.uk/newsevents/news/bycategory/theuniversity/1/name,15691,en.html


_______________________________________________
Xerte-dev mailing list
Xerte-dev at lists.nottingham.ac.uk
http://lists.nottingham.ac.uk/mailman/listinfo/xerte-dev
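The session bootstrap argued over in the 13-15 March messages above (Flash appending &sessionid to the query string because the Firefox plugin sends no cookies, session_id() having to run before any session_start(), and the "gaping hole" of simply skipping the session check under Moodle auth), as an added PHP example that is not Xerte's own upload.php. It assumes, hypothetically, that login code stores the authenticated user in $_SESSION['xerte_user'].

```php
<?php
// Added example (not Xerte's code): adopt the session id the Flash client appends
// to the query string, and still require a logged-in session before any upload.
// Hypothetical assumption: the login page stored the user in $_SESSION['xerte_user'].

// Accept only strings that look like PHP session ids; anything else is rejected
// before session_start() ever sees it.
function valid_session_id_format(string $id): bool
{
    return (bool) preg_match('/^[a-zA-Z0-9,-]{22,256}$/', $id);
}

// Returns the authenticated user bound to ?sessionid=..., or null to deny.
// Denying (rather than "not checking for session" for one auth method) is the
// point: an unknown id must not grant an upload.
function authenticated_user_from_query(array $query): ?string
{
    $id = $query['sessionid'] ?? '';
    if (!valid_session_id_format($id)) {
        return null;
    }
    if (session_status() === PHP_SESSION_NONE) {
        // Strict mode makes PHP discard ids it never issued instead of silently
        // creating a fresh, empty session under a caller-chosen id.
        ini_set('session.use_strict_mode', '1');
        // Must run before session_start(), and before any config include that
        // starts the session itself; otherwise a second, new session is created
        // and the check below fails, which is the symptom described for Firefox.
        session_id($id);
        session_start();
    }
    if (empty($_SESSION['xerte_user'])) {
        // Id resolved to no logged-in session (expired, regenerated, or never
        // issued): close it and deny, do not fall through to the upload.
        session_write_close();
        return null;
    }
    return $_SESSION['xerte_user'];
}

// Constructed entry point for an upload handler using the function above.
$user = authenticated_user_from_query($_GET);
if ($user === null) {
    http_response_code(403);
    exit('Not authenticated');
}
// ... validate and store $_FILES on behalf of $user ...
```

If config.php already started a session with a different id (the ordering problem John describes), session_status() is no longer PHP_SESSION_NONE, so the function does not try to switch ids and the empty-session check still denies.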
