Home / Browse / Gallery / Mail / Archive

Gallery

Email Archive: gallery-checkins (read-only)

2004:	_Jan (653)	_Feb (966)	_Mar (929)	_Apr (774)	_May (757)	_Jun (650)	_Jul (1216)	_Aug (1286)	_Sep (980)	_Oct (892)	_Nov (905)	_Dec (663)
2010:	_Jan (226)	_Feb (150)	_Mar (30)	_Apr (34)	_May (19)	_Jun (134)	_Jul (82)	_Aug (106)	_Sep (103)	_Oct (29)	_Nov (62)	_Dec (73)
2012:	_Jan	_Feb (11)	_Mar (3)	_Apr (28)	_May (111)	_Jun (34)	_Jul (15)	_Aug (5)	_Sep (2)	_Oct (8)	_Nov (6)	_Dec (28)
2011:	_Jan (208)	_Feb (4)	_Mar (36)	_Apr (180)	_May (41)	_Jun (20)	_Jul (18)	_Aug (35)	_Sep	_Oct (14)	_Nov (14)	_Dec (11)
2006:	_Jan (3384)	_Feb (2387)	_Mar (2303)	_Apr (853)	_May (168)	_Jun (174)	_Jul (226)	_Aug (303)	_Sep (199)	_Oct (375)	_Nov (315)	_Dec (282)
2007:	_Jan (145)	_Feb (139)	_Mar (301)	_Apr (156)	_May (123)	_Jun (237)	_Jul (83)	_Aug (217)	_Sep (52)	_Oct (82)	_Nov (62)	_Dec (122)
2001:	_Jan	_Feb	_Mar	_Apr	_May	_Jun	_Jul (149)	_Aug (183)	_Sep (113)	_Oct (93)	_Nov (126)	_Dec (23)
2008:	_Jan (88)	_Feb (68)	_Mar (72)	_Apr (29)	_May (53)	_Jun (27)	_Jul (109)	_Aug (167)	_Sep (113)	_Oct (342)	_Nov (555)	_Dec (558)
2002:	_Jan (29)	_Feb (79)	_Mar (72)	_Apr (81)	_May (240)	_Jun (9)	_Jul (33)	_Aug (210)	_Sep (267)	_Oct (272)	_Nov (296)	_Dec (114)
2003:	_Jan (137)	_Feb (204)	_Mar (362)	_Apr (252)	_May (394)	_Jun (507)	_Jul (807)	_Aug (1397)	_Sep (1376)	_Oct (1687)	_Nov (1354)	_Dec (587)
2005:	_Jan (1013)	_Feb (1129)	_Mar (1928)	_Apr (1218)	_May (2883)	_Jun (1684)	_Jul (2325)	_Aug (2931)	_Sep (2002)	_Oct (1297)	_Nov (1368)	_Dec (4965)
2009:	_Jan (414)	_Feb (290)	_Mar (289)	_Apr (134)	_May (319)	_Jun (224)	_Jul (199)	_Aug (93)	_Sep (271)	_Oct (212)	_Nov (163)	_Dec (141)
2013:	_Jan (145)	_Feb (151)	_Mar (177)	_Apr (143)	_May (140)	_Jun (77)	_Jul	_Aug	_Sep	_Oct	_Nov	_Dec

RE: [Gallery-checkins] CVS: gallery/edit album_delete.inc.php,NON E,1.1.2.1 album_general.inc.php,NONE,1.1.2.1 album_highlight.inc.php,NONE ,1.1.2.1 album_move.inc.php,NONE,1.1.2.1 album_move_batch.inc.php,

From: Mediratta, Bharat <bharat@fu...> - 2001-09-18 19:21

Attachments: Message as HTML

> Bad bad idea.  I assume you are doing this to stop people 
> from loading the
> .inc files directly and having a look at the code.  So 
> instead you change
> it so this code gets executed out of context.  That's far worse!

I'll let Chris answer the above part.
 
> The correct way to handle this is to add something like this to your
> .htaccess file:
> 
>   <Files ~ "\.inc$">
>       Order allow,deny
>       Deny from all
>   </Files>

It's not a given that our end user can use .htaccess files.  I
don't have any hard statistics, but I regularly hear from users
who don't have this capability, so all .htaccess use is optional
in Gallery.

-Bharat

From: Rasmus Lerdorf <rasmus@ph...> - 2001-09-18 19:25

> > Bad bad idea.  I assume you are doing this to stop people
> > from loading the
> > .inc files directly and having a look at the code.  So
> > instead you change
> > it so this code gets executed out of context.  That's far worse!
>
> I'll let Chris answer the above part.
>
> > The correct way to handle this is to add something like this to your
> > .htaccess file:
> >
> >   <Files ~ "\.inc$">
> >       Order allow,deny
> >       Deny from all
> >   </Files>
>
> It's not a given that our end user can use .htaccess files.  I
> don't have any hard statistics, but I regularly hear from users
> who don't have this capability, so all .htaccess use is optional
> in Gallery.

Then also have an option to place the .inc files outside of the
document_root.

-Rasmus

Re: [Gallery-checkins] CVS: gallery/edit album_delete.inc.php,NON E,1.1.2.1 album_general.inc.php,NONE,1.1.2.1 album_highlight.inc.php,NONE ,1.1.2.1 album_move.inc.php,NONE,1.1.2.1 album_move_batch.in

From: Chris Smith <chris@ja...> - 2001-09-18 19:32

What bharat said about the htaccess is my reasoning for not taking that
approach. Lots of our users also do not have access outside of their
document_root...

You are correct that there is a possibility that some code might get
executed out of context with this naming convention. But this is true of any
of our scripts (like delete_photo.php) And we should watch that we maintain
the proper security checks in these include files (like we do in scripts
like delete_photo). I just think it's really bad form to see source code in
a browser. And I've noticed some other projects using this naming cenvention
lately (like phpgroupware). Anyway, we might have to just disagree on this
one.

See ya,
chris

> > > Bad bad idea.  I assume you are doing this to stop people
> > > from loading the
> > > .inc files directly and having a look at the code.  So
> > > instead you change
> > > it so this code gets executed out of context.  That's far worse!
> >
> > I'll let Chris answer the above part.
> >
> > > The correct way to handle this is to add something like this to your
> > > .htaccess file:
> > >
> > >   <Files ~ "\.inc$">
> > >       Order allow,deny
> > >       Deny from all
> > >   </Files>
> >
> > It's not a given that our end user can use .htaccess files.  I
> > don't have any hard statistics, but I regularly hear from users
> > who don't have this capability, so all .htaccess use is optional
> > in Gallery.
>
> Then also have an option to place the .inc files outside of the
> document_root.
>
> -Rasmus
>

Re: [Gallery-checkins] CVS: gallery/edit album_delete.inc.php,NON E,1.1.2.1 album_general.inc.php,NONE,1.1.2.1 album_highlight.inc.php,NONE ,1.1.2.1 album_move.inc.php,NONE,1.1.2.1 album_move_batch.in

From: Rasmus Lerdorf <rasmus@ph...> - 2001-09-18 19:41

> You are correct that there is a possibility that some code might get
> executed out of context with this naming convention. But this is true of any
> of our scripts (like delete_photo.php) And we should watch that we maintain
> the proper security checks in these include files (like we do in scripts
> like delete_photo). I just think it's really bad form to see source code in
> a browser. And I've noticed some other projects using this naming cenvention
> lately (like phpgroupware). Anyway, we might have to just disagree on this
> one.

Well, could you at least make it configurable?  I'd hate to have to fork
this stuff for my own use.

-Rasmus

From: Chris Smith <chris@ja...> - 2001-09-18 19:54

> > You are correct that there is a possibility that some code might get
> > executed out of context with this naming convention. But this is true of
any
> > of our scripts (like delete_photo.php) And we should watch that we
maintain
> > the proper security checks in these include files (like we do in scripts
> > like delete_photo). I just think it's really bad form to see source code
in
> > a browser. And I've noticed some other projects using this naming
cenvention
> > lately (like phpgroupware). Anyway, we might have to just disagree on
this
> > one.
>
> Well, could you at least make it configurable?  I'd hate to have to fork
> this stuff for my own use.
>

Hey, be careful where you stick that fork! It's all fun and games until
someone loses an eye! :)

Actually I've been chatting with bharat, and he beat on me as well, so I'm
going to change it back. No biggie.

peace,
chris

From: Rasmus Lerdorf <rasmus@ph...> - 2001-09-18 20:20

> > > You are correct that there is a possibility that some code might get
> > > executed out of context with this naming convention. But this is true of
> any
> > > of our scripts (like delete_photo.php) And we should watch that we
> maintain
> > > the proper security checks in these include files (like we do in scripts
> > > like delete_photo). I just think it's really bad form to see source code
> in
> > > a browser. And I've noticed some other projects using this naming
> cenvention
> > > lately (like phpgroupware). Anyway, we might have to just disagree on
> this
> > > one.
> >
> > Well, could you at least make it configurable?  I'd hate to have to fork
> > this stuff for my own use.
> >
>
> Hey, be careful where you stick that fork! It's all fun and games until
> someone loses an eye! :)
>
> Actually I've been chatting with bharat, and he beat on me as well, so I'm
> going to change it back. No biggie.

I think it would be a good idea to have some sort of workaround for people
who have no .htaccess, httpd.conf access nor non-doc_root access.  But
that shouldn't be at the expense of people who do.

The setup script could loop through and mv *.inc to *.inc.php and you
could have a $inc variable you would append in the code.

-Rasmus