Thread: [phpslash-users] TODO for 0.6 final
From: nathan r. h. <nh...@ar...> - 2000-09-29 01:25:42
Hello. Listed below is the TODO for phpslash-0.6 Final. If you have any prefs about what happens with phpslash and how soon 0.6 is stable (and therefore we get to start working on other new features... hint hint) please take the time to point out any other bugs that you've seen and report them at the SourceForge page (My crappy spelling doesn't count as a bug, though I guess it should...). If you have comments or questions about the TODO, please feel free to ask. If you have some time this coming weekend, please knock off a TODO Item for us :)

Those who don't want to code, let me remind you that our documentation is lacking. Helping with Docs is more important sometimes than the actual code. Contact Blake Carver for info, and take a look at the Doc Manager at SourceForge.

At this point we are ($we = developers) pushing the wall as far as testing goes; we can't find every bug or config issue, especially in both php3 and php4. We ***need*** y'all to help. Please!!!

This TODO reflects current-ish CVS; an rc-2 will be out shortly-esque (read next week probably, because I'd like to give rc2 a bigger announcement and I'd like it to be as close to final as we can get it.).

TODO for phpslash-0.6-FINAL
Updated: SEPT 26 2000
Comments to nathan hruby (nh...@ar...)

###########################################################################
# TODO:
###########################################################################
- undefined function get_class() [php4 issue]
- added plain text to submission/new stories
- block preview
- no link back to article after posting comment
- logo does not link back to homepage
- db_xfer is needing an update....
- Get all general config vars into config.php3, finalize the most used functions for every page and import them into functions.inc (This obsoletes Slash.class, which I think has finally been declared dead.) Vars that are only required for one page or that need to be dynamically updated need to stay in the db. Things like basedir, rootdir, etc. can live in config.php3
- Drop-kick Slash.Class in the teeth (Aka: remove it and all dependencies to it. Make sure everything is in functions.inc.)
- Clean up to make reading / editing easier in config.php3 (nathan)
  - Mostly done. Will finalize after everything moves in there
- backend.php3 needs some work (Nathan, Costas, Ajay, Whomever)
  - Needs to use new classes as most of the functions in functions.inc are gone.
  - Should just use config.php3 for easier setup.
- Add Blakes' new mail stuff (nathan)
  - Requires an update of the standard db schema to include that stuff
  - Don't forget to update db_xfer.php3.disabled!
  - Make work with 0.6
  - Icons ????
- phpslash.org needs updating and needs to run 0.6 for release (Trollboy, Blake for Docs)
- Docs need updating (Coordinated by Blake)
  - Object method / property lists
  - Add install guide (HTML and text flavors)
  - Updated CREDITS
  - Update FAQ (module owners, URL's, mailing list signup has changed, etc...)
  - Make sure everything points at SourceForge.
- Replace getvar("rootdir"); with Global $rootdir; in all Classes.
- Speed cleanups (ie: getStoriesForIndex gets a list of story_id's and sends each to getStory, which in turn does another query and gets all the story stuff for the id and returns the HTML for the ONE story. So you have to do a query for EACH story.)

###########################################################################
# Done BUT Needs Testing:
###########################################################################
- Clean up story addition in Admin to allow similar functionality as adding comment (submit as HTML, trans, plain text) [Joe Stewart]
- Finish Blocks [Ajay, et al]
  - Possible Block Preview Bug in admin?
- De-cruftify
- Poll Needs help
- Comment system is still a bit wacky. PLEASE TEST THE CRAP OUT OF THIS!
- Make NavBar understand the new admin pages (*admin.php3) and give the full menu (Ajay says it needs cleanups)
- Double check security.. (It's crufty... Hold together one more release baby!)

###########################################################################
# Done:
###########################################################################
- Try to see how easy / hard it would be to make all objects use a global slash object [Answer: It's bad.. so this is abandoned] (nathan, Costas)
- Fix pages that look for non-existent tables and update to current stuff
- submissionAdmin.php3 needs to know about security
- Finish up bits of templates (Ajay, Nathan, Whoever)
  - Slashhead.inc still has some tables junk to start off the page that needs to move into a templates/<whatever>.tpl file
  - Same with slashfoot.inc
- policySubmit and submit.php3 need to go bye-bye (still there, but not used, will go away for 0.6-FINAL)

###########################################################################
# On Hold till 0.65 (Steak Fajita?):
###########################################################################
- ordering blocks -> 0.65 or even pushed back to 0.7!
- Like to move templates out of the public root (nathan)
- Move .class files out of public root and into top level class/ branch and the associated logic changes (shouldn't be much) (nathan)
- Add / port info logger to default distro (nathan)
- Add / port logging_mod to default distro (nathan)
- Add / port Blakes HOF (nathan)

###########################################################################
# Gone Like The Wind:
###########################################################################
- Cleanups after object use (all.. If you start an object, put it away when you're done) [Why spend cycles cleaning up, it all dies right after page processing anyway, though TopicBar and NavBar should be made to clean up after themselves, esp their db connections.]

###########################################################################
# Wishlist
###########################################################################
- Super spiffy installer that downloads and installs everything for you, down to the .htaccess files (Nathan, Whomever)

--
........
nathan hruby
Webmaster: UGA Department of Drama and Theatre
Project Maintainer: phpSlash, Carousel
nh...@ar...
........
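The "Speed cleanups" item describes getStoriesForIndex fetching a list of story ids and then calling getStory once per id, which costs one query per story on the index page (the classic N+1 pattern). The following is an added example, not phpslash code: a Python sketch over an in-memory SQLite table that keeps the same two-step shape but fetches all listed stories in a single bound-parameter query, and counts the statements each version sends so the difference is measurable. Table and column names, the render markup and the sample rows are assumptions constructed for the example.

```python
import html
import sqlite3

# Constructed sample rows; the schema is an assumption, not phpslash's real one.
SAMPLE_STORIES = [
    (1, "First story", "Body <one>"),
    (2, "Second story", "Body two"),
    (3, "Third story", "Body three"),
]


class Db:
    """SQLite connection that counts every SQL statement it executes."""

    def __init__(self):
        self.conn = sqlite3.connect(":memory:")
        self.conn.execute(
            "CREATE TABLE stories (story_id INTEGER PRIMARY KEY, title TEXT, body TEXT)"
        )
        self.conn.executemany("INSERT INTO stories VALUES (?, ?, ?)", SAMPLE_STORIES)
        self.queries = 0
        # Installed after setup so only the index-page statements are counted.
        self.conn.set_trace_callback(self._count)

    def _count(self, _statement):
        self.queries += 1

    def query(self, sql, params=()):
        return self.conn.execute(sql, params).fetchall()


def render_story(row):
    story_id, title, body = row
    # Escape before building markup so a story body cannot inject HTML.
    return (
        f'<div class="story" id="s{story_id}"><h2>{html.escape(title)}</h2>'
        f"<p>{html.escape(body)}</p></div>"
    )


def index_ids(db):
    """The id list the index page decides to show (one query)."""
    return [r[0] for r in db.query("SELECT story_id FROM stories ORDER BY story_id DESC")]


def get_story(db, story_id):
    """The per-story path the TODO describes: one SELECT for one id."""
    (row,) = db.query(
        "SELECT story_id, title, body FROM stories WHERE story_id = ?", (story_id,)
    )
    return render_story(row)


def get_stories_for_index_n_plus_1(db):
    """Original shape: N ids -> N calls to get_story -> N extra queries."""
    return "".join(get_story(db, sid) for sid in index_ids(db))


def get_stories_for_index_batched(db):
    """Same output, but all listed ids are fetched in one query.
    The f-string only builds the '?,?,?' placeholder list; the ids themselves
    stay bound parameters, so no value is spliced into SQL text."""
    ids = index_ids(db)
    if not ids:
        return ""
    placeholders = ",".join("?" * len(ids))
    rows = db.query(
        "SELECT story_id, title, body FROM stories "
        f"WHERE story_id IN ({placeholders}) ORDER BY story_id DESC",
        ids,
    )
    return "".join(render_story(r) for r in rows)


def query_counts():
    """Return (queries for the N+1 version, queries for the batched version)."""
    db = Db()
    slow = get_stories_for_index_n_plus_1(db)
    slow_count = db.queries
    db.queries = 0
    fast = get_stories_for_index_batched(db)
    fast_count = db.queries
    assert slow == fast  # same HTML either way
    return slow_count, fast_count


if __name__ == "__main__":
    print(query_counts())  # (4, 2) for the three sample stories
```

With three stories the per-id version sends four statements and the batched one two; the gap grows linearly with the number of stories on the index page, which is the cost the TODO item is pointing at.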
From: zblace <zb...@al...> - 2000-09-29 10:36:10
I might be saying nonsense since I don't follow the list all the time ... Has anyone worked on feature of submitting stories by (xml?) formatted e-mail ?
From: nathan r. h. <nh...@ar...> - 2000-09-29 13:27:28
On Fri, 29 Sep 2000, zblace wrote:

> I might be saying nonsense
> since I don't follow the list all the time ...
>
> Has anyone worked on feature of
> submitting stories by (xml?) formatted e-mail ?

Eeepp. No, submitting articles / comments of any form isn't a planned feature. We've toyed with the concept of having a NNTP / IMAP gateway and are planning on having a XML syndication subsystem, so at some point that could happen, but I've really never actually had the thought... (How would one authenticate without sending a cleartext password over 8 billion SMTP servers?)

-n
--
........
nathan hruby
Webmaster: UGA Department of Drama and Theatre
Project Maintainer: phpSlash, Carousel
nh...@ar...
........
From: Blake C. <btc...@li...> - 2000-09-29 15:18:36
http://slashdot.org/article.pl?sid=00/09/29/1245218&mode=thread

not sure what this means for us, maybe something to think about in terms of security.

---------------------
Blake Carver
LISNews.com
http://www.lisnews.com
Librarian and Information Science News
From: nathan r. h. <nh...@ar...> - 2000-09-29 16:15:00
On Fri, 29 Sep 2000, Blake Carver wrote:

> http://slashdot.org/article.pl?sid=00/09/29/1245218&mode=thread

Saw the hacker's post before bed last night. Hehe..

> not sure what this means for us, maybe something to think about in terms of
> security.

We have inherited the crappy auth scheme the current slashcode has. It will be fixed in 0.65 when we move to md5 passwords (a'la phplib).

The problem with /. was that slashcode had an open security hole. A bug in their templates code. From the article...

"By exploiting a known security hole in pre-2.0 versions of Slashcode, they executed some perl of their own devising through our template system, and managed to run netcat on the box. The hole itself required "God" access on a Slashcode site, so it was never a problem before... but since the password was the Slashcode default of God/Pete, it wasn't hard. We knew about the potential problem but since nobody ever had God access besides me, it was never a problem!"

Keyword: KNOWN SECURITY HOLE!!!! Ie: we had a hole and never cared enough to patch it because Rob's the only one with friggin' $seclev = 10000000.

Fucker. I hope every slashcode site gets hacked and the ops beat Rob to death. How the hell can you have a known hole and not patch it? Stupid. Stupid. Stupid. Did I mention Stupid? Perhaps dumb as well...

Rob is touting slashcode-2.0 to fix these problems, but I don't think that it's near beta quality yet ('tis a mostly complete rebuild to OO-ify and clean and fix their auth and templates..)

phpslash will soon not have this problem at all (bad auth, plaintext passwords). Also there's not a friggin' eval() in the joint so there's no way to run commands (that I can think of.. the benefit of our OO is that classes are called once the global environment is setup, so any rogue variables imported via register_globals will get overwritten in the require(SomeClass); or the functions of the class that are called.)

-n
........
nathan hruby
Webmaster: UGA Department of Drama and Theatre
Project Maintainer: phpSlash, Carousel
nh...@ar...
........
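The post above says phpslash still stores plaintext passwords and plans to move to hashed ones in 0.65. What follows is an added example, not phpslash or phplib code, showing in Python the defender's side of that migration: a store that verifies hashed rows with a constant-time compare and silently rehashes a legacy plaintext row the first time its owner logs in, so nothing has to be reset on a flag day. It uses salted PBKDF2-HMAC-SHA256 rather than the unsalted md5 the post mentions (my choice, not the project's); the user "table", its field names and the sample rows are constructed for the example.

```python
import hashlib
import hmac
import os

# Assumed on-disk format for a migrated row: prefix$rounds$salt_hex$digest_hex.
# A row that does not start with PREFIX is taken to be a legacy plaintext one.
PREFIX = "pbkdf2_sha256$"
PBKDF2_ROUNDS = 100_000


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; a fresh random salt unless one is supplied."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return f"{PREFIX}{PBKDF2_ROUNDS}${salt.hex()}${digest.hex()}"


def verify_hashed(stored, password):
    """Recompute with the salt and rounds stored in the row; compare in constant time."""
    _, rounds, salt_hex, digest_hex = stored.split("$")
    computed = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(rounds)
    )
    return hmac.compare_digest(computed, bytes.fromhex(digest_hex))


def is_hashed(stored):
    return stored.startswith(PREFIX)


def login(users, name, password):
    """Return True on a correct password. A legacy plaintext row is rewritten as a
    hash on its owner's first successful login, so the table migrates itself."""
    user = users.get(name)
    if user is None:
        # Spend the same effort for unknown names so timing does not reveal them.
        hash_password(password)
        return False
    stored = user["password"]
    if is_hashed(stored):
        return verify_hashed(stored, password)
    # Legacy row: the stored value is still a secret, so compare it in constant time too.
    if not hmac.compare_digest(stored.encode("utf-8"), password.encode("utf-8")):
        return False
    user["password"] = hash_password(password)
    return True


def unhashed_users(users):
    """Names whose rows still hold plaintext; worth auditing until the list is empty."""
    return sorted(n for n, u in users.items() if not is_hashed(u["password"]))


def migration_demo():
    """Walk one legacy row through a failed and then a successful login."""
    # Constructed sample rows: one legacy plaintext row, one already hashed.
    users = {
        "legacy": {"password": "correct horse"},
        "fresh": {"password": hash_password("battery staple")},
    }
    before = unhashed_users(users)
    wrong = login(users, "legacy", "wrong")            # False, row left as it was
    right = login(users, "legacy", "correct horse")    # True, row is now hashed
    after = unhashed_users(users)
    return before, wrong, right, after


if __name__ == "__main__":
    print(migration_demo())  # (['legacy'], False, True, [])
```

The rehash-on-login step is the only part that touches a plaintext value, and it runs once per account; rows whose owners never return can be expired or force-reset separately, which is why unhashed_users exists as an audit hook.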
From: Ajay S. <ss...@od...> - 2000-09-29 18:03:58
Our security is a joke but since it's all getting re-written in 0.7, there's no use spending a lot of time on it now.

later,
ajay

On Fri, 29 Sep 2000, Blake Carver wrote:

> http://slashdot.org/article.pl?sid=00/09/29/1245218&mode=thread
>
> not sure what this means for us, maybe something to think about in terms of
> security.
>
> ---------------------
> Blake Carver
> LISNews.com
> http://www.lisnews.com
> Librarian and Information Science News
>
>
> _______________________________________________
> phpslash-users mailing list
> php...@li...
> http://lists.sourceforge.net/mailman/listinfo/phpslash-users
>

----------------------------------------------------------------
Satyajot (Ajay) Sharma
ss...@od...
Digital Odyssey System Administrator
WWJMD - What would Jim Morrison do.
----------------------------------------------------------------
From: Harry Z. <hz...@fi...> - 2000-10-01 18:31:37
on 9/29/00 6:03 PM, Ajay Sharma at ss...@od... wrote:

> Our security is a joke but since it's all getting re-written in 0.7,
> there's no use spending a lot of time on it now.

Which appears to be the same reasoning Rob applies, and which Nathan has raked him over the coals for - when the present PHPSlash scheme "is a joke" as well. At least Rob's only has this one (known) security issue, that can only be exploited under specific conditions, if you think about it.

Harry

--
"God is omnipotent, omniscient, and omnibenevolent---it says so right here on the label. If you have a mind capable of believing all three of these divine attributes simultaneously, I have a wonderful bargain for you. No checks, please. Cash and in small bills."
--Lazarus Long
From: Harry Z. <hz...@fi...> - 2000-09-29 18:11:18
on 9/29/00 6:15 PM, Blake Carver at btc...@li... wrote:

> not sure what this means for us, maybe something to think about in terms of
> security.

Not much, unless you can do something in code to fix wetware... The /. hack was due to them leaving a virgin version of a slash installation on the same box, with unchanged 'God' passwords.

It was human error, and the hack wasn't malicious.

Harry
From: nathan r. h. <nh...@ar...> - 2000-09-29 18:28:57
On Fri, 29 Sep 2000, Harry Zink wrote:

> on 9/29/00 6:15 PM, Blake Carver at btc...@li... wrote:
>
> > not sure what this means for us, maybe something to think about in terms of
> > security.
>
> Not much, unless you can do something in code to fix wetware... The /. hack
> was due to them leaving a virgin version of a slash installation on the same
> box, with unchanged 'God' passwords.
>
> It was human error, and the hack wasn't malicious.

No. Human error left a hole to gain access to a system that allowed a security hole in existing code to be exploited in order to get the real /. slashcode server. Rob is *playing* this as human error, but that's $problem * .5

-n
--
........
nathan hruby
Webmaster: UGA Department of Drama and Theatre
Project Maintainer: phpSlash, Carousel
nh...@ar...
........
From: Harry Z. <hz...@fi...> - 2000-09-29 21:11:41
on 9/29/00 6:28 PM, nathan r. hruby at nh...@ar... wrote:

> No. Human error left a hole to gain access to a system that allowed a
> security hole in existing code to be exploited in order to get the real /.
> slashcode server.

Yeah, but be serious here, Nathan - the 'security hole' could only be exploited by the equivalent of God/Root access - what you are saying is the same as claiming that any Unix has a gaping security hole, because you can do nasty stuff with root-level access.

You say:

> Fucker. I hope every slashcode site gets hacked and the ops beat Rob to
> death. How the hell can you have a known hole and not patch it? Stupid.
> Stupid. Stupid.

Yet, just several sentences earlier you stated:

> We have inherited the crappy auth scheme the current slashcode has. It
> will be fixed in 0.65 when we move to md5 passwords (a'la phplib).

So, you are saying the existing code ALSO has a KNOWN SECURITY PROBLEM, yet you didn't fix it yet, because 0.65 will fix it. Isn't that the same critique you say about Rob:

> Rob is touting slashcode-2.0 to fix these problems, but I don't think
> that it's near beta quality yet ('tis a mostly complete rebuild to OO-ify
> and clean and fix their auth and templates..)

Is 0.65 near beta quality?

Seriously, Nathan - I think you are WAY blowing this out of proportion, or you have some sort of axe to grind - either way, the old advice about glass houses applies...

Don't bitch about what a fool Rob is - just don't be one yourself. Rob has been doing pretty well with /. so far.

Harry
From: nathan r. h. <nh...@ar...> - 2000-09-30 03:51:46
On Fri, 29 Sep 2000, Harry Zink wrote:

> on 9/29/00 6:28 PM, nathan r. hruby at nh...@ar... wrote:
>
> > No. Human error left a hole to gain access to a system that allowed a
> > security hole in existing code to be exploited in order to get the real /.
> > slashcode server.
>
> Yeah, but be serious here, Nathan - the 'security hole' could only be exploited
> by the equivalent of God/Root access - what you are saying is the same as
> claiming that any Unix has a gaping security hole, because you can do nasty
> stuff with root-level access.

God access can be faked a lot easier than root. Remember that God = a high enough $seclev, while root on a unix box is uid = 0. So on any particular site all you need is the account of someone with a high enough $seclev, of which there can be several. The analogy of God == root is poor, and doesn't work.

> You say:
>
> > Fucker. I hope every slashcode site gets hacked and the ops beat Rob to
> > death. How the hell can you have a known hole and not patch it? Stupid.
> > Stupid. Stupid.
>
> Yet, just several sentences earlier you stated:
>
> > We have inherited the crappy auth scheme the current slashcode has. It
> > will be fixed in 0.65 when we move to md5 passwords (a'la phplib).
>
> So, you are saying the existing code ALSO has a KNOWN SECURITY PROBLEM, yet
> you didn't fix it yet, because 0.65 will fix it. Isn't that the same
> critique you say about Rob:

We inherited plaintext passwords; we didn't inherit the hole that allowed access to the main slashdot server (based in the template code that developed between 0.3-pre and 0.9), so no: it's not the same thing. Plaintext passwords are bad if someone can sniff a network between you and the server. (If someone roots your db server, you have bigger issues; plaintext or not you're in trouble, and if someone sniffs your password off the net and impersonates you, you can be happy at least that you don't have to rebuild your machine.)

A devel box that an admin was too sloppy to change the password on *and* lived on a network that allowed direct network sniffing to the production server is sloppy human error. The two combined created a hole that could be used to exploit a *real* hole. The admin issues I have no real problems with, it happened, but why would God access allow people to execute random code on the server? It shouldn't have in the first place. Rob said this was a known problem (the ability to exploit the templates code) so it should have been fixed. Had it been, /. would never have been hacked.

> > Rob is touting slashcode-2.0 to fix these problems, but I don't think
> > that it's near beta quality yet ('tis a mostly complete rebuild to OO-ify
> > and clean and fix their auth and templates..)
>
> Is 0.65 near beta quality?

No. Why? I'm certainly not touting it like it's almost here.

> Seriously, Nathan - I think you are WAY blowing this out of proportion, or
> you have some sort of axe to grind - either way, the old advice about glass
> houses applies...

I live in a 200-year-old textile mill with 2 foot solid brick walls that has survived several floods from the river a few feet away. I'm not really worried :)

Really, I'm not blowing this out of proportion, you're succumbing to Rob's spin doctoring. The fact of the matter was that human error aside, there's still a hole in the slashcode that allows the execution of random code: that is wrong and insecure. What's worse is that it was known about and never fixed, which is where my problem lies. I don't see how you can justify that.

> Don't bitch about what a fool Rob is - just don't be one yourself. Rob has
> been doing pretty well with /. so far.

Rob posts very little on /. anymore, and really never adds any interesting commentary to the things that other people send him (if you consider "How can we get linux running on this?" an intelligent comment you need to go back to college). Slashdot was a fluke that happened at *just* the right time.

-n
........
nathan hruby
Webmaster: UGA Department of Drama and Theatre
Project Maintainer: phpSlash, Carousel
nh...@ar...
........
From: Harry Z. <hz...@fi...> - 2000-10-01 19:18:12
on 9/30/00 3:51 AM, nathan r. hruby at nh...@ar... wrote:

> The analogy of God == root is poor, and
> doesn't work.

Yeah, it certainly does, since both require having a password available in order to do any damage. The only difference would be that Slash comes with a default God password pre-installed, and Unix doesn't - but in both cases, the responsibility lies with the SysAdmin to provide a secure password, or change to a secure password. The /. hack came out of leaving a copy with the default passwords, which is no different than a SysAdmin setting up a system with '12345' as the root password (which I've seen as well). Ultimately, the weak link is the human factor that assigns a cheesy password.

> So on any particular
> site all you need is the account of someone with a high enough $seclev of
> which there can be several.

Yeah, but none of these accounts would be useful, or accessible unless the password was known. Hence, the analogy does fit on that level.

Harry

--
"God split himself into a myriad parts that he might have friends." This may not be true, but it sounds good---and is no sillier than any other theology.
--Lazarus Long
From: Russell M. <ru...@fl...> - 2000-09-30 01:08:16
On Fri, 29 Sep 2000, nathan r. hruby wrote:

> are planning on having a XML syndication subsystem, so at some point that
> could happen, but I've really never actually had the thought... (How
> would one authenticate without sending a cleartext password over 8
> billion SMTP servers?)-n

I understand the separate question about an XML syndication subsystem, and have interest myself. But I think the question of email/news submission of stories would be much simpler.

The submission of stories wouldn't need to automatically approve the article, nor contain a password. Once I dive into the new version (Time is killing me on other projects at the moment) I plan to write some RFC822->PHPSlash stuff in PERL to allow email submission of articles into the "submissions" queue. It may even be appropriate for some sites to have certain 'topics' able to be posted to directly, with the homepage/rss/etc only publishing the headlines of a subset of topics.

I recently dumped a CGI based Web-based-Newsreader in favor of a PHP3/MySQL based system <http://www.flora.org/flora/forumdb/> for which I'd love to integrate into PHPSlash in some way at some later date.

---
Russell McOrmond, Internet Consultant: <http://russell.flora.org/work/>
Elect Ralph Nader for U.S. President! <http://www.votenader.org/>
http://Ottawa2000.flora.org/
Article: Reducing gas taxes would be futile http://www.flora.org/afo/forum/2937 Oil Prices; They are no surprise!
From: nathan r. h. <nh...@ar...> - 2000-09-30 04:00:38
On Fri, 29 Sep 2000, Russell McOrmond wrote:

> I understand the separate question about an XML syndication subsystem,
> and have interest myself. But I think the question of email/news
> submission of stories would be much simpler.

Yes, you're right, but neither has received much thought.

> The submission of stories wouldn't need to automatically approve the
> article, nor contain a password. Once I dive into the new version (Time
> is killing me on other projects at the moment) I plan to write some
> RFC822->PHPSlash stuff in PERL to allow email submission of articles into
> the "submissions" queue. It may even be appropriate for some sites to
> have certain 'topics' able to be posted to directly, with the
> homepage/rss/etc only publishing the headlines of a subset of topics.

Easy, set up a mail alias that pointed to a script that did all the db stuff. Had you the CGI php installed you could simply include the Submission.class and subclass it to do what you wanted. It's doable in perl, but why :)

> I recently dumped a CGI based Web-based-Newsreader in favor of a
> PHP3/MySQL based system <http://www.flora.org/flora/forumdb/> for which
> I'd love to integrate into PHPSlash in some way at some later date.

One way communication is easy (either way), it's two way with user info that's a real bitch.

-n
--
........
nathan hruby
Webmaster: UGA Department of Drama and Theatre
Project Maintainer: phpSlash, Carousel
nh...@ar...
........
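Russell's idea above is an RFC822-to-submissions-queue path that needs no password, and the reply sketches it as a mail alias feeding a script. The block below is an added example of that script's parsing half, written by me in Python's standard email library rather than the Perl or PHP the thread mentions; it is not phpslash code. It takes a raw message, pulls the topic out of a bracketed Subject prefix, accepts only a text/plain body within a size cap, and never auto-approves: the From header is attacker-controlled, so direct publishing is decided per topic by site policy, not per sender. The topic list, the Submission fields and both sample messages are constructed for the example.

```python
import email
import re
from dataclasses import dataclass
from email import policy

# Assumed site policy: mail to these topics publishes directly; everything else
# lands in the submissions queue for an editor. Keep this list short.
DIRECT_POST_TOPICS = frozenset({"announce"})
MAX_BODY_CHARS = 20_000

# Subject convention assumed here: "[topic] Title of the story".
SUBJECT_RE = re.compile(r"^\[([A-Za-z0-9_-]+)\]\s*(.+)$")


@dataclass
class Submission:
    submitter: str   # address from the From header; informational, not authenticated
    topic: str       # "" when the Subject carried no [topic] prefix
    title: str
    body: str
    approved: bool   # True only for direct-post topics


def parse_subject(subject):
    """Split "[topic] Title" into (topic, title); topic is None without a prefix."""
    m = SUBJECT_RE.match(subject.strip())
    if not m:
        return None, subject.strip()
    return m.group(1).lower(), m.group(2).strip()


def submission_from_mail(raw, direct_topics=DIRECT_POST_TOPICS):
    """Turn one RFC822 message into a queue record, or raise ValueError."""
    msg = email.message_from_string(raw, policy=policy.default)
    topic, title = parse_subject(msg["Subject"] or "")
    if not title:
        raise ValueError("missing Subject / title")
    # Only a text/plain part is accepted; HTML-only mail is refused outright
    # rather than rendered, which keeps the submitter from supplying markup.
    part = msg.get_body(preferencelist=("plain",))
    if part is None:
        raise ValueError("no text/plain part")
    body = part.get_content().strip()
    if not body or len(body) > MAX_BODY_CHARS:
        raise ValueError("empty or oversized body")
    from_hdr = msg["From"]
    submitter = (
        from_hdr.addresses[0].addr_spec if from_hdr and from_hdr.addresses else "unknown"
    )
    return Submission(
        submitter=submitter,
        topic=topic or "",
        title=title,
        body=body,
        approved=topic in direct_topics,
    )


def is_rejected(raw):
    """True when the message fails validation (used for the sample below)."""
    try:
        submission_from_mail(raw)
    except ValueError:
        return True
    return False


# Constructed sample messages, not real list traffic.
MAIL_QUEUED = """\
From: Russell <russell@example.invalid>
To: submit@example.invalid
Subject: [news] Reducing gas taxes would be futile
Content-Type: text/plain; charset=utf-8

Sample body, constructed for this example.
"""

MAIL_HTML_ONLY = """\
From: someone@example.invalid
To: submit@example.invalid
Subject: [announce] Hello
Content-Type: text/html; charset=utf-8

<p>Sample</p>
"""

if __name__ == "__main__":
    print(submission_from_mail(MAIL_QUEUED))   # topic "news", approved False
    print(is_rejected(MAIL_HTML_ONLY))         # True
```

The other half, inserting the Submission into the queue table, is the part the reply suggests doing by subclassing Submission.class; whatever does it should keep approved=False as the default so a forged From line can at most add a queue entry for an editor to discard.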