-
Are you running this on your own box (a test platform, perhaps)? It looks like you have two problems:
This will help with problem #1: http://lists.netfielders.de/pipermail/typo3-english/2005-March/002664.html
The problem is with the Apache server setting "allow_url_fopen". There are good security reasons for leaving that to "off". Apparently, wheatblog requires it to be set to "on."...
12:38PM UTC on Mar 20 2007 in wheatblog
-
Is there any way to delete some (but not all) comments
on a bug tracker item?
James
wheatblog project admin.
03:17PM UTC on Aug 16 2006 in SourceForge.net
-
Logged In: YES
user_id=168317
Petteri,
You are correct that .htaccess is an Apache-specific control.
We only test the app on Apache, so we could make Apache a
requirement, which it already is, for the most part. I know
of no one running the app under other webservers. And I
certainly don't have the time to test it under other servers.
So relying on .htaccess would require making...
02:03PM UTC on Aug 16 2006 in wheatblog
-
Logged In: YES
user_id=168317
Peiter,
No one is asking anyone to "play around with .htaccess
files." The files in question would be included with the
distribution. The users will install these files along
with all the other files that they already have to install.
To them, it's just a matter of uploading a directory. If
they can't handle that, they don't need to be installing...
01:57PM UTC on Aug 16 2006 in wheatblog
-
Logged In: YES
user_id=168317
All,
Instead of (or, perhaps, in addition to) coding around this
problem in PHP, why not use .htaccess to prevent remote file
inclusion:
Order allow,deny
Deny from all
We could include .htaccess files for all of the relevant
directories (admin/, includes/, classes/).
As to Petteri's point about blocking additional...
01:29PM UTC on Aug 16 2006 in wheatblog
-
Logged In: YES
user_id=168317
Here's a little test loop I've been working on:
// set vars for testing ("/path" or "http://")
$wb_session_dir = "http://example.com";
// check the vars
$var_to_check = array("$wb_dir", "$wb_inc_dir",
"$wb_admin_dir",
"$wb_class_dir", "$wb_session_dir");
for($i=0; $i<5; $i++) {
if (preg_match('/^http/i', $var_to_check[$i])...
08:42PM UTC on Aug 14 2006 in wheatblog
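Added example (not part of the original posts and not wheatblog's own code): one way to carry the variable check discussed in these comments further, rejecting any scheme prefix rather than only "http" and then confirming that the value resolves to a real directory inside the installation. The function name wb_local_dir, the temporary base directory and the sample values marked as constructed are assumptions made for illustration.

```php
<?php
// Added example, not wheatblog code. Variable names follow the posts;
// the base directory and sample values below are constructed.

/**
 * Return the canonical path of $value if it is an existing local directory
 * inside $base; return null for URLs, stream wrappers and anything else.
 */
function wb_local_dir(string $value, string $base): ?string
{
    // Reject any scheme prefix (http://, https://, ftp://, php://, data: ...).
    // Two or more characters before the colon, so "C:\..." is not a scheme.
    if (preg_match('/^[a-z][a-z0-9+.\-]+:/i', $value)) {
        return null;
    }
    // realpath() resolves ".." and symlinks; it returns false if nothing is there.
    $real = realpath($value);
    $baseReal = realpath($base);
    if ($real === false || $baseReal === false || !is_dir($real)) {
        return null;
    }
    // The directory must be the base itself or sit below it.
    $prefix = rtrim($baseReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($real . DIRECTORY_SEPARATOR, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real;
}

// Constructed layout so the example runs anywhere.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'wb_example_' . getmypid();
mkdir($base . DIRECTORY_SEPARATOR . 'includes', 0700, true);

$to_check = array(
    'wb_dir'         => $base,
    'wb_inc_dir'     => $base . '/includes',
    'wb_session_dir' => 'http://example.com',          // value from the post
    'wb_class_dir'   => 'HTTPS://example.com/classes', // constructed
    'wb_admin_dir'   => $base . '/includes/../..',     // constructed: leaves the base
);

foreach ($to_check as $name => $value) {
    $dir = wb_local_dir($value, $base);
    echo str_pad('$' . $name, 17), $dir === null ? 'REJECTED' : "ok  $dir", "\n";
}

// Clean up the constructed directories.
rmdir($base . DIRECTORY_SEPARATOR . 'includes');
rmdir($base);
```

A caller would stop with an error, as in the die() check quoted in these comments, whenever the function returns null, and pass only the returned canonical path to include or require.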
-
wheatbread committed patchset 248 of module wheatblog to the wheatblog CVS repository, changing 1 files.
06:27PM UTC on Aug 14 2006 in wheatblog
-
wheatbread committed patchset 247 of module wheatblog to the wheatblog CVS repository, changing 1 files.
03:00PM UTC on Aug 14 2006 in wheatblog
-
Logged In: YES
user_id=168317
I think the quick fix will be to wrap all include/require
statements with some variable checking, following Pete's
example (slightly corrected to include single quotes around
the match string):
if ( preg_match('/^http/', $wb_class_dir) )
die('Error: remote file inclusion is not supported.');
The unstable branch already sets most of this stuff in the.
01:43PM UTC on Aug 14 2006 in wheatblog
-
Logged In: YES
user_id=168317
Note: this bug will also affect previous versions of wB.
I'm grouping it under version 1.1 for convenience.
Wheat.
12:05AM UTC on Aug 14 2006 in wheatblog