From: <joe...@la...> - 2002-10-16 19:09:01

Hi, I'm new on this forum, but I've been using Mantis since the 0.17 version. I've been interested in security problems, and found an old August post. I have some beginner questions, which may be obvious or out of date :-)

First, what was this "security" about? The different users' status? (for example allowing viewing a page, using a function, etc.)

Second: Jeroen Latour wrote:
"Secondly, we migrate to $_GET/$_POST/$_COOKIE for all f_ variables (and $_REQUEST if a variable can be either from GET or POST), get the configuration settings using a function (i.e. config_get) and the server variables from $_SERVER"

I've seen such an implementation begin in the 0.17.2 (or .3 ?) I think. Could you give an example of concrete "before / after" code in Mantis?

Thanks,
Joelle.
From: Jeroen L. <jl...@ca...> - 2002-10-16 19:34:16

At 21:08 16-10-2002 +0200, you wrote:
> First, what was this "security" about? The different
> users' status? (for example allowing viewing a page, using
> a function, etc.)

It mostly meant making changes to the style of programming to prevent a lot of ways to hack Mantis from opening up.

> Second: Jeroen Latour wrote:
> "Secondly, we migrate to $_GET/$_POST/$_COOKIE for all f_
> variables (and $_REQUEST if a variable can be either from GET or POST), get
> the configuration settings using a function (i.e. config_get)
> and the server variables from $_SERVER"
> I've seen such an implementation begin in the 0.17.2 (or .3 ?)
> I think. Could you give an example of concrete "before /
> after" code in Mantis?

Before:

    include($g_include_meta_file);
    echo $f_somevar;
    do_something($f_something);

After:

    include(config_get('include_meta_file'));
    echo $_REQUEST['f_somevar'];
    do_something($_REQUEST['f_something']);

Or something like that.

Jeroen
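The "after" style Jeroen sketches, carried one step further as an added example (this is not Mantis project code): settings come from a server-side array through config_get(), and request input is read explicitly through a helper that also checks the value's shape. The $g_config contents, the gpc_get() helper and the f_ field names are assumptions.

```php
<?php
// Added example, not Mantis code. Configuration lives only in this
// server-side array, so a request parameter can never rewrite it the way
// a $g_... global could be rewritten under register_globals.
$g_config = array(
    'include_meta_file' => 'meta_inc.php',   // constructed sample setting
    'default_limit'     => 50,
);

// config_get(): the only way page scripts obtain a setting.
function config_get($name) {
    global $g_config;
    if (!array_key_exists($name, $g_config)) {
        trigger_error("Unknown configuration option: $name", E_USER_ERROR);
    }
    return $g_config[$name];
}

// gpc_get(): read a form field by name from POST, then GET (the $_REQUEST
// case in the post), and fall back to $default when the value is absent or
// does not have the expected shape.
function gpc_get($name, $type = 'string', $default = null) {
    if (isset($_POST[$name])) {
        $value = $_POST[$name];
    } elseif (isset($_GET[$name])) {
        $value = $_GET[$name];
    } else {
        return $default;
    }
    if ($type === 'int') {
        // Only an optionally signed run of digits counts as an integer.
        if (!preg_match('/^-?\d+$/', (string) $value)) {
            return $default;
        }
        return (int) $value;
    }
    return (string) $value;
}

// Usage in a page script: the include path comes from config, the form
// fields come from the request, and output is escaped before echoing.
$meta_file = config_get('include_meta_file');   // value passed to include()
$f_bug_id  = gpc_get('f_bug_id', 'int', 0);
$f_summary = gpc_get('f_summary', 'string', '');
echo htmlspecialchars($f_summary, ENT_QUOTES, 'UTF-8');
```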