#1021 No version numbers in public frontends

Project: phpGedView
Status: closed-fixed
Priority: 7
Updated: 2010-01-04
Created: 2008-07-21
Creator: Veit
Private: No

Hi all,
it is Best Practice in most internet applications not to show the exact version numbers to the public. They should only be shown in the administration area.

The version number is not of any interest for the public user, but makes it easier for hackers to attack platforms and identify targets easily via search engines.

I have manually changed my version, but it would be fine if this were standard.

Discussion

  • Brian Derr

    Brian Derr - 2008-08-11

    Logged In: YES
    user_id=269413
    Originator: NO

    I agree that this is an issue that needs to be fixed. I'll work on it.

     
  • Brian Derr

    Brian Derr - 2008-08-11
    • priority: 5 --> 7
    • assigned_to: nobody --> bderrly
     
  • Veit

    Veit - 2008-08-11

    Logged In: YES
    user_id=839525
    Originator: YES

    If you like, I can send you my changes.

     
  • Brian Derr

    Brian Derr - 2008-08-12

    Logged In: YES
    user_id=269413
    Originator: NO

    Yeah, attach a diff if you have one.

     
  • Veit

    Veit - 2008-08-12

    Logged In: YES
    user_id=839525
    Originator: YES

    In line 165 of footer.php of the cloudy theme you have to remove the part ' '.PGV_VERSION_TEXT twice. The same for all other themes.

    Also see the diff for functions_print.php; I also included some newlines for more readable HTML output.
    Also line 95 of rss.php, line 269 of ical.php, line 51 of searchengine.php.

    To be discussed: line 64 of reporthtml.php, line 62 of reportpdf.php, lines 239 and 433 of clippings_ctrl.php.
    File Added: functions_print.php.diff

     
  • Veit

    Veit - 2008-08-12

    functions_print.php.diff

     
  • KosherJava

    KosherJava - 2008-08-12

    Logged In: YES
    user_id=634811
    Originator: NO

    Keep in mind that the version appears 3 times, once in the meta tags, a second time in an html comment on the page and a 3rd time in the footer. Just do a "view source" on the index.php and you will find the 3.

     
  • Brian Derr

    Brian Derr - 2008-08-17

    Logged In: YES
    user_id=269413
    Originator: NO

    Submitted changes: SVN 3675

    Take a look at the changes made and verify they work for you. I'm setting this to pending meaning if there is no response this request will close in 30 days.

     
  • Brian Derr

    Brian Derr - 2008-08-17
    • status: open --> pending-fixed
     
  • Veit

    Veit - 2008-08-17
    • status: pending-fixed --> open-fixed
     
  • Veit

    Veit - 2008-08-17

    Logged In: YES
    user_id=839525
    Originator: YES

    I have checked the changes and they look fine. I hadn't in mind that the language files also had version numbers in them.

    Regarding the 3 points I submitted to be discussed, I would suggest changing them also. The report functionality normally is publicly available and also a lot of users have the clipping cart available to the public. My clipping cart is only for registered users.

    Thanks for your work,
    Veit

     
  • Anonymous - 2008-08-17

    Logged In: YES
    user_id=1910459
    Originator: NO

    Sorry, but I think this was an unnecessary change - or at the very least it has been taken too far. I think this should have been raised in the Open Discussion forum first, so that more users could comment. For myself, when I first saw the suggestion I ignored it. When there was no response for a couple weeks I assumed it would not progress.
    The basic arguments were not explored:
    1 - it was said that "it is Best Practice in most internet applications" - but no evidence was given supporting that. I still see plenty of applications that display it.
    2 - "The version number is not of any interest for the public user". That is very wrong. For those of us who regularly help users through the Help forum here, being able to see a user's version number is extremely valuable. Many times users either did not know, or simply got the ver number wrong when requesting help. A quick look at their site often saved much time.
    3 - "makes it easier for hackers to attack platforms and identify targets easily via search engines." - is there evidence that this is a relevant issue to PGV?

    My point is not that this is necessarily a wrong change - but there should be more discussion. (IMHO)

    I would ask that the ver number as used in the footer (which is only shown on mouse-hover) is left in place.
    Have you also removed the version number from the GEDCOM file itself, added during back-ups etc? That again is very valuable data.

     
  • Veit

    Veit - 2008-08-20

    Logged In: YES
    user_id=839525
    Originator: YES

    I have announced this RFE on 21 July in the Open discussion forum in the thread about public svn build numbers and there were no complaints regarding this RFE. The discussion ended with the announcement of my RFE. This was about a month ago.

    The version numbers in GEDCOMs are left in; only the versions from the public frontend are removed, and at the moment they are also not removed from the reports and clipping cart files.

     
  • Anonymous - 2008-08-20

    Logged In: YES
    user_id=1910459
    Originator: NO

    Just my personal opinion, but I think you misunderstand human responses. 'No response' does not equal 'no complaints'. 'No response' does equal 'no interest'. Same applies here.

    This is especially relevant if you read the rest of the Open Discussion topic, which was about how to IMPROVE the version number display, including comments by PGV's two leading developers. Neither of them mentioned or commented on any reason for not displaying them.

     
  • Greg Roach

    Greg Roach - 2008-10-09

    I would prefer this to be reinstated. It adds nothing to security. It is useful for support.

    Don't forget that there are other ways for finding out the version of a site. e.g.

    http://www.olschinski.net/gedview/changelog.txt

     
  • Veit

    Veit - 2008-10-12

    It is not a good idea not to solve a problem with the rationale that there are more of them.
    You are right that other applications have migrated their changelog into a PHP file that is only accessible from the admin interface.

     
  • Veit

    Veit - 2010-01-04
    • status: open-fixed --> closed-fixed
     

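The thread names three places where the version string ends up in the rendered page (meta tag, HTML comment, footer title shown on hover) and describes removing PGV_VERSION_TEXT from the theme footers. The following is an added Python example, not code from phpGedView or from anyone in this thread: a regression check a site operator can run over their own rendered HTML after deploying such a change. The page layout (a `generator` meta tag, a `div` with `id="footer"`) and the version strings are constructed assumptions.

```python
import re

# Constructed sample (not taken from phpGedView): the three places named in the
# thread, meta tag, HTML comment and footer, all carrying a build string.
LEAKY_HTML = """<html><head>
<meta name="generator" content="phpGedView 4.1.5 svn 3600">
<!-- phpGedView 4.1.5 svn 3600 -->
</head><body>
<div id="footer"><a href="http://www.phpgedview.net/"
 title="phpGedView 4.1.5 svn 3600">phpGedView</a></div>
</body></html>"""

# Same constructed page with the version text removed from all three places.
FIXED_HTML = """<html><head>
<meta name="generator" content="phpGedView">
<!-- phpGedView -->
</head><body>
<div id="footer"><a href="http://www.phpgedview.net/"
 title="phpGedView">phpGedView</a></div>
</body></html>"""

# "4.1.5", optionally followed by an svn build number as the thread describes.
VERSION_RE = re.compile(r"\b\d+\.\d+(?:\.\d+)?(?:\s*svn\s*\d+)?", re.I)

def find_version_leaks(html):
    """Return (location, version_string) pairs found in the rendered HTML.

    A title attribute is only displayed on mouse-hover in the browser but is
    still present in the source, so the footer check scans the whole element.
    """
    leaks = []
    for m in re.finditer(r'<meta\s[^>]*name=["\']generator["\'][^>]*>', html, re.I):
        v = VERSION_RE.search(m.group(0))
        if v:
            leaks.append(("meta generator", v.group(0)))
    for m in re.finditer(r"<!--(.*?)-->", html, re.S):
        v = VERSION_RE.search(m.group(1))
        if v:
            leaks.append(("html comment", v.group(0)))
    for m in re.finditer(r'<div\s[^>]*id=["\']footer["\'][^>]*>(.*?)</div>', html, re.I | re.S):
        v = VERSION_RE.search(m.group(0))
        if v:
            leaks.append(("footer", v.group(0)))
    return leaks

if __name__ == "__main__":
    for name, page in (("before", LEAKY_HTML), ("after", FIXED_HTML)):
        print(name, find_version_leaks(page))
```

Pointing the same check at the report, RSS, iCal and clipping-cart outputs mentioned in the thread covers the locations the fix was still to be extended to.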