From: Dietrich A. <die...@ga...> - 2003-11-23 04:11:24
Hi Chad.

Attached is an updated version of publish.php. The bug occurs because the fopen() wrapper "php://input" was first introduced in 4.3.0, and that's what is used to read the calendar input.

The changes in the update:

- added more error checking, and warning suppression for feof() and fclose() calls
- added support for enabling/disabling publishing by setting $phpicalendar_publishing to 1/0 in the config file.

-dietrich

Chad wrote:
> Dietrich, did you ever look at this bug:
>
> http://sourceforge.net/tracker/index.php?func=detail&aid=845351&group_id=62270&atid=500017
>
> I'd like to have some better grasp of how we can make this more
> accessible to older versions of PHP, if that is the problem in this case.
>
> Also, we'll need to have it off by default if it is a security risk.
>
> -C
>
> On Nov 21, 2003, at 1:47 PM, Dietrich Ayala wrote:
>
>> it's mentioned in the publish.php file itself, and should be added to
>> the general installation instructions.
>>
>> we should also have a flag in the configuration file to
>> enable/disable publishing, and have it disabled by default.
>>
>> -dietrich
>>
>> Mike Traum wrote:
>>
>>> I haven't looked closely, but isn't publish.php a security hole,
>>> especially since adding authentication to the calendars folder isn't
>>> mentioned in the Readme?
>>> thanks,
>>> mike