From: Jim Hu <ji...@ta...> - 2005-11-29 15:24:33
Wesley makes a good point. That's why I asked! I uploaded changes to strip .. from cpath. I used str_replace, so if anyone names a directory as this..directory, they're in trouble. However, after uploading one change, I realized that someone might actually use this.directory as a directory name...so that's why there are two rapid CVS uploads in a row from me. Sorry!

I also changed the default time calculation to $getdate = date('Ymd', time() + $second_offset); from a version that used strtotime("now + $second_offset seconds). I think this is slightly more efficient and that it might

I also changed calendar_functions so that instead of using substr (basename($calpath),0,-4), I use return basename($cal_path,".ics"); The prior version truncates the calendar names in the rss feeds.

Chad...I think 2.2 is good to go...while there are still minor bugs, it seems like there were a lot of more major ones with 2.1. Even without the patches I just did, I think we caught most of the things that led to the installation failures being posted on the bbs. publish.php is giving people the usual number of problems, but I'm not sure if there's anything useful to do in the short run.

Jim

> Message: 4
> From: Wesley Miaw <we...@we...>
> Subject: Re: [PHPiCalendar-DEV] Easy solution for customizing
> Date: Mon, 28 Nov 2005 15:57:39 -0800
> To: php...@li...
> Reply-To: php...@li...
>
> Hi Jim,
>
> Unfortunately, that's a bad idea because it opens a major security
> hole. I know from previous devel list mail that some people are using
> PHP iCalendar in multi-user environments. Letting those users put a
> cpath_config.php file into their personal calendar directories makes
> it possible for those users to do lots of bad things.
>
> Also, some $cpath security logic needs to get put in. For example to
> remove any instances of .. or non-directory characters. Probably a
> good idea to make sure it always falls into a subdirectory of the
> main calendar directory, or something similar.
>
> I don't think we should ever make it possible for an end-user instead
> of a sysadmin to make server-side customizations. The $cpath is
> already pretty dangerous in my opinion, but at least it only allows
> access to *.ics files because of how it is used.
>
> On Nov 28, 2005, at 7:43 AM, Jim Hu wrote:
>
>> Last night I was wondering about customizing the webcalendars in
>> different subdirectories specified by cpath. I just realized this
>> is unbelievably easy. I can add this under the code in
>> init.inc.php that sets cpath
>>
>> #this allows you to place a file within a calendar subdirectory to
>> override global settings, or execute local code...e.g. to secure a
>> particular subdirectory.
>> if(is_file("$calendar_path/cpath_config.php")){
>> include ("$calendar_path/cpath_config.php");
>> }
>>
>> Then you can just drop a config file into that directory to
>> override whatever you want, insert login code, etc. I think
>> something like this would be useful for anyone who wants to set up
>> a calendar server service.
>> What do you think? Should I add this to CVS? Or is there a better
>> way to do this?
>
> --
> Wesley Miaw
> we...@we...
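One way to implement the cpath containment check Wesley describes, as an added example in PHP that is not part of PHP iCalendar's code (the function name and the $calendar_root parameter are assumptions): instead of stripping `..` with str_replace, it whitelists each path segment, so a directory literally named this..directory remains usable, and then confirms with realpath() that the resolved directory still lies under the calendar root.

```php
<?php
// Added example, not PHP iCalendar code. Validates a user-supplied $cpath so it
// can only name a subdirectory beneath the configured calendar root. The
// function name and the $calendar_root parameter are assumptions for this demo.

function safe_calendar_subdir(string $calendar_root, string $cpath): ?string
{
    $root = realpath($calendar_root);
    if ($root === false) {
        return null;
    }
    $cpath = trim($cpath, '/');
    if ($cpath === '') {
        return $root;               // no subdirectory requested: use the root itself
    }

    // Require every path segment to be a plain directory name made of letters,
    // digits, dot, dash and underscore. Empty segments, '.' and '..' are rejected
    // outright, so "this..directory" stays usable while a "../" segment never passes.
    foreach (explode('/', $cpath) as $seg) {
        if ($seg === '.' || $seg === '..' || !preg_match('/\A[A-Za-z0-9._-]+\z/', $seg)) {
            return null;
        }
    }

    // Resolve symlinks, then confirm the result is still inside the root.
    $real = realpath($root . '/' . $cpath);
    if ($real === false || !is_dir($real)) {
        return null;
    }
    if (strncmp($real, $root . '/', strlen($root) + 1) !== 0) {
        return null;
    }
    return $real;
}

// Demonstration on a constructed temporary layout (created here, not from the project).
$demoRoot = sys_get_temp_dir() . '/calroot_' . uniqid();
mkdir("$demoRoot/team/this..directory", 0700, true);
var_dump(safe_calendar_subdir($demoRoot, 'team/this..directory'));  // accepted: a real subdirectory
var_dump(safe_calendar_subdir($demoRoot, 'team/../../outside'));    // rejected: '..' segment
var_dump(safe_calendar_subdir($demoRoot, 'team/$bad'));             // rejected: non-directory character
```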