From: Jo R. <jr...@sv...> - 2006-09-16 23:55:51
I think we need to make some changes to the publish system.

Why:

If you use the current system with external authentication, the ics files are protected by the same mechanism as the publish system. This isn't always good -- what if I want to allow publish but not allow direct access to the ICS files?

Likewise, if you are using the PHP authentication then the files aren't protected. (minus using a handler for .ics file access that fails)

In short, I think that the following changes are reasonable and flexible enough for all situations:

Put publish.php in publish/ directory.
  -- an .htaccess file in that directory can control access

Leave calendars in calendars/ directory.
  -- an .htaccess file in that directory can control access

I'd also like to introduce a configuration variable that would control the HTTP authentication realm, instead of having people edit publish.php to control this. Opinions?

Lastly, I'd like to write the log file to a location which is *NOT* accessible. Other files in the distribution fit this description. How about a new directory with a .htaccess file "deny from all" in it?

--
Jo Rhett
senior geek
SVcolo : Silicon Valley Colocation
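The directory split proposed in the message above, sketched as three per-directory Apache files. This is an added example, not part of the original thread or of the PHP iCalendar distribution; the realm string, the password-file path and the `logs/` directory name are assumptions.

```apache
# ===== publish/.htaccess : who may publish (constructed example) =====
# Assumed realm name and password-file path. Keep the password file
# outside the web root.
AuthType Basic
AuthName "Calendar Publish"
AuthUserFile /etc/phpicalendar/publish.htpasswd
Require valid-user

# ===== calendars/.htaccess : who may fetch .ics files directly =====
# Blocks direct HTTP downloads of the calendar files without touching
# the rules for publish/. Omit this file to leave calendars fetchable.
<FilesMatch "\.ics$">
    <IfModule mod_authz_core.c>
        # Apache 2.4 and later
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2 and earlier
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>

# ===== logs/.htaccess : hypothetical log directory, never served =====
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
</IfModule>
```

These rules apply only to HTTP requests, so PHP code that reads `calendars/` or writes the log from disk is unaffected. The server must set `AllowOverride` to include `AuthConfig` (and `Limit` for the 2.2-style directives) for these directories, otherwise the files are ignored or rejected.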
From: Wesley M. <we...@we...> - 2006-09-17 02:37:32
Hi Jo,

Coolness on the work you've done so far, which you sent in your previous email. :)

I guess this is all a result of publish.php being something that was tacked on as a completely external feature. I guess if Jim thinks it makes sense to merge publish.php in as a real PHP iCalendar feature (giving it full-fledged status) then things like defining a log file location and auth realm in the config file make sense.

I don't think we should necessarily specify a specific publish.php log file directory with a .htaccess checked into SourceForge. We could default to /var/log/ and leave any sort of access controls or different destination directories up to the installer.

I am wondering if the logmsg() function should be changed to not open/close the file every single time.

Later,
Wes

On Sep 16, 2006, at 4:54 PM, Jo Rhett wrote:

> I think we need to make some changes to the publish system.
>
> Why:
>
> If you use the current system with external authentication, the ics files are protected by the same mechanism as the publish system. This isn't always good -- what if I want to allow publish but not allow direct access to the ICS files?
>
> Likewise, if you are using the PHP authentication then the files aren't protected. (minus using a handler for .ics file access that fails)
>
> In short, I think that the following changes are reasonable and flexible enough for all situations:
>
> Put publish.php in publish/ directory.
>   -- an .htaccess file in that directory can control access
>
> Leave calendars in calendars/ directory.
>   -- an .htaccess file in that directory can control access
>
> I'd also like to introduce a configuration variable that would control the HTTP authentication realm, instead of having people edit publish.php to control this. Opinions?
>
> Lastly, I'd like to write the log file to a location which is *NOT* accessible. Other files in the distribution fit this description. How about a new directory with a .htaccess file "deny from all" in it?
>
> --
> Jo Rhett
> senior geek
> SVcolo : Silicon Valley Colocation
>
> _______________________________________________
> Phpicalendar-devel mailing list
> Php...@li...
> https://lists.sourceforge.net/lists/listinfo/phpicalendar-devel

--
Wesley Miaw
we...@we...
From: Jo R. <jr...@sv...> - 2006-09-17 07:17:10
On Sat, Sep 16, 2006 at 07:37:30PM -0700, Wesley Miaw wrote:
> I guess this is all a result of publish.php being something that was tacked on as a completely external feature. I guess if Jim thinks it makes sense to merge publish.php in as a real PHP iCalendar feature (giving it full-fledged status) then things like defining a log file location and auth realm in the config file make sense.

Exactly.

> I don't think we should necessarily specify a specific publish.php log file directory with a .htaccess checked into SourceForge. We could default to /var/log/ and leave any sort of access controls or different destination directories up to the installer.

I would make a variable near the top. But if we defined a "safe space" that was protected I would default it to that place.

> I am wondering if the logmsg() function should be changed to not open/close the file every single time.

Yes that can absolutely be done.

--
Jo Rhett
senior geek
SVcolo : Silicon Valley Colocation
From: Jo R. <jr...@sv...> - 2006-09-17 18:39:01
Attachments:
publish.php
On Sat, Sep 16, 2006 at 07:37:30PM -0700, Wesley Miaw wrote:
> I am wondering if the logmsg() function should be changed to not open/close the file every single time.

See attached updated publish.php

--
Jo Rhett
senior geek
SVcolo : Silicon Valley Colocation
From: Jim Hu <ji...@ta...> - 2006-09-17 18:43:00
Jo,

Seems to me that you need to be given CVS access so you can modify publish directly. How does that sound? Do you have a sourceforge ID so I can set you up?

Jim
=====================================
Jim Hu
Associate Professor
Dept. of Biochemistry and Biophysics
2128 TAMU
Texas A&M Univ.
College Station, TX 77843-2128
979-862-4054

On Sep 17, 2006, at 1:37 PM, Jo Rhett wrote:

> On Sat, Sep 16, 2006 at 07:37:30PM -0700, Wesley Miaw wrote:
>> I am wondering if the logmsg() function should be changed to not open/close the file every single time.
>
> See attached updated publish.php
>
> --
> Jo Rhett
> senior geek
> SVcolo : Silicon Valley Colocation
> <publish.php>
From: Jo R. <jr...@sv...> - 2006-09-17 18:47:03
On Sun, Sep 17, 2006 at 01:42:54PM -0500, Jim Hu wrote:
> Seems to me that you need to be given CVS access so you can modify publish directly. How does that sound? Do you have a sourceforge ID so I can set you up?

sourceforge ID 'jrhett'

Sounds fine to me, but I've never dealt with sourceforge CVS and I've heard horror stories about it. If there's a clue-by-4 guide to dealing with it, let me know.

--
Jo Rhett
senior geek
SVcolo : Silicon Valley Colocation
From: Wesley M. <we...@we...> - 2006-09-17 18:56:44
There is some help documentation on the SourceForge web site dealing with CVS and SVN access, but there's nothing special about their installation so I imagine the regular CVS docs should be sufficient.

If you run into problems, you can ask us on the list.

Quoting Jo Rhett <jr...@sv...>:

> On Sun, Sep 17, 2006 at 01:42:54PM -0500, Jim Hu wrote:
>> Seems to me that you need to be given CVS access so you can modify publish directly. How does that sound? Do you have a sourceforge ID so I can set you up?
>
> sourceforge ID 'jrhett'
>
> Sounds fine to me, but I've never dealt with sourceforge CVS and I've heard horror stories about it. If there's a clue-by-4 guide to dealing with it, let me know.

--
Wesley Miaw
http://www.wesman.net/
From: Jim Hu <ji...@ta...> - 2006-09-17 19:50:20
I'm barely competent in it myself, but the key things are:

1. Set up your terminal environment for ssh key generation:

   For tcsh

       setenv CVS_RSH ssh

   for bash:

       export CVS_RSH=ssh

2. Make a key (this step only has to be done the first time you use the CVS)

       ssh-keygen -t dsa -C "USE...@sh..."

   Then go to your Sourceforge account and add your key to your user profile. Wait a bit for the change to propagate through the system

3. To checkout the latest phpicalendar, after cd to the desired directory

       cvs -z3 -d:ext:USE...@ph...:/cvsroot/phpicalendar co -P phpicalendar

4. To save changes in a file

       cvs -z3 -d:ext:USE...@ph...:/cvsroot/phpicalendar commit -m "COMMENT DESCRIBING THE UPDATE."

I forget how to add a file; I think it's add to the local copy and then commit as above. My usual blunder is to save too many changes to the local copy before committing. Also I tend to forget to update the README to describe bug fixes. I think that should do it. If I can do the CVS, anyone can... I don't even know how to apply patches using diff!

=====================================
Jim Hu
Associate Professor
Dept. of Biochemistry and Biophysics
2128 TAMU
Texas A&M Univ.
College Station, TX 77843-2128
979-862-4054

On Sep 17, 2006, at 1:45 PM, Jo Rhett wrote:

> On Sun, Sep 17, 2006 at 01:42:54PM -0500, Jim Hu wrote:
>> Seems to me that you need to be given CVS access so you can modify publish directly. How does that sound? Do you have a sourceforge ID so I can set you up?
>
> sourceforge ID 'jrhett'
>
> Sounds fine to me, but I've never dealt with sourceforge CVS and I've heard horror stories about it. If there's a clue-by-4 guide to dealing with it, let me know.
>
> --
> Jo Rhett
> senior geek
> SVcolo : Silicon Valley Colocation
From: Jo R. <jr...@ne...> - 2006-11-02 06:15:10
Thanks for the primer. I *finally* did that, and am submitting the changes tonight. See my later notes.

Jim Hu wrote:
> I'm barely competent in it myself, but the key things are:
>
> 1. Set up your terminal environment for ssh key generation:
>
>    For tcsh
>
>        setenv CVS_RSH ssh
>
>    for bash:
>
>        export CVS_RSH=ssh
>
> 2. Make a key (this step only has to be done the first time you use the CVS)
>
>        ssh-keygen -t dsa -C "USE...@sh..."
>
>    Then go to your Sourceforge account and add your key to your user profile. Wait a bit for the change to propagate through the system
>
> 3. To checkout the latest phpicalendar, after cd to the desired directory
>
>        cvs -z3 -d:ext:USE...@ph...:/cvsroot/phpicalendar co -P phpicalendar
>
> 4. To save changes in a file
>
>        cvs -z3 -d:ext:USE...@ph...:/cvsroot/phpicalendar commit -m "COMMENT DESCRIBING THE UPDATE."
>
> I forget how to add a file; I think it's add to the local copy and then commit as above. My usual blunder is to save too many changes to the local copy before committing. Also I tend to forget to update the README to describe bug fixes. I think that should do it. If I can do the CVS, anyone can... I don't even know how to apply patches using diff!
>
> =====================================
> Jim Hu
> Associate Professor
> Dept. of Biochemistry and Biophysics
> 2128 TAMU
> Texas A&M Univ.
> College Station, TX 77843-2128
> 979-862-4054
>
> On Sep 17, 2006, at 1:45 PM, Jo Rhett wrote:
>
>> On Sun, Sep 17, 2006 at 01:42:54PM -0500, Jim Hu wrote:
>>> Seems to me that you need to be given CVS access so you can modify publish directly. How does that sound? Do you have a sourceforge ID so I can set you up?
>>
>> sourceforge ID 'jrhett'
>>
>> Sounds fine to me, but I've never dealt with sourceforge CVS and I've heard horror stories about it. If there's a clue-by-4 guide to dealing with it, let me know.
>>
>> --
>> Jo Rhett
>> senior geek
>> SVcolo : Silicon Valley Colocation
From: Jo R. <jr...@ne...> - 2006-11-02 08:41:01
I just submitted another fix to publish.php, preventing the writing of debug messages to open files, etc. stupid bug. I really want to rewrite this from scratch :-(

Anyway, any comments on my desire to put publish.php in a ~/publish/ directory so that you can control access to the publish function separately from access to the calendars themselves?

Jo Rhett wrote:
> Thanks for the primer. I *finally* did that, and am submitting the changes tonight. See my later notes.
>
> Jim Hu wrote:
>> I'm barely competent in it myself, but the key things are:
>>
>> 1. Set up your terminal environment for ssh key generation:
>>
>>    For tcsh
>>
>>        setenv CVS_RSH ssh
>>
>>    for bash:
>>
>>        export CVS_RSH=ssh
>>
>> 2. Make a key (this step only has to be done the first time you use the CVS)
>>
>>        ssh-keygen -t dsa -C "USE...@sh..."
>>
>>    Then go to your Sourceforge account and add your key to your user profile. Wait a bit for the change to propagate through the system
>>
>> 3. To checkout the latest phpicalendar, after cd to the desired directory
>>
>>        cvs -z3 -d:ext:USE...@ph...:/cvsroot/phpicalendar co -P phpicalendar
>>
>> 4. To save changes in a file
>>
>>        cvs -z3 -d:ext:USE...@ph...:/cvsroot/phpicalendar commit -m "COMMENT DESCRIBING THE UPDATE."
>>
>> I forget how to add a file; I think it's add to the local copy and then commit as above. My usual blunder is to save too many changes to the local copy before committing. Also I tend to forget to update the README to describe bug fixes. I think that should do it. If I can do the CVS, anyone can... I don't even know how to apply patches using diff!
>>
>> =====================================
>> Jim Hu
>> Associate Professor
>> Dept. of Biochemistry and Biophysics
>> 2128 TAMU
>> Texas A&M Univ.
>> College Station, TX 77843-2128
>> 979-862-4054
>>
>> On Sep 17, 2006, at 1:45 PM, Jo Rhett wrote:
>>
>>> On Sun, Sep 17, 2006 at 01:42:54PM -0500, Jim Hu wrote:
>>>> Seems to me that you need to be given CVS access so you can modify publish directly. How does that sound? Do you have a sourceforge ID so I can set you up?
>>>
>>> sourceforge ID 'jrhett'
>>>
>>> Sounds fine to me, but I've never dealt with sourceforge CVS and I've heard horror stories about it. If there's a clue-by-4 guide to dealing with it, let me know.
>>>
>>> --
>>> Jo Rhett
>>> senior geek
>>> SVcolo : Silicon Valley Colocation