Thread: Re: [Phpslash-devel] yet more suggestions for .73...
From: Luis M <le...@ho...> - 2003-05-11 19:23:46
Hi,

> On Sat, 10 May 2003, Luis M wrote:
>
> > ummm it seems that posting code to an article causes phpslash to parse the
> > code. This makes yet another suggestion for the future release:
> >
> > #. Do not parse code coming from articles.
> >
> > Things like having $php variables, or {VAR} containers for templates... They
> > should all be escaped if the text comes from an article. That could
> > potentially eliminate all types of cross-site scripting and sql-code
> > injection that <i>might</i> be lurking in the phpslash code...
>
> Can you please give a very specific example what exactly you did to
> discover this (including html/exttrans/plain settings, phpversion,
> phpslash version, os version, browser, and a step-by-step regression)
> Does this happen every time? If so I'd like to fix this and get it out
> pronto.

I believe this is the same for all versions of phpslash since 0.62 up to 0.72rc1:

1. Go to the Admin section
2. Hit "new" to add a new story
3. Try to add a story that contains Perl code with hashes defined like:
   $myhas{td} . etc...

The {td} part of the hashes will mess up the article badly when previewing. In fact, the whole page gets mumbled with all kinds of crazy things. What I do to fix that is adding spaces between the curly-braces.

I don't think this affects the server directly, nor have I tried to inject any type of code into the database. In other words, I'm assuming this cannot be done and have not tried. In any case, only the users with Admin rights can add news to the site. So, nothing to worry (right?).

However, I believe that the stories (the text coming from the database to be displayed as stories) should not be parsed as if it was a template or as if dynamic PHP code was coming from the database... That could create problems. (It creates problems for people who have sites publishing code, as I do :-) )

----)(-----
Luis Mondesi
System Administrator
LatinoMixed.com
le...@ho...

"...The Mac does this so smoothly, it feels like an extension of your mind." - Paula Speer, MacWorld Magazine 2003-04
Public signature: http://www.latinomixed.com/lems1/public-a.asc
From: Luis M <le...@ho...> - 2003-05-11 21:24:28
Hello,

Read... <snip>

> I have tried this with the current CVS (and current php-lib-stable cvs)
> using both the nobody user / submission page and as a root user using the
> story admin page and cannot replicate this behavior using extrans, html
> or plaintext formats using Safari-b2.

I'm using phpslash 0.71 with the latest Mozilla 1.3 build for debian unstable.

> Please, what versions of phpslash, phplib and php are you running? Does
> the above example work exactly as you describe under your environment?
> Can you take a screengrab of what you enter into the page and what the
> preview looks like? Can you send me the exact text that caused this?

phplib that came with the phpslash 0.71 release (phplib 0.7d?). php 4.3 and php 4.1.2 both do exactly the same (two different installations).

> > The {td} part of the hashes will mess up the article badly when previewing.
> > In fact, the whole page gets mumbled with all kinds of crazy things. What I
> > do to fix that is adding spaces between the curly-braces.
>
> Clearly that should not happen.
>
> > I don't think this affects the server directly, nor have I tried to inject any
> > type of code into the database. In other words, I'm assuming this cannot be
> > done and have not tried. In any case, only the users with Admin rights can
> > add news to the site. So, nothing to worry (right?).
>
> If this is a real bug, it may also affect the submission.php page...
>
> > However, I believe that the stories (the text coming from the database to be
> > displayed as stories) should not be parsed as if it was a template or as if
> > dynamic PHP code was coming from the database... That could create problems.
> > (It creates problems for people who have sites publishing code, as I do :-)
>
> The input stuff should clean() the text before it even gets to the
> database. The {} construct is also the same for the phplib template
> placeholder, AFAIK, things that look like {foo} get removed during parsing
> by the template system and should be additionally fixed by the submission
> and story classes. Joe probably knows how this works off the top of his
> head..

The code I'm trying to publish is here:
ftp://ftp.latinomixed.com/downloads/pixdir2html.pl.gz

The only thing I did to that code was to run "cat -n" and save this as a .txt file with line numbers like this:

gunzip pixdir2html.pl.gz
cat -n pixdir2html.pl > pixdir2html.pl.txt

And then try to use the resulting .txt file to make a new story.

I placed a screenshot of a preview story here:
http://www.latinomixed.com/story-preview-screenshot.jpg

Note that this screenshot shows only the first page of the page, the page is a lot longer than this, and it's all garbled all the way up to the end. Let me know if you want to see more of the screen so that I can make more screenshots.

----)(-----
Luis Mondesi
System Administrator
LatinoMixed.com
le...@ho...

"...The Mac does this so smoothly, it feels like an extension of your mind." - Paula Speer, MacWorld Magazine 2003-04
Public signature: http://www.latinomixed.com/lems1/public-a.asc
From: nathan r. h. <na...@ds...> - 2003-05-12 20:58:55
Hi Luis!

On Sun, 11 May 2003, Luis M wrote:

> The code I'm trying to publish is here:
> ftp://ftp.latinomixed.com/downloads/pixdir2html.pl.gz
>
> The only thing I did to that code was to run "cat -n" and save this as a
> .txt file with line numbers like this:
> gunzip pixdir2html.pl.gz
> cat -n pixdir2html.pl > pixdir2html.pl.txt
>
> And then try to use the resulting .txt file to make a new story.
>

I did this exact same procedure.. comment below

> I placed a screenshot of a preview story here:
> http://www.latinomixed.com/story-preview-screenshot.jpg
>

Humm I get something different, but my templates are different from yours.

> Note that this screenshot shows only the first page of the page, the page is
> a lot longer than this, and it's all garbled all the way up to the end. Let
> me know if you want to see more of the screen so that I can make more
> screenshots.
>

The problem I'm seeing is that the resulting preview and story pages will get odd if you post that perl script as either plaintext or HTML and it contains HTML that conflicts with the rest of the page (eg head, body, etc.. tags). When I preview it on my ShankZen derived test install, it starts getting weird at line 31, and each successive html tag causes things to get odder.

The solution to this is to post the story as exttrans the first time you post it so all of the HTML is translated into the proper entities.. However, it does appear that posting as plaintext or HTML and then trying to change the story to exttrans after the fact seems to not work, which is a bug.

Can you try to make a new story with this text and post it (without a preview) as exttrans?

Thanks,

-n
--
------
nathan hruby
na...@ds...
------
From: Joe S. <joe...@us...> - 2003-05-12 21:19:54
On Mon, May 12, 2003 at 01:13:31PM -0700, nathan r. hruby wrote:
> <snip!>
> Can you try to make a new story with this text and post it (without a
> preview) as exttrans?
>

Actually the form says "New Story Options:" to indicate they apply only to new stories. It's just a way of being cowardly and avoiding screwed up articles with no undo function. It can easily be changed to apply to both new and edited articles.

This might be a good time to talk about extending this to a plugin system to allow other text manipulation. Things like wiki style, BBcode, link annotation, glossary links, etc. The story options already allow extensions like this for the display side I think. But nothing as far as text conversion when saving.

Joe

> Thanks,
>
> -n
> --
> ------
> nathan hruby
> na...@ds...
> ------
>
From: nathan r. h. <na...@ds...> - 2003-05-12 21:36:51
On Mon, 12 May 2003, Joe Stewart wrote:

> On Mon, May 12, 2003 at 01:13:31PM -0700, nathan r. hruby wrote:
> > <snip!>
> > Can you try to make a new story with this text and post it (without a
> > preview) as exttrans?
> >
>
> Actually the form says "New Story Options:" to indicate they apply
> only to new stories. It's just a way of being cowardly and avoiding
> screwed up articles with no undo function. It can easily be changed
> to apply to both new and edited articles.
>

Heh :) That's what I get for not reading it right! This works for some cases but not all (eg: exttrans -> html -> extrans); conversion would get weird quick.

> This might be a good time to talk about extending this to a plugin
> system to allow other text manipulation. Things like wiki style,
> BBcode, link annotation, glossary links, etc.
>

backEnd recently got a WikiText and a few other nice things like that. We should look and see if we can steal that ;-)

> The story options already allow extensions like this for the
> display side I think. But nothing as far as text conversion when
> saving.
>

It could be messy. I don't think there's anything wrong with the way it works, other than a lack of a warning in the Modify Story menu.

One thing I'd like to do is go through the interface and add additional help text/hints/explanations for various features. Things are better now, but still could use some work. This might be better with a simple system that opens a popup window containing help text for the page.. eg: www.foo.com/phpslash/help.php?modifyStory would open up a simple no-decorations window and pull some descriptive text either from a file (like the phpslash SGML manual) or database... I think a small script that opens up the manual and jumps to the correct anchor would be the neatest thing, as the script could know where in the manual we need to go, and all the docs remain in the same place.

-n
--
------
nathan hruby
na...@ds...
------
From: Luis M <le...@ho...> - 2003-05-13 01:26:15
> From: "nathan r. hruby" <na...@ds...>
> To: Luis M <le...@ho...>
> CC: <na...@ds...>, <php...@li...>
> Subject: Re: [Phpslash-devel] yet more suggestions for .73...
> Date: Mon, 12 May 2003 13:13:31 -0700 (PDT)
>
> Hi Luis!
>
> On Sun, 11 May 2003, Luis M wrote:
>
> > The code I'm trying to publish is here:
> > ftp://ftp.latinomixed.com/downloads/pixdir2html.pl.gz
> >
> > The only thing I did to that code was to run "cat -n" and save this as a
> > .txt file with line numbers like this:
> > gunzip pixdir2html.pl.gz
> > cat -n pixdir2html.pl > pixdir2html.pl.txt
> >
> > And then try to use the resulting .txt file to make a new story.
> >
>
> I did this exact same procedure.. comment below
>
> > I placed a screenshot of a preview story here:
> > http://www.latinomixed.com/story-preview-screenshot.jpg
> >
>
> Humm I get something different, but my templates are different from yours.
>
> > Note that this screenshot shows only the first page of the page, the page is
> > a lot longer than this, and it's all garbled all the way up to the end. Let
> > me know if you want to see more of the screen so that I can make more
> > screenshots.
> >
>
> The problem I'm seeing is that the resulting preview and story pages will
> get odd if you post that perl script as either plaintext or HTML and it
> contains HTML that conflicts with the rest of the page (eg head, body,
> etc.. tags). When I preview it on my ShankZen derived test install, it
> starts getting weird at line 31, and each successive html tag causes
> things to get odder.
>
> The solution to this is to post the story as exttrans the first time you
> post it so all of the HTML is translated into the proper entities..
> However, it does appear that posting as plaintext or HTML and then trying
> to change the story to exttrans after the fact seems to not work, which
> is a bug.
>
> Can you try to make a new story with this text and post it (without a
> preview) as exttrans?
>

Tried that, this is how it "works":

1. Post the text to a new story and hit ExtraTrans when saving. When I checked the story, it looked garbled. So that didn't work.

2. Post the story without the code mentioned earlier. Then went to "modify" and copied the code into the story body portion. After that hit "extratrans" when previewing (saving it directly didn't work either) and then got a nice preview of how things should work... then I hit save and things get scrambled again... @#$@#%. I hit save using both "html" and "extratrans" and neither worked.

Obviously this is a bug.

----)(-----
Luis Mondesi
System Administrator
LatinoMixed.com
le...@ho...

"...The Mac does this so smoothly, it feels like an extension of your mind." - Paula Speer, MacWorld Magazine 2003-04
Public signature: http://www.latinomixed.com/lems1/public-a.asc
From: nathan r. h. <na...@ds...> - 2003-05-11 20:38:36
On Sun, 11 May 2003, Luis M wrote:

> > Can you please give a very specific example what exactly you did to
> > discover this (including html/exttrans/plain settings, phpversion,
> > phpslash version, os version, browser, and a step-by-step regression)
> > Does this happen every time? If so I'd like to fix this and get it out
> > pronto.
>
> I believe this is the same for all versions of phpslash since 0.62 up to
> 0.72rc1:
>
> 1. Go to the Admin section
> 2. Hit "new" to add a new story
> 3. Try to add a story that contains Perl code with hashes defined like:
>    $myhas{td} . etc...
>

I have tried this with the current CVS (and current php-lib-stable cvs) using both the nobody user / submission page and as a root user using the story admin page and cannot replicate this behavior using extrans, html or plaintext formats using Safari-b2.

Please, what versions of phpslash, phplib and php are you running? Does the above example work exactly as you describe under your environment? Can you take a screengrab of what you enter into the page and what the preview looks like? Can you send me the exact text that caused this?

> The {td} part of the hashes will mess up the article badly when previewing.
> In fact, the whole page gets mumbled with all kinds of crazy things. What I
> do to fix that is adding spaces between the curly-braces.
>

Clearly that should not happen.

> I don't think this affects the server directly, nor have I tried to inject any
> type of code into the database. In other words, I'm assuming this cannot be
> done and have not tried. In any case, only the users with Admin rights can
> add news to the site. So, nothing to worry (right?).
>

If this is a real bug, it may also affect the submission.php page...

> However, I believe that the stories (the text coming from the database to be
> displayed as stories) should not be parsed as if it was a template or as if
> dynamic PHP code was coming from the database... That could create problems.
> (It creates problems for people who have sites publishing code, as I do :-)

The input stuff should clean() the text before it even gets to the database. The {} construct is also the same for the phplib template placeholder, AFAIK, things that look like {foo} get removed during parsing by the template system and should be additionally fixed by the submission and story classes. Joe probably knows how this works off the top of his head..

-n
--
------
nathan hruby
na...@ds...
------
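The two mechanisms the thread circles around, the template pass eating anything that looks like a {foo} placeholder (this message) and the exttrans mode translating posted HTML into entities so it cannot collide with the page's own tags (nathan's 2003-05-12 reply), can be modelled in a few lines. The block below is an added example written for this archive page; it is not phpslash or phplib code. The page template, the placeholder regex, the two-pass "substitute then finish" rendering, the sample Perl line and the mode names are all assumptions based on how the thread describes the behaviour. It shows why a stored story body has to be spliced in as opaque data and never re-scanned, why exttrans keeps a posted script from breaking the page, and why switching a saved story's mode after the fact double-encodes it unless the text is normalised first.

```python
"""Model of the story-rendering problem discussed in the phpslash thread.
Added illustration only; not phpslash or phplib code."""
import html
import re

# phplib-style placeholder syntax: {NAME}  (assumed to match the thread's {foo})
PLACEHOLDER = re.compile(r"\{([A-Za-z_][A-Za-z0-9_]*)\}")

# Constructed page template; not the project's real story template.
STORY_TEMPLATE = '<div class="story"><h2>{TITLE}</h2>\n{BODY}\n</div>'

# Constructed story text: Perl hash subscripts plus HTML, in the spirit of
# the pixdir2html.pl script Luis tried to post.
PERL_STORY = 'print $myhash{td} . "<td>" . $row{td} . "</td>\\n";'


def render_two_pass(template, values):
    """Buggy path (assumed model): substitute placeholders, then run a
    'finish' pass that strips any remaining {foo}. Because the story body
    has already been spliced in, its own {td} tokens are eaten too."""
    page = PLACEHOLDER.sub(lambda m: values.get(m.group(1), m.group(0)), template)
    return PLACEHOLDER.sub("", page)  # finish: remove unknown placeholders


def render_single_pass(template, values):
    """Fixed path: one pass over the template only. Values are inserted as
    opaque data and never re-scanned, so {td} inside a story survives and
    unknown placeholders in the template still get removed."""
    return PLACEHOLDER.sub(lambda m: values.get(m.group(1), ""), template)


def to_exttrans(body):
    """'exttrans' mode: translate HTML special characters to entities so a
    posted script cannot contribute head/body/td tags to the page."""
    return html.escape(body, quote=True)


def convert_mode(body, from_mode, to_mode):
    """Change a stored story's mode without double-encoding. Anything not
    stored as exttrans is treated as raw text (assumption); normalising
    through the raw form makes exttrans -> html -> exttrans stable."""
    raw = html.unescape(body) if from_mode == "exttrans" else body
    return to_exttrans(raw) if to_mode == "exttrans" else raw


def demo():
    """Render the constructed story three ways and return the pages."""
    values = {"TITLE": "pixdir2html.pl", "BODY": PERL_STORY}
    return {
        "buggy": render_two_pass(STORY_TEMPLATE, values),
        "fixed": render_single_pass(STORY_TEMPLATE, values),
        "exttrans": render_single_pass(
            STORY_TEMPLATE, {**values, "BODY": to_exttrans(PERL_STORY)}),
    }


if __name__ == "__main__":
    for name, page in demo().items():
        print(f"--- {name} ---\n{page}\n")
```

Run it and compare the three pages: the "buggy" page has lost both {td} subscripts, which is the symptom Luis describes, the "fixed" page keeps them, and the "exttrans" page keeps them while showing the <td> tags as text instead of markup. The convert_mode round trip is the piece the thread says is missing: re-escaping an already escaped story turns &lt; into &amp;lt;, so a mode change has to go through the raw text first.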