From: Jim W. <spi...@us...> - 2005-02-26 15:23:13
I hope your branches are still working (Or how about the most basic regression
testing before committing to cvs and announcing fixes on the internet ;-))

An easy one to miss and glad I remembered to check this time! The following
edit around line 163 or so will fix it:

Change

require_once './core/Debug.php';

to

require_once $hub_dir . '/core/Debug.php';

Otherwise patch works great. Thanks for the quick fix on this.

Best regards,

Jim Wilson

> From: Matthew McNaney
>
> We have created an updated patch.
> http://phpwebsite.appstate.edu/downloads/security/phpws_files_security_patch.tgz
>
> It contains the search fix and a new function in the index.php that
> scrubs ANY uploaded file. This fix should work for all modules.
>
> The calendar and announcement patch file are still on the site.
>
> Thank you for your patience with this issue.
>
> --
> Matthew McNaney
> Electronic Student Services
> Appalachian State University
> http://phpwebsite.appstate.edu
From: Jim W. <spi...@us...> - 2005-02-27 18:23:11
Hi Wendall,

Sure I know all this having written many bugs myself. The "wink" emoticon and
reference to "most basic" was just to say maybe simply trying to access a branch
site once would've caught it. But I also said, "An easy one to miss and glad I
remembered to check this time!" In fact I mistyped the recommended fix in my
earlier email! It was incorrect and did not match what I actually did to the
code here. Mistakes happen. BTW...for readers...the correction is elsewhere in
this thread.

So no criticism intended. In fact as I said before, the quick response on this
issue is very much appreciated.

Thanks,

Jim

> From: wendall
>
> Jim,
>
> The issue was that somebody posted this exploit to a public list without
> letting the development team know. When things like this happen,
> regression testing isn't possible. Unless you'd like to wait a few days
> for security releases that are in the wild. Regression testing is fine for
> normal things. All fixes are announced on the internet as well. Either
> through the bug tracker on sf.net or with new releases. Spend the time and
> write all regression tests and I'm sure they'd be considered. If you
> understand the nature of cvs commits, you'd know that only released code
> gets tested. The cvs repository can and often contains bugs. Or sometimes
> doesn't work at all. The primary purpose of cvs isn't for building
> functional code. That's what release processes are for. There will have to
> be a lot more testing on the latest fix before it is finalized. It was a
> hack to get things protected for users. There will be more work on this
> and a more formally tested release given.
>
> Wendall
>
> > On Sat, 2005-02-26 at 07:21, Jim Wilson wrote:
> >> how about the most basic regression testing before committing to cvs and
> >> announcing fixes on the internet
> >
> > Jim,
> > I've advocated Unit Testing for that, but the developers don't think
> > it's a worthwhile idea.
> >
> > Functional testing, Performance testing, HTML testing, and PHP
> > testing
> >
> > http://opensourcetesting.org/
> >
> > --
> > Mike Noyes <mhnoyes at users.sourceforge.net>
> > http://sourceforge.net/users/mhnoyes/
> > SF.net Projects: ffl, leaf, phpwebsite, phpwebsite-comm, sitedocs
> >
> > -------------------------------------------------------
> > SF email is sponsored by - The IT Product Guide
> > Read honest & candid reviews on hundreds of IT Products from real users.
> > Discover which products truly live up to the hype. Start reading now.
> > http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
> >
> > Phpwebsite-developers mailing list
> > Php...@li...
> > https://lists.sourceforge.net/lists/listinfo/phpwebsite-developers
From: Mike N. <mh...@us...> - 2005-02-26 17:56:16
On Sat, 2005-02-26 at 07:21, Jim Wilson wrote:
> how about the most basic regression testing before committing to cvs and
> announcing fixes on the internet

Jim,
I've advocated Unit Testing for that, but the developers don't think
it's a worthwhile idea.

Functional testing, Performance testing, HTML testing, and PHP testing

http://opensourcetesting.org/

--
Mike Noyes <mhnoyes at users.sourceforge.net>
http://sourceforge.net/users/mhnoyes/
SF.net Projects: ffl, leaf, phpwebsite, phpwebsite-comm, sitedocs
From: <wen...@to...> - 2005-02-27 02:39:34
Jim,

The issue was that somebody posted this exploit to a public list without
letting the development team know. When things like this happen,
regression testing isn't possible. Unless you'd like to wait a few days
for security releases that are in the wild. Regression testing is fine for
normal things. All fixes are announced on the internet as well. Either
through the bug tracker on sf.net or with new releases. Spend the time and
write all regression tests and I'm sure they'd be considered. If you
understand the nature of cvs commits, you'd know that only released code
gets tested. The cvs repository can and often contains bugs. Or sometimes
doesn't work at all. The primary purpose of cvs isn't for building
functional code. That's what release processes are for. There will have to
be a lot more testing on the latest fix before it is finalized. It was a
hack to get things protected for users. There will be more work on this
and a more formally tested release given.

Wendall

> On Sat, 2005-02-26 at 07:21, Jim Wilson wrote:
>> how about the most basic regression testing before committing to cvs and
>> announcing fixes on the internet
>
> Jim,
> I've advocated Unit Testing for that, but the developers don't think
> it's a worthwhile idea.
>
> Functional testing, Performance testing, HTML testing, and PHP
> testing
>
> http://opensourcetesting.org/
>
> --
> Mike Noyes <mhnoyes at users.sourceforge.net>
> http://sourceforge.net/users/mhnoyes/
> SF.net Projects: ffl, leaf, phpwebsite, phpwebsite-comm, sitedocs
From: Ken N. <ke...@co...> - 2005-02-27 15:03:26
On Sat, 2005-02-26 at 10:21 -0500, Jim Wilson wrote:
<snip>
> Change
> require_once './core/Debug.php';
> to
> require_once $hub_dir . '/core/Debug.php';
</snip>

The change should actually be:

require_once $hub_dir . 'core/Debug.php';

Sans the leading / in front of core.

Regards,
Ken

--
Ken Nordquist
"Community Marketing for the Next Generation"
Call Us Toll Free: 866-621-4043
http://communitygems.com
From: Matthew M. <ma...@tu...> - 2005-02-28 13:59:18
Remove it entirely. This was left in by accident during testing.

On Sat, 2005-02-26 at 10:21 -0500, Jim Wilson wrote:
> I hope your branches are still working (Or how about the most basic
> regression testing before committing to cvs and announcing fixes on the
> internet ;-))
>
> An easy one to miss and glad I remembered to check this time! The
> following edit around line 163 or so will fix it:
>
> Change
>
> require_once './core/Debug.php';
>
> to
> require_once $hub_dir . '/core/Debug.php';
>
> Otherwise patch works great. Thanks for the quick fix on this.
>
> Best regards,
>
> Jim Wilson
>
> > From: Matthew McNaney
> >
> > We have created an updated patch.
> > http://phpwebsite.appstate.edu/downloads/security/phpws_files_security_patch.tgz
> >
> > It contains the search fix and a new function in the index.php that
> > scrubs ANY uploaded file. This fix should work for all modules.
> >
> > The calendar and announcement patch file are still on the site.
> >
> > Thank you for your patience with this issue.
> >
> > --
> > Matthew McNaney
> > Electronic Student Services
> > Appalachian State University
> > http://phpwebsite.appstate.edu

--
Matthew McNaney
Electronic Student Services
Appalachian State University
http://phpwebsite.appstate.edu