From: <php...@li...> - 2002-11-16 21:42:32
|
I noticed some strangeness while coding today.

While posting a form in FatCat, I was forced back to the index.php page. When I try to list the $_POST array, it is empty. I turned off redirection in Opera to see if I was hitting a header, but it didn't seem to be the problem. I also checked some common header redirections but they came up negative as well.

There were two places where it would blank out: pagemaster and fatcat. The shared characteristic of both was they were using multipart forms. Other form submissions ran just fine.

If someone could test the current CVS so I will know it is not the code, I would appreciate it.

I am GUESSING that this is a characteristic of 4.1.2. I know some people have been complaining about getting blank screens when they try to post the main page. This would make sense now as only pagemaster and fatcat use multiforms.

If this is the case, we will need to bump the requirements up to 4.2.0 (or 4.2.2) from 4.1.2. I can't test a higher version of php until I can get to work Monday.

Thanks,
Matt

Matthew McNaney
Internet Systems Architect
Electronic Student Services
Email: ma...@tu...
URL: http://phpwebsite.appstate.edu
Phone: 828-262-6493
ICQ: 141057403
From: <php...@li...> - 2002-11-17 17:24:57
|
> I noticed some strangeness while coding today.

Update: I reinstalled phpWS at work without a problem.

After a little research, I found out this is an old issue. Multipart forms had security issues in < 4.1.2. This version was a bug fix for a security issue.

I believe I might have file_uploads disabled at my home station but it is odd that the form is destroyed instead of just not allowing the file transfer.

In any case, I need a recommendation.

Should setup check for a deactivated file_uploads setting?

Should we code forms to check this variable before adding the multipart parameter?

Should we force a version check > 4.2.2 (the secure version)?

Personally, I am going to vote +1 for 4.2.2 or higher. I don't want to support a version that can be hacked just as we are releasing our newest code. The downside is, of course, the groaning of people we force to upgrade. I would also perform a check on the file_upload setting during install.

Let me hear what you think.
Matt

Matthew McNaney
Internet Systems Architect
Electronic Student Services
Email: ma...@tu...
URL: http://phpwebsite.appstate.edu
Phone: 828-262-6493
ICQ: 141057403
From: <php...@li...> - 2002-11-17 17:46:27
|
On Sun, 2002-11-17 at 09:24, php...@li... wrote:
> Should we force a version check > 4.2.2 (the secure version)?
>
> Personally, I am going to vote +1 for 4.2.2 or higher. I don't want to
> support a version that can be hacked just as we are releasing our newest
> code. The downside is, of course, the groaning of people we force to
> upgrade. I would also perform a check on the file_upload setting during
> install.

+1 to 4.2.2 or higher, provided we can get SourceForge to update from 4.1.2.

SourceForge phpinfo()
PHP Version 4.1.2

PHP Core
Directive       Local Value   Master Value
file_uploads    1             1

Unfortunately, the file_uploads value can only be specified in php.ini. However, the default is 1.

ref. http://www.php.net/manual/en/function.ini-set.php
Name            Default   Changeable
file_uploads    "1"       PHP_INI_SYSTEM

--
Mike Noyes <mhnoyes at users.sourceforge.net>
http://sourceforge.net/users/mhnoyes/
http://leaf-project.org/
http://sitedocs.sf.net/
http://ffl.sf.net/
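An added example (not phpWebSite code, and not written by anyone in this thread) of the two checks proposed above: a setup-time check of the PHP version and the file_uploads setting, and a form-time check that only adds the multipart enctype when uploads are enabled. The function names are hypothetical, and the code is written for a current PHP rather than the 4.x releases under discussion.

```php
<?php
// Added example, not phpWebSite code. All function names are hypothetical.

const MIN_PHP_VERSION = '4.2.2'; // the "4.2.2 or higher" minimum voted on in the thread

// True when an ini value means "on". ini_get() returns "1" for on and
// "" or "0" for off, but can also return the literal text from php.ini.
function ini_flag_enabled($raw): bool
{
    return filter_var($raw, FILTER_VALIDATE_BOOLEAN);
}

// Install-time check: returns a list of problems, empty when setup may proceed.
function check_requirements(string $phpVersion, $fileUploadsRaw): array
{
    $problems = [];
    if (version_compare($phpVersion, MIN_PHP_VERSION, '<')) {
        $problems[] = "PHP $phpVersion is older than the required " . MIN_PHP_VERSION . '.';
    }
    if (!ini_flag_enabled($fileUploadsRaw)) {
        // file_uploads is PHP_INI_SYSTEM, so ini_set() cannot enable it at run time;
        // the installer can only report it.
        $problems[] = 'file_uploads is off; enable it in php.ini to use upload forms.';
    }
    return $problems;
}

// Form-time check: only emit the multipart enctype when uploads can work,
// so an ordinary POST still arrives on a host with uploads disabled.
function form_enctype(bool $hasFileField, $fileUploadsRaw): string
{
    return ($hasFileField && ini_flag_enabled($fileUploadsRaw))
        ? 'multipart/form-data'
        : 'application/x-www-form-urlencoded';
}

// Live values from the running interpreter.
foreach (check_requirements(PHP_VERSION, ini_get('file_uploads')) as $problem) {
    echo "setup: $problem\n";
}

// Constructed inputs: the SourceForge values quoted above, then an uploads-off host.
var_dump(check_requirements('4.1.2', '1'));
var_dump(form_enctype(true, ''));
```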
From: <php...@li...> - 2002-11-18 19:10:26
|
+1 on requiring php v4.2.2, I think this is definitely a much better approach than putting in code to patch a vulnerable version of php.

Steven

>> I noticed some strangeness while coding today.
>
> Update: I reinstalled phpWS at work without a problem.
>
> After a little research, I found out this is an old issue. Multipart
> forms had security issues in < 4.1.2. This version was a bug fix for a
> security issue.
>
> I believe I might have file_uploads disabled at my home station but it
> is odd that the form is destroyed instead of just not allowing the file
> transfer.
>
> In any case, I need a recommendation.
>
> Should setup check for a deactivated file_uploads setting?
>
> Should we code forms to check this variable before adding the multipart
> parameter?
>
> Should we force a version check > 4.2.2 (the secure version)?
>
> Personally, I am going to vote +1 for 4.2.2 or higher. I don't want to
> support a version that can be hacked just as we are releasing our newest
> code. The downside is, of course, the groaning of people we force to
> upgrade. I would also perform a check on the file_upload setting during
> install.
>
> Let me hear what you think.
> Matt
>
> Matthew McNaney
> Internet Systems Architect
> Electronic Student Services
> Email: ma...@tu...
> URL: http://phpwebsite.appstate.edu
> Phone: 828-262-6493
> ICQ: 141057403

--
Steven Levin
Electronic Student Services
Appalachian State University
Phone: 828.262.2431
PhpWebsite Development Team
URL: http://phpwebsite.appstate.edu
Email: st...@NO...
From: <php...@li...> - 2002-11-18 20:00:54
|
+1 on 4.2.2 or higher.

> +1 on requiring php v4.2.2

>> Personally, I am going to vote +1 for 4.2.2 or higher.

--
Brian W. Brown
Director, Electronic Student Services
Room 269, John Thomas Hall
Appalachian State University
Boone, NC 28608
vox: 828-262-7124
fax: 828-262-2585
http://ess.appstate.edu/
http://phpwebsite.appstate.edu/
http://lug.appstate.edu/
From: <php...@li...> - 2002-11-18 20:15:27
|
+1 to 4.2.2 or higher.

On Mon, 18 Nov 2002 php...@li... wrote:
> +1 on 4.2.2 or higher.
>
> > +1 on requiring php v4.2.2
>
> >> Personally, I am going to vote +1 for 4.2.2 or higher.
From: <php...@li...> - 2002-11-18 20:16:03
|
If I may vote ;-)?

+1 on 4.2.2 or higher.

>>> Personally, I am going to vote +1 for 4.2.2 or higher.

Yves Malouin
---------------------------------------------
Malouin Design Graphique
---------------------------------------------
http://www.malouin.qc.ca
Cap-Rouge, (Québec) CANADA