Demo Discussion
Forum Config Examples Contributions Vulnerabilities
  Discussion forum about ELOG, Page 695 of 808  Not logged in ELOG logo
 Find |  Login |  Help 
 Full | Summary | Threaded | Hide attachments  Show all entries    6460 Entries 
Goto page Previous  1, 2, 3 ... 694, 695, 696 ... 806, 807, 808   Next  
ID Date Icon Author Author Email Category OSdown ELOG Version Subject
  66314   Tue Apr 14 22:51:15 2009 Warning Simon Pattonsjpatton@lbl.govBug fixAll2.7.6Long cookie content is not handled properly.
I discovered the infinite loop in 2.7.5 which can happen when a cookie's content is longer that the cookie array
designed to hold it. I also note that this issue has been addressed in 2.7.6, but the solution does not appear
to be correct and it can end up completely confusing the cookie extraction.

In 2.7.5 the code was:
    for (i = 0; *p && *p != ';' && *p != '\r' && *p != '\n' ; )
        if (i < (int) sizeof(cookie)-1)
            cookie[i++] = *p++;

While in 2.7.6 is became:
    for (i = 0; *p && *p != ';' && *p != '\r' && *p != '\n';)
        if (i < (int) sizeof(cookie) - 1)
            cookie[i++] = *p++;
        else
            break;

This leaves 'p' pointing to the middle of the cookie's content and I can not see that this is corrected in the loop (sorry if I've missed that).

The solution I used to patch 2.7.5 was the following:
    for (i = 0; *p && *p != ';' && *p != '\r' && *p != '\n' ; ++p)
        if (i < (int) sizeof(cookie)-1)
            cookie[i++] = *p;

which simply truncates the contents of the cookie (which is assumed not to be an elogd cookie) but leaves 'p' in the right place to extract the next one.
  66315   Wed Apr 15 09:26:37 2009 Reply Stefan Rittstefan.ritt@psi.chBug fixAll2.7.6Re: Long cookie content is not handled properly.

Simon Patton wrote:
I discovered the infinite loop in 2.7.5 which can happen when a cookie's content is longer that the cookie array
designed to hold it. I also note that this issue has been addressed in 2.7.6, but the solution does not appear
to be correct and it can end up completely confusing the cookie extraction.

In 2.7.5 the code was:
    for (i = 0; *p && *p != ';' && *p != '\r' && *p != '\n' ; )
        if (i < (int) sizeof(cookie)-1)
            cookie[i++] = *p++;

While in 2.7.6 is became:
    for (i = 0; *p && *p != ';' && *p != '\r' && *p != '\n';)
        if (i < (int) sizeof(cookie) - 1)
            cookie[i++] = *p++;
        else
            break;

This leaves 'p' pointing to the middle of the cookie's content and I can not see that this is corrected in the loop (sorry if I've missed that).

The solution I used to patch 2.7.5 was the following:
    for (i = 0; *p && *p != ';' && *p != '\r' && *p != '\n' ; ++p)
        if (i < (int) sizeof(cookie)-1)
            cookie[i++] = *p;

which simply truncates the contents of the cookie (which is assumed not to be an elogd cookie) but leaves 'p' in the right place to extract the next one.


You're absolutely right about that. I incorporated your patch into revision #2192.
  66320   Wed Apr 15 17:57:19 2009 Question Dennis Seitzdenseitz@comcast.netQuestionAll2.7.5Config so that users can delete only their own entries?
I've tried

Deny_Delete = All
Allow Delete = $author

and just
Allow Delete = $author

But either users can delete anyone's entries, or they can't delete any entries.

Am I missing something? If not, can you add the capability to allow users to delete, but only their own entries?

Thanks as usual for a great piece of code!
  66321   Thu Apr 16 08:34:03 2009 Reply Stefan Rittstefan.ritt@psi.chQuestionAll2.7.5Re: Config so that users can delete only their own entries?

Dennis Seitz wrote:
I've tried

Deny_Delete = All
Allow Delete = $author

and just
Allow Delete = $author

But either users can delete anyone's entries, or they can't delete any entries.

Am I missing something? If not, can you add the capability to allow users to delete, but only their own entries?

Thanks as usual for a great piece of code!


You cannot put $author into any Allow or Deny option, only explicit login names (not "full" names). What you want however is
Restrict Edit = 1

which lets only the original author either delete or edit entries. If you use that option, you probably want as well
Preset Author = $long_name
Preset on reply Author = $long_name
Preset on duplicate Author = $long_name
Locked Attributes = Author

So a user cannot pretend to be somebody else. You also need a valid "admin user = ..." statement. Note that the admin user always can delete/edit entries. If no admin user is defined, everybody has automatically admin rights, so Restrict Edit has no effect.
  66323   Sat Apr 18 00:33:53 2009 Reply Dennis Seitzdseitz@berkeley.eduQuestionAll2.7.5Re: Config so that users can delete only their own entries?
Thanks for reminding me of that, it will do fine. A suggestion: Separate Restrict Edit into Restrict Edit and Restrict Delete or some functional equivalent. Then we have the choice to restrict one or the other or both. Is that worth doing?


Stefan Ritt wrote:

Dennis Seitz wrote:
I've tried

Deny_Delete = All
Allow Delete = $author

and just
Allow Delete = $author

But either users can delete anyone's entries, or they can't delete any entries.

Am I missing something? If not, can you add the capability to allow users to delete, but only their own entries?

Thanks as usual for a great piece of code!


You cannot put $author into any Allow or Deny option, only explicit login names (not "full" names). What you want however is
Restrict Edit = 1

which lets only the original author either delete or edit entries. If you use that option, you probably want as well
Preset Author = $long_name
Preset on reply Author = $long_name
Preset on duplicate Author = $long_name
Locked Attributes = Author

So a user cannot pretend to be somebody else. You also need a valid "admin user = ..." statement. Note that the admin user always can delete/edit entries. If no admin user is defined, everybody has automatically admin rights, so Restrict Edit has no effect.
  66346   Tue May 5 01:47:36 2009 Question Rich Sterlingrbsterli@juno.comQuestionAll2.7.6Office 2007 file attachments download as zip due to mime config

Submitted as a question because some folks may consider this a bug in IE (but not MS obviously because IE8 does the same).  When you upload a new open XML attachment (Office 2007 file extension, docx, ppts, xlsx, etc) the attachment is not recognized properly in IE and it tries to download as a zip file (since the OOXML is actually is a zipped set of XML docs).  This is something that is widely recognized on the Internet ( http://www.google.com/search?hl=en&q=docx+internet+explorer+zip&aq=1&oq=docx+internet ) but is typically resolved by adding the mime extensions at the web server level. 

Are there any plans to add the new mime extensions to the elogd.c source? (Instead of forcing users to use FireFox or Right click, save-as and rename?

http://www.bram.us/2007/05/25/office-2007-mime-types-for-iis/

Regards,

rbsterli

   {
   ".AI", "application/postscript"}, {
   ".ASC", "text/plain"}, {
   ".BZ2", "application/x-bzip2"}, {
   ".CFG", "text/plain"}, {
   ".CHRT", "application/x-kchart"}, {
   ".CONF", "text/plain"}, {
   ".CSH", "application/x-csh"}, {
   ".CSS", "text/css"}, {
   ".DOC", "application/msword"}, {
   ".DVI", "application/x-dvi"}, {
   ".EPS", "application/postscript"}, {
   ".GIF", "image/gif"}, {
   ".GZ", "application/x-gzip"}, {
   ".HTM", "text/html"}, {
   ".HTML", "text/html"}, {
   ".ICO", "image/x-icon"}, {
   ".JPEG", "image/jpeg"}, {
   ".JPG", "image/jpeg"}, {
   ".JS", "application/x-javascript"}, {
   ".KPR", "application/x-kpresenter"}, {
   ".KSP", "application/x-kspread"}, {
   ".KWD", "application/x-kword"}, {
   ".MP3", "audio/mpeg"}, {
   ".OGG", "application/x-ogg"}, {
   ".PDF", "application/pdf"}, {
   ".PNG", "image/png"}, {
   ".PS", "application/postscript"}, {
   ".RAM", "audio/x-pn-realaudio"}, {
   ".RM", "audio/x-pn-realaudio"}, {
   ".RM", "audio/x-pn-realaudio"}, {
   ".RM", "audio/x-pn-realaudio"}, {
   ".RPM", "application/x-rpm"}, {
   ".RTF", "application/rtf"}, {
   ".SH", "application/x-sh"}, {
   ".TAR", "application/x-tar"}, {
   ".TCL", "application/x-tcl"}, {
   ".TEX", "application/x-tex"}, {
   ".TGZ", "application/x-gzip"}, {
   ".TIF", "image/tiff"}, {
   ".TIFF", "image/tiff"}, {
   ".TXT", "text/plain"}, {
   ".WAV", "audio/x-wav"}, {
   ".XLS", "application/x-msexcel"}, {
   ".XML", "text/xml"}, {
   ".XSL", "text/xml"}, {
   ".ZIP", "application/x-zip-compressed"},

Attachment 1: TEST_IN_DOC_FORMAT.doc
Attachment 2: TEST_IN_DOCX_FORMAT.docx
  66347   Wed May 6 15:30:24 2009 Reply Stefan Rittstefan.ritt@psi.chQuestionAll2.7.6Re: Office 2007 file attachments download as zip due to mime config
Rich Sterling wrote:

Are there any plans to add the new mime extensions to the elogd.c source? (Instead of forcing users to use FireFox or Right click, save-as and rename?

 

 Ok, I added the MIME extensions in ELOG Rev. 2196. The forum runs already the updated version, so can you try with the demo attachments from your entry?

  66355   Thu May 7 13:35:32 2009 Reply Rich Sterlingrbsterli@juno.comQuestionAll2.7.6Re: Office 2007 file attachments download as zip due to mime config

Stefan Ritt wrote:
Rich Sterling wrote:

Are there any plans to add the new mime extensions to the elogd.c source? (Instead of forcing users to use FireFox or Right click, save-as and rename?

 

 Ok, I added the MIME extensions in ELOG Rev. 2196. The forum runs already the updated version, so can you try with the demo attachments from your entry?

 It looks good from here!  Thanks!!

Best Regards,

Rich

Goto page Previous  1, 2, 3 ... 694, 695, 696 ... 806, 807, 808   Next  
ELOG V3.1.5-3fb85fa6