Discussion forum about ELOG, Page 723 of 796
    Re: elog submit without user and password, posted by H. Scheit on Tue Jul 9 15:28:33 2002
> > With elog it is possible to submit messages to a password protected
> > logbook without specifying the -u option.  I.e. NO PASSWORD is
> > necessary to submit a message.  I assume it is related to the problem
> > of expiring password-cookies while entering the message using a web
> > browser.
> 
> Indeed this problem is related to the expiring password cookies. As a 
> reminder: For the submission of a new entry, the password is checked when one 
> presses the "New" button, but NOT for the "submit". This is because a 
> password can expire between the "New" and the "Submit", so an entered message 
> could not be sent. The question is now what to do with the standalone "elog".
> 
> Right now, elog does a normal submission where the password is not checked, 
> which is maybe not what one wants. But what to do? If elog sends a special 
> flag "please do check password on submit", someone could analyze the source 
> code, remove the flag from elog and then still submit messages without a 
> password. If I put an additional flag to the web browser submission "please 
> do not check the password since the cookie might have been expired", someone 
> can add this flag into elog and still bypass the password checking.

I guess it cannot and doesn't have to be 100% safe.  Maybe if the web
interface is used for a new message a long random number (let's call
it newID) can be included, which elog remembers for some time (say 1
day).  Now elogd accepts a new message only if 

  1) the cookie is there and valid or
  2) if the cookies are NOT THERE, but the newID matches one of the
       stored ones.

The new message is rejected if the cookies are there, but are wrong.

> Another thing which bothers me is if you specify the password explicitly on 
> the command line of elog, it's visible in some scripts etc, which would be a 
> security issue as well.

Maybe the encoded password should be specified.  I use wget to
retrieve some entries automatically over a cron job and with wget
you specify a cookie-file with --cookie-file (or something like
this).  The content of this file corresponds to the content of the
netscape cookie file.

> 
> Any ideas?

Can one delete or edit messages with elog?  If yes then this should not be
possible.

    Re: elog submit without user and password, posted by Stefan Ritt on Wed Jul 10 08:53:21 2002
> I guess it cannot and doesn't have to be 100% safe.  Maybe if the web
> interface is used for a new message a long random number (let's call
> it newID) can be included, which elog remembers for some time (say 1
> day).  Now elogd accepts a new message only if 
> 
>   1) the cookie is there and valid or
>   2) if the cookies are NOT THERE, but the newID matches one of the
>        stored ones.     
> 
> The new message is rejected if the cookies are there, but are wrong.

Ok that sounds a good idea to me, I will work on that.

> Can one delete or edit messages with elog?  If yes then this should not be
> possible.

No this is not possible.
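
The acceptance rule proposed in this thread, sketched in C as an added example (not code from elogd.c). The function names, the 16-byte ID size, the fixed in-memory table and the single-use behaviour are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

#define MAX_IDS  64
#define ID_BYTES 16                 /* 128 random bits per newID */
#define ID_TTL   (24 * 60 * 60)     /* "say 1 day", as proposed in the thread */

enum cookie_state { COOKIE_ABSENT, COOKIE_VALID, COOKIE_WRONG };
static struct { unsigned char id[ID_BYTES]; time_t issued; int live; } store[MAX_IDS];

/* Issue a newID when the "New" form is served (password already checked). */
int issue_new_id(unsigned char out[ID_BYTES], time_t now)
{
    FILE *f = fopen("/dev/urandom", "rb");
    size_t n = f ? fread(out, 1, ID_BYTES, f) : 0;
    if (f) fclose(f);
    if (n != ID_BYTES) return -1;
    for (int i = 0; i < MAX_IDS; i++) {
        if (store[i].live && now - store[i].issued <= ID_TTL) continue;
        memcpy(store[i].id, out, ID_BYTES);      /* reuse a free or expired slot */
        store[i].issued = now;
        store[i].live = 1;
        return 0;
    }
    return -1;                                   /* store full: issue nothing */
}

/* Compare in constant time so response timing does not leak a partial match. */
static int ct_equal(const unsigned char *a, const unsigned char *b)
{
    unsigned char d = 0;
    for (int i = 0; i < ID_BYTES; i++) d |= a[i] ^ b[i];
    return d == 0;
}

/* Decide on "Submit": 1 = accept, 0 = reject. id may be NULL if none was sent. */
int accept_submit(enum cookie_state c, const unsigned char *id, time_t now)
{
    if (c == COOKIE_VALID) return 1;             /* rule 1: valid cookie */
    if (c == COOKIE_WRONG || !id) return 0;      /* wrong cookie is always rejected */
    for (int i = 0; i < MAX_IDS; i++) {
        if (!store[i].live || now - store[i].issued > ID_TTL) continue;
        if (!ct_equal(store[i].id, id)) continue;
        store[i].live = 0;                       /* single use (added assumption) */
        return 1;                                /* rule 2: no cookie, known newID */
    }
    return 0;
}
```

A client that never loaded the "New" form has no newID to present, so a submission with neither a valid cookie nor a stored newID is rejected.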

a bug and a question, posted by mo on Wed Jul 10 22:19:47 2002
   If you have only one entry in the logbook and have it set up in threaded 
mode like: ?cmd=Search&mode=threaded&reverse=1, when you click on the icon 
of the entry or the number of the entry to see it, it does not allow you 
to.  If there is more than one entry, it works fine.  
   Also I wanted to make a submit page from where you could either go back 
to the logbook which you just entered a message for or type a new entry for 
that logbook.  First of all, is there a way to have only one file called 
submitpage.html in which I can define this for all logbooks or do I need it 
for every logbook.  And also, is there a way I can even set a link that will 
allow to create a new entry.  I tried: 
    <a href="demo/?cmd=new">Enter</a> another message<p>

but for some reason it does not work.  Is there a way to implement this?

Thanks,
Mo

    Re: a bug and a question, posted by Stefan Ritt on Thu Jul 11 10:36:09 2002
>    If you have only one entry in the logbook and have it set up in threaded 
> mode like: ?cmd=Search&mode=threaded&reverse=1, when you click on the icon 
> of the entry or the number of the entry to see it, it does not allow you 
> to.  If there is more than one entry, it works fine.  

Ok, has been fixed. Will come in 2.0.5

>    Also I wanted to make a submit page from where you could either go back 
> to the logbook which you just entered a message for or type a new entry for 
> that logbook.  First of all, is there a way to have only one file called 
> submitpage.html in which I can define this for all logbooks or do I need it 
> for every logbook.  And also, is there a way I can even set a link that will 
> allow to create a new entry.  I tried: 
>     <a href="demo/?cmd=new">Enter</a> another message<p>
> 
> but for some reason it does not work.  Is there a way to implement this?

The documentation was wrong about that, which has been corrected. The proper 
file contents should be

<h1>You successfully submitted a message</h1>
<a href="?cmd=Back">Back</a> to the logbook<p>
<a href="?cmd=New">Enter</a> another message

This way one only needs one file for all logbooks.

entry number not updated properly after deleting, posted by mo on Thu Jul 11 15:59:17 2002
Hello,
    If you delete a message from the middle of a logbook that contains a 
bunch of messages, the message numbers do not get updated properly.  For 
instance, if you have 20 messages in the logbook, and delete number 15, 
entry numbers 16 through 20 all do not get subtracted by one; their numbers 
stay the same with #15 just missing in the middle.  

Mo

    Re: entry number not updated properly after deleting, posted by Stefan Ritt on Thu Jul 11 16:03:56 2002
> Hello,
>     If you delete a message from the middle of a logbook that contains a 
> bunch of messages, the message numbers do not get updated properly.  For 
> instance, if you have 20 messages in the logbook, and delete number 15, 
> entry numbers 16 through 20 all do not get subtracted by one; their numbers 
> stay the same with #15 just missing in the middle.  
> 
> Mo

That's how it's supposed to be. Once a unique message ID is attached to a 
message, it stays there forever. Think of links to messages like

http://midas.psi.ch/elogdemo/Forum/68

If you have such a link in a message or as a bookmark in your browser, and 
the ID gets changed from 68 to 67, then your link would be off.

last x link TEXT, posted by H. Scheit on Fri Jul 12 10:18:21 2002
The last x link TEXT now shows up like this

   'Last 20 entries?mode=threaded'

I can not reproduce this with the elogdemo logbook, however.

    Re: last x link TEXT, posted by Stefan Ritt on Fri Jul 12 10:26:40 2002
> The last x link TEXT now shows up like this
> 
>    'Last 20 entries?mode=threaded'
> 
> I can not reproduce this with the elogdemo logbook, however.

...because it has been fixed in the meantime (revision 2.41). I have not made a 
new release since I want to fix the elog password submission first. In 
the meantime, you can get the actual version from 

http://midas.psi.ch/cgi-bin/cvsweb/elog/elogd.c