  Discussion forum about ELOG, Page 752 of 806
ID Date Icon Author Author Email Category OS ELOG Version Subject
  69262   Tue Dec 1 02:12:14 2020 Reply Harry Martin harrymartin772@gmail.com Bug report Windows 2.7.7-2246 Re: Change / List Change doesn't work anymore?

Stefan Ritt wrote:

Holger Mundhahs wrote:
Hello @all,

I'm not sure if this is a bug, but after upgrading from 2.7.0 to 2.7.7 the Change <attribute> and List Change <attribute> don't work anymore. In my .cfg file I've:

Quote:
Change RIB-http = <a href="https://$RIB-Hostname/" target="_new">RIB-Board</a>
List Change RIB-http = <a href="https://$RIB-Hostname/" target="_new">RIB-Board</a>


In the old ELOG version I've "RIB-Board" as text in the page and the link works well. But now there is the following code generated:

Quote:
<tr><td nowrap class="attribname">RIB-http:</td><td class="attribvalue">
&lt;a href="<a href="https://RIB-COMPUTER/">https://RIB-COMPUTER/</a>" target="_new"&gt;RIB-Board&lt;/a&gt;&nbsp;</td>
</tr>

Is the syntax changed from 2.7.0 to 2.7.7? What's the correct syntax for 2.7.7?


For security reasons (XSS or cross-site scripting), HTML code in attributes is not allowed by default. To turn it on (and if you know what you are doing), add the following line to your configuration:
Allow HTML = 1



I know this is an old, old thread, but I am trying to use this feature in a recent version of elog (3.1.3). Is there any chance this will ever get fixed, or at least made workable? I tried "Allow HTML = 1", but that did not work. I'd like to be able to use this to link directly to carriers to track packages.

Also, the documentation seemed a bit confusing to me:

Quote:
Change <attribute> = <string>
Instead of substituting an attribute, the original attribute can be kept and just the output formatting can be changed. This can be very handy for constructing HTML links out of attributes. Presume that a company has a telephone book reachable under

http://any.company.com/telbook.cgi?search=<name>

where <name> has to be replaced by a search string. Now one can construct an automatic telephonebook lookup with following options:

Attributes = Name, Telephone, ...
Display Telephone = <a href="http://any.company.com/telbook.cgi?search=$Name">$Name's telephone number</a>

The attribute Telephone is now automatically constructed from the attribute Name and consists of a link to the company's telephonebook. The advantage of this system is if the URL of the telephonebook changes one day, only one statement in the config file has to be changed, while otherwise (like with the Subst Telephone = ... option) all entries would have to be changed manually.


The example seems to be using a different syntax ("Display Telephone") rather than the syntax described by the section header ("Change <attribute>...").

Any update to this information would be greatly appreciated. I'm just looking for a workable solution of any kind. Thank you for your continuing fine work.
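
The trade-off in Stefan Ritt's quoted reply (escaping attribute output blocks XSS but also turns a configured link into visible text) can be narrowed by escaping only the substituted attribute value and copying the admin-written template markup as-is. The C sketch below is an added example, not ELOG's code: `html_escape` and `expand_change` are hypothetical names, and the hostile attribute value is constructed.

```c
#include <stdio.h>
#include <string.h>

/* HTML-escape src into dst; returns 0, or -1 if dst is too small. */
static int html_escape(const char *src, char *dst, size_t dstsz)
{
    size_t n = 0;
    if (dstsz == 0) return -1;
    for (; *src; src++) {
        char one[2] = { *src, 0 };
        const char *rep = *src == '&' ? "&amp;" : *src == '<' ? "&lt;" :
                          *src == '>' ? "&gt;" : *src == '"' ? "&quot;" :
                          *src == '\'' ? "&#39;" : one;
        size_t len = strlen(rep);
        if (n + len + 1 > dstsz) { dst[0] = 0; return -1; }
        memcpy(dst + n, rep, len);
        n += len;
    }
    dst[n] = 0;
    return 0;
}

/* Expand "$<name>" in an admin-written template. The template markup is
   trusted and copied unchanged; only the entry's attribute value is escaped. */
int expand_change(const char *tmpl, const char *name, const char *value,
                  char *out, size_t outsz)
{
    char esc[512], key[64];
    size_t n = 0;
    int klen = snprintf(key, sizeof key, "$%s", name);
    if (outsz == 0 || klen < 2 || klen >= (int)sizeof key) return -1;
    if (html_escape(value, esc, sizeof esc) != 0) return -1;
    while (*tmpl) {
        int hit = strncmp(tmpl, key, (size_t)klen) == 0;
        const char *piece = hit ? esc : tmpl;
        size_t len = hit ? strlen(esc) : 1;
        if (n + len + 1 > outsz) { out[0] = 0; return -1; }
        memcpy(out + n, piece, len);
        n += len;
        tmpl += hit ? klen : 1;
    }
    out[n] = 0;
    return 0;
}

int main(void)
{
    const char *tmpl = "<a href=\"https://$RIB-Hostname/\" target=\"_new\">RIB-Board</a>";
    char link[1024], text[2048];
    /* constructed hostile value stored in the RIB-Hostname attribute */
    expand_change(tmpl, "RIB-Hostname", "host\"><i>x</i>", link, sizeof link);
    html_escape(link, text, sizeof text); /* escaping everything: link shows as text */
    printf("value escaped: %s\nall escaped:   %s\n", link, text);
    return 0;
}
```

Because the template fixes the `https://` scheme and the value lands inside a double-quoted attribute, escaping the quote and angle brackets is enough to keep the value from breaking out of the `href`.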
  69263   Tue Dec 1 02:39:45 2020 Reply Harry Martin harrymartin772@gmail.com Bug report Windows 2.7.7-2246 Re: Change / List Change doesn't work anymore?

I am able to make it work by passing just a plain string constructing the URL. Strange though... before I posted the previous log entry, it didn't work no matter what I tried! Bizarre.

However, it would still be a good idea to update the documentation to clarify things somewhat and bring it up to date with actual usage today.
  69264   Tue Dec 1 22:57:25 2020 Reply Andreas Luedeke andreas.luedeke@psi.ch Bug report Windows 2.7.7-2246 Re: Change / List Change doesn't work anymore?

You are referring here to a Forum entry for an old ELOG version: this will not be changed, since it was for that old version.
If you want some documentation to be updated, then you should show the documentation part that should be updated.
  69265   Wed Dec 2 00:43:31 2020 Reply Harry Martin harrymartin772@gmail.com Bug report Windows 2.7.7-2246 Re: Change / List Change doesn't work anymore?

I have been looking at the documentation at https://elog.psi.ch/elog/config.html#attrib. (See the quoted portion, above.) If there is newer documentation, please post a link for it here. Thank you!
  69267   Wed Dec 2 11:51:24 2020 Reply Stefan Ritt stefan.ritt@psi.ch Bug report Windows 2.7.7-2246 Re: Change / List Change doesn't work anymore?
Yepp, the documentation was wrong. I fixed it.

Stefan
  69274   Thu Dec 3 01:53:59 2020 Reply Harry Martin harrymartin772@gmail.com Bug report Windows 2.7.7-2246 Re: Change / List Change doesn't work anymore?

Stefan Ritt wrote:
Yepp, the documentation was wrong. I fixed it.

Stefan


Thank you.
  69285   Thu Dec 31 18:35:19 2020 Reply prinnydood moltensolderlabs@pm.me Bug report Linux 3.1.3 Re: Path disclosure on unfound file

I can confirm this issue exists on version 3.1.3, which I have installed on Debian 10.

The issue also exists on version 3.14 (1.20190113git283534d97d5a.el7), which I tested on an AmazonLinux EC2 instance.

This is what I found:

1. if I leave out the extension at the end of the URL for a non-existent page, it gives me the red error box. So far so good... Example: /gibberish

2. if I include any random extension at the end of the URL for a non-existent page, it gives me the red error box. So far so good... Example: /gibberish.php or /gibberish.htm or /gibberish.asdfasd

3. if I include any .html extension specifically at the end of the URL for a non-existent page, elog exposes the path /usr/share/elog/themes/default/gibberish.html. This is a bug... Example: /gibberish.html exposes the path, and likewise, /.gibberish.html ( "dot" + gibberish) exposes the path

4. if I include a valid, existent .html file which is located in the directory /usr/share/elog/themes/default/, and call it, elog exposes the html document. Example: I created an html file called gibberish.html (containing <html><body><p>Hello world</p></body></html>) in my system's /usr/share/elog/themes/default/ directory. After navigating back to the /gibberish.html URL, I was presented with the HTML file.

Turning on -v (verbose mode), the responses by elogd when accessing these are: "GET /elog/gibberish.html HTTP/1.0 Returned 605 bytes" (displays "Hello world" html file), and "GET /elog/gibberish.asdfasd HTTP/1.0 Returned 605 bytes" (displays red error box).

=====

My guess: the program seems to be caring about the files ONLY if they have html file extension. Please see the screenshots below.

====

What are the security implications? Not much, I think. From what I can tell, exposing the "/usr/share/themes/elog" path, and also exposing the elog version when the file does not exist. Hope this reply helps anyone else with the same question.

(I am sure the error exposing the version can be removed by editing the source code--this is probably beyond my capabilities at this point).
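
The leak reported in item 3 is an error message that carries the server's resolved file path. As an added illustration in C (not ELOG's source and not the actual fix; `safe_leaf` and `serve_theme_file` are hypothetical names), this handler keeps the resolved path in a server-side log line and returns only the requested file name to the client. The theme directory is the one named in the report.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define THEME_DIR "/usr/share/elog/themes/default" /* directory named in the report */

/* Last component of the URL path, or NULL if it is empty or contains
   anything other than letters, digits, '.', '-' and '_'. */
static const char *safe_leaf(const char *url_path)
{
    const char *leaf = strrchr(url_path, '/');
    leaf = leaf ? leaf + 1 : url_path;
    if (*leaf == 0 || strstr(leaf, "..")) return NULL;
    for (const char *p = leaf; *p; p++)
        if (!isalnum((unsigned char)*p) && !strchr("._-", *p)) return NULL;
    return leaf;
}

/* Try to serve a theme file. Returns the HTTP status; on 404 the client body
   names only the requested leaf, while the resolved path goes to the log. */
int serve_theme_file(const char *url_path, char *body, size_t bodysz,
                     char *logline, size_t logsz)
{
    char full[512] = "";
    const char *leaf = safe_leaf(url_path);
    FILE *f = NULL;
    if (bodysz == 0 || logsz == 0) return 500;
    logline[0] = 0;
    if (leaf && snprintf(full, sizeof full, "%s/%s", THEME_DIR, leaf) < (int)sizeof full)
        f = fopen(full, "rb");
    if (f) {
        size_t n = fread(body, 1, bodysz - 1, f);
        body[n] = 0;
        fclose(f);
        return 200;
    }
    snprintf(body, bodysz, "File \"%s\" not found", leaf ? leaf : "(invalid name)");
    if (leaf) snprintf(logline, logsz, "404 not found: %s", full);
    return 404;
}

int main(void)
{
    char body[256], logline[600];
    int st = serve_theme_file("/elog/gibberish.html", body, sizeof body,
                              logline, sizeof logline);
    printf("client <- %d %s\nserver log: %s\n", st, body, logline);
    return 0;
}
```

The character whitelist also keeps the echoed name from carrying markup into the error page, so the message needs no separate HTML escaping.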

  69288   Fri Jan 8 13:47:14 2021 Reply Stefan Ritt stefan.ritt@psi.ch Bug report Linux 3.1.3 Re: Path disclosure on unfound file

Ok, I fixed the code in the current commit (395e101add19f0fe8a11a25d0822e511f34d94d1). The path gets stripped, and we see a
