Demo Discussion
Forum Config Examples Contributions Vulnerabilities
  Discussion forum about ELOG, Page 187 of 806  Not logged in ELOG logo
 Find |  Login |  Help 
 Full | Summary | Threaded | Collapse | Expand  Show only new entries    6445 Entries 
Goto page Previous  1, 2, 3 ... 186, 187, 188 ... 804, 805, 806   Next  
icon5.gif   Is there a way to upload a file in custom input?, posted by Satyajit Jena on Tue Dec 15 14:50:55 2020 

Hi,

I am trying to implement a Custom input forms by following this  https://elog.psi.ch/elogs/Contributions/49. Is there a way to also insert an image or files to it? I want to take a snap from the iPad and want that to go as an attachment or attach a file(s) into the form. Is there a way to do that?

Your suggestions are highly appreciated.

Regards,

sjena

 

    icon2.gif   Re: Is there a way to upload a file in custom input?, posted by Stefan Ritt on Tue Dec 15 15:19:25 2020 

When you submit a "normal" elog entry, you can click on "Choose file" to add an attachment. On a mobile device, you will then be asked to select a photo from your library or take one with your camera. You can do the same on a custom form. You have to extract the code from the normal submissoin form and program it on your custom page. It needs however some work and might not be straight forward.

Stefan

Satyajit Jena wrote:

Hi,

I am trying to implement a Custom input forms by following this  https://elog.psi.ch/elogs/Contributions/49. Is there a way to also insert an image or files to it? I want to take a snap from the iPad and want that to go as an attachment or attach a file(s) into the form. Is there a way to do that?

Your suggestions are highly appreciated.

Regards,

sjena

 

 

    icon2.gif   Re: Is there a way to upload a file in custom input?, posted by Satyajit Jena on Tue Dec 15 17:41:57 2020 

Thanks Stefan,

I am not yet able to figure out how attachment submission is done, I am trying. It would be helpful if you can refer me to some pointer.

With regards,

satyajit

Stefan Ritt wrote:

When you submit a "normal" elog entry, you can click on "Choose file" to add an attachment. On a mobile device, you will then be asked to select a photo from your library or take one with your camera. You can do the same on a custom form. You have to extract the code from the normal submissoin form and program it on your custom page. It needs however some work and might not be straight forward.

Stefan

Satyajit Jena wrote:

Hi,

I am trying to implement a Custom input forms by following this  https://elog.psi.ch/elogs/Contributions/49. Is there a way to also insert an image or files to it? I want to take a snap from the iPad and want that to go as an attachment or attach a file(s) into the form. Is there a way to do that?

Your suggestions are highly appreciated.

Regards,

sjena

 

 

 

icon5.gif   Different Top Groups or Groups have the same logbook name , posted by MATT TERRON on Tue Feb 2 04:01:21 2021 

I have built different top groups for different departments. But occasionally these different top groups have the same logbook name, say 'Maintenance Log'. So is there a way I can have the same logbook name under different 'Top Groups', rather than rename these logbooks as 'Department1 Maintenance Log' all the way to 'Department_X Maintenance Log'?

    icon2.gif   Re: Different Top Groups or Groups have the same logbook name , posted by Stefan Ritt on Tue Feb 2 07:43:49 2021 

Unfortunately you have to name these top groups differently, because they are internally used for the database name.

MATT TERRON wrote:

I have built different top groups for different departments. But occasionally these different top groups have the same logbook name, say 'Maintenance Log'. So is there a way I can have the same logbook name under different 'Top Groups', rather than rename these logbooks as 'Department1 Maintenance Log' all the way to 'Department_X Maintenance Log'?

 

    icon2.gif   Re: Different Top Groups or Groups have the same logbook name , posted by MATT TERRON on Tue Feb 2 08:17:15 2021 

So both Top Group names and Logbook names should be unique inside one .cfg file, is that correct?

Stefan Ritt wrote:

Unfortunately you have to name these top groups differently, because they are internally used for the database name.

MATT TERRON wrote:

I have built different top groups for different departments. But occasionally these different top groups have the same logbook name, say 'Maintenance Log'. So is there a way I can have the same logbook name under different 'Top Groups', rather than rename these logbooks as 'Department1 Maintenance Log' all the way to 'Department_X Maintenance Log'?

 

 

    icon2.gif   Re: Different Top Groups or Groups have the same logbook name , posted by Stefan Ritt on Tue Feb 2 08:25:46 2021 

That's correct.

Stefan Ritt wrote:

Unfortunately you have to name these top groups differently, because they are internally used for the database name.

MATT TERRON wrote:

I have built different top groups for different departments. But occasionally these different top groups have the same logbook name, say 'Maintenance Log'. So is there a way I can have the same logbook name under different 'Top Groups', rather than rename these logbooks as 'Department1 Maintenance Log' all the way to 'Department_X Maintenance Log'?

 

 

    icon2.gif   Re: Path disclosure on unfound file, posted by Gabriel Lopez on Wed Feb 3 17:28:16 2021 

Hello, This is coming up as a high vulnerability in our scans. Are there plans to update the rpm for this fix? If so is there an ETA? Any update would be much appreciated. Currently running elog-3.1.4-2 

Stefan Ritt wrote:

Ok, I fixed the code in the current commit (395e101add19f0fe8a11a25d0822e511f34d94d1). The path gets stripped, and we see a

prinnydood wrote:

I can confirm this issue exists on version 3.1.3, which I have installed elog on Debian 10.

The issue also exists on version 3.14 (1.20190113git283534d97d5a.el7), which I tested on an AmazonLinux EC2 instance.

This is what I found:

1. if I leave out the extension at the end of the URL for a non-existent page, it gives me the red error box. So far so good... Example: /gibberish

2. if I include any random extension at the end of the URL for a non-existent page, it gives me the red error box. So far so good... Example: /gibberish.php or /gibberish.htm or /gibberish.asdfasd

3. if I include any .html extension specifically at the end of the URL for a non-existent page, elog exposes the path /usr/share/elog/themes/default/gibberish.html. This is a bug... Example: /gibberish.html exposes the path, and likewise, /.gibberish.html ( "dot" + gibberish) exposes the path

4. if I include a valid, existent .html file which is located in the directory /usr/share/elog/themes/default/, and call it, elog exposes the html document. Example: I created an html file called gibberish.html (containing <html><body><p>Hello world</p></body></html>) in my system's /usr/share/elog/themes/default/ directory. After navigating back to the /gibberish.html URL, I was presented with the HTML file.

Turning on -v (verbose mode), the response by elogd when accessing these are: "GET /elog/gibberish.html HTTP/1.0 Returned 605 bytes" (displays "Hello world" html file), and "GET /elog/gibberish.asdfasd HTTP/1.0 Returned 605 bytes" (displays red error box).

=====

My guess: the program seems to be caring about the files ONLY if they have html file extension. Please see the screenshots below.

====

What are the security implications? Not much, I think. From what I can tell, exposing the "/usr/share/themes/elog" path, and also exposing the elog version when the file does not exist. Hope this reply helps anyone else with the same question.

(I am sure the error exposing the version can be removed by editing the source code--this is probably beyond my capabilities at this point).

 

 

Goto page Previous  1, 2, 3 ... 186, 187, 188 ... 804, 805, 806   Next  
ELOG V3.1.5-3fb85fa6