ID | Date | Icon | Author <Author Email> | Category | OS | ELOG Version | Subject

67885 | Wed May 6 17:35:14 2015 | Question | Bruce Bush <bruce_bush@sil.org> | Bug report | Linux | 3.10.2 | Path disclosure on unfound file

Greetings,

  Running elog 3.1.0 on CentOS 6.6.  When I try to access a nonexistent file, elog reveals a path in the 404 page.  For example:

Not Found

The requested file /usr/local/elog/themes/default/blortblortblort7854.htm was not found on this server


ELOG version 3.1.0
 
  Is there any way to use a custom 404 page with elog, or to make it stop displaying the file information?
 
Thank you,
bb
67884 | Wed May 6 15:13:11 2015 | Warning | Christof Hanke <hanke@rzg.mpg.de> | Bug fix | All | 3.1.0 | Parse the username correctly in save_user_config when using Webserver authentication

Hi Stefan,

 

When we use Webserver authentication, we have the correct username already in the variable http_user.

The old way of copying this http_user to "user" is wrong since we don't use the size of http_user.

Instead, just encode the http_user variable directly.

See attached patch against git HEAD.

Christof

 

Attachment 1: parse_http_user_correctly.patch
diff --git a/src/elogd.c b/src/elogd.c
index 601639c..de4734b 100755
--- a/src/elogd.c
+++ b/src/elogd.c
@@ -13142,12 +13142,13 @@ int save_user_config(LOGBOOK * lbs, char *user, BOOL new_user)
 
    /* if we outsourced the authentication, use external username */
    getcfg(lbs->name, "Authentication", str, sizeof(str));
-   if ( stristr(str, "Webserver")) {
-      strlcpy(user, http_user, sizeof(user));
-   }
 
    /* do not allow HTML in user name */
-   strencode2(user_enc, user, sizeof(user_enc));
+   if ( stristr(str, "Webserver")) {
+      strencode2(user_enc, http_user, sizeof(user_enc));
+   } else {
+      strencode2(user_enc, user, sizeof(user_enc));
+   }
 
    /* check for user name */
    if (!isparam("new_user_name") || *getparam("new_user_name") == 0) {
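Review bot: the removed `strlcpy(user, http_user, sizeof(user))` was truncating as well as being misplaced: `user` is a `char *` parameter (see the hunk header `int save_user_config(LOGBOOK * lbs, char *user, BOOL new_user)`), so `sizeof(user)` is the size of a pointer, not of the caller's buffer, and only the first few characters of the webserver username were ever copied. The new code encodes `http_user` directly, which fixes that, but it also means `user` itself is no longer updated inside this function; please confirm that nothing after this point in `save_user_config` (or its callers) still relies on `user` holding the webserver-supplied name, otherwise the copy needs to be kept with the real buffer size passed in.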
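The truncation behind the removed line, shown as an added example that is not ELOG's code: a `char *` parameter named `user` is copied into with `sizeof(user)`, which is the pointer size, so long usernames are silently cut while short ones look fine. The `my_strlcpy` stand-in is assumed here so the example builds without BSD `strlcpy`; the sample names are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Local stand-in for BSD strlcpy() so the example builds on any libc:
 * copies at most size-1 bytes into dst and always NUL-terminates. */
static size_t my_strlcpy(char *dst, const char *src, size_t size)
{
    size_t len = strlen(src);
    if (size > 0) {
        size_t n = len < size - 1 ? len : size - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return len;
}

/* The pattern the patch removes. 'user' is a char * parameter, so
 * sizeof(user) is the size of a pointer (8 on 64-bit), not the size of
 * the caller's buffer: the copy is silently cut to 7 characters. */
static void copy_user_buggy(char *user, const char *http_user)
{
    my_strlcpy(user, http_user, sizeof(user));   /* bug: sizeof of a pointer */
}

/* Corrected form: the real buffer size is passed in by the caller. */
static void copy_user_fixed(char *user, size_t user_size, const char *http_user)
{
    my_strlcpy(user, http_user, user_size);
}

/* Number of characters of http_user that survive each copy. */
size_t buggy_copied_len(const char *http_user)
{
    char user[256];
    copy_user_buggy(user, http_user);
    return strlen(user);
}

size_t fixed_copied_len(const char *http_user)
{
    char user[256];
    copy_user_fixed(user, sizeof(user), http_user);
    return strlen(user);
}

int main(void)
{
    /* constructed sample names: a short one hides the bug, a long one shows it */
    printf("bob -> buggy %zu, fixed %zu\n", buggy_copied_len("bob"), fixed_copied_len("bob"));
    printf("christof.hanke -> buggy %zu, fixed %zu\n",
           buggy_copied_len("christof.hanke"), fixed_copied_len("christof.hanke"));
    return 0;
}
```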
67883 | Wed May 6 12:31:04 2015 | Entry | Christof Hanke <hanke@rzg.mpg.de> | Comment | All | 3.1.0 | Documentation of the webserver authentication

Hi Stefan,

here is a draft of how you could describe the webserver authentication in your docs.

T/Christof

Attachment 1: webserver_auth_doc.patch
diff --git a/doc/adminguide.html b/doc/adminguide.html
index da25388..0568ae3 100755
--- a/doc/adminguide.html
+++ b/doc/adminguide.html
@@ -243,6 +243,37 @@ URL = http://your.proxy.host/subdir/
 
 into elogd.cfg.<p>
 
+<h3><hr><i>Using apache authentication:</i></h3>
+It is also possible to login via an apache-auth module.
+In elogd.cfg you should use the keyword "Webserver" for Authentication: + +<ul><pre> +Authentication = Webserver +</pre></ul> +This triggers elogd to use the environment variable "X-Forwarded-User" as the logged in user.
+A simple example of a apache configuration (including the proxy) is : +<ul><pre> +# this required to pass on the generated env-variable X-Forwarded-User to the proxy +ProxyPassInterpolateEnv On + +ProxyPass /elog/ http://your.host.domain:8080/ + +&lt;Location "/elog"&gt; + Order allow,deny + Allow from all + AuthType Basic + AuthName "elog-server" + AuthUserFile "/opt/elog/htpasswd" + require valid-user + RequestHeader unset Authorization + RequestHeader add X-Forwarded-User %{REMOTE_USER}s + # elog doesn't like the '@', so we need to cut it + RequestHeader edit X-Forwarded-User "@(.*)$" "" +&lt;/Location&gt; +</pre></ul> + + + <hr><a name="imagemagick"> <div class=section>&nbsp; Installing ImageMagick &nbsp;</div> <p> When images are attached to ELOG entries, thumbnails can be created for quick preview. This works also for PDF and PostScript files. ELOG forwards any image operation diff --git a/doc/config.html b/doc/config.html index 9848f58..9e98855 100755 --- a/doc/config.html +++ b/doc/config.html @@ -2207,6 +2207,22 @@ Options Location = Main Building{a}, New Building{b}, Old Building{c} you have to change your password by other means (such as via the Windows login if you use a Windows Domain). </p> + <p> + Beside the Kerberos authentication, elogd version 3.0 and higher can be configured to accept a authentication done + by the webserver. + <ul> + <li> + <b><code>Authentication = Webserver</code></b> + </li> + </ul> + </p> + <p> + You can also combine it with other authentication methods as shown for Kerberos. + </p> + <p> + Elogd is then accepting the username set in the Request-Header "X-Forwarded-User" as already logged in.<br/> + To make this work, you need to configure the webserver correctly, as describe in the adminguide. + </p> <p> <a name="email" id="email"></a>
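Review bot: the adminguide hunk should say that elogd must only be reachable through the proxy. With `Authentication = Webserver` elogd accepts whatever `X-Forwarded-User` arrives, so a client that can reach the `ProxyPass` target (`http://your.host.domain:8080/`) directly, bypassing the Apache `<Location>` block, can present any username; add a sentence that elogd should listen on localhost or be firewalled to the proxy host. The hunk also calls `X-Forwarded-User` an "environment variable" while `RequestHeader add X-Forwarded-User %{REMOTE_USER}s` sets a request header (and the config.html hunk correctly says "Request-Header"); use "request header" in both places. Minor wording: "a apache configuration" should be "an Apache configuration" and the comment "this required to pass on" should read "this is required to pass on".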
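Review bot: in the config.html hunk, "accept a authentication done by the webserver" should be "accept an authentication done by the webserver" and "as describe in the adminguide" should be "as described in the adminguide". The `<ul>` placed inside the `<p>` is a block element inside a paragraph, so close the `</p>` before the list. The text says "elogd version 3.0 and higher" while the entries in this thread are filed against 3.1.0 and the request in 67882 treats the feature as newly added; please confirm which release introduced Webserver authentication before the docs commit to 3.0.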
67882 | Wed May 6 11:00:14 2015 | Idea | Christof Hanke <hanke@rzg.mpg.de> | Request | All | 3.1.0 | logout to external page

Hi Stefan,

I am happy to see that you include the webserver authentication.
So I can now login at some other page and then access elog.
However, I would also need some means of logging out some where else.

For this I propose a new Configuration option "Logout to page" which redirects to another page if set and "Logout to main" is 0.

See the attached patch (against git HEAD).

Does this make sense to you?

Christof

PS: Many thanks for the autosave mode, I already used it ;-)
 

Attachment 1: logout_to_page.patch
diff --git a/src/elogd.c b/src/elogd.c
index 601639c..0f976be 100755
--- a/src/elogd.c
+++ b/src/elogd.c
@@ -27975,6 +27975,11 @@ void interprete(char *lbook, char *path)
       if (getcfg(lbs->name, "Logout to main", str, sizeof(str)) && atoi(str) == 1) {
          sprintf(str, "../");
          setparam("redir", str);
+      } else {
+         getcfg(lbs->name, "Logout to page", str, sizeof(str));
+         if (str[0]) {
+             setparam("redir", str);
+         }
       }
       set_sid_cookie(lbs, "", "");
       sid_remove(getparam("sid"));
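Review bot: in the new `else` branch the return value of `getcfg(lbs->name, "Logout to page", str, sizeof(str))` is ignored and the `if (str[0])` test assumes `getcfg` clears `str` when the key is absent. If it leaves `str` untouched on a miss, `str` still holds whatever the preceding "Logout to main" lookup wrote, and that leftover string becomes the redirect target. Safer to test the return value as the surrounding code already does for "Logout to main": `if (getcfg(lbs->name, "Logout to page", str, sizeof(str)) && str[0])`. The new "Logout to page" option also needs an entry in the configuration documentation.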
67881 | Tue May 5 12:17:24 2015 | Agree | Andreas Luedeke <andreas.luedeke@psi.ch> | Bug report | Linux | 3.1.0 | Re: Problem with autosave functionality when combined with no 'edit' button

Oops, now I feel almost a little bit sorry for asking. But thank you anyway!!!

You should see it that way: there are millions of possible applications for a smart electronic logbook like ELOG, and most possible combinations of flags and options will make sense for some of them.

Stefan Ritt wrote:

Arghhhh! Guess how many people asked me for the autosave feature! I worked really hard on it (including an airplane flight to Japan!), now the next guy comes: "can we disable that feature?"

I agree that this feature has many side effects, and I have to address them one by one, but in the end the community will benefit. Think of starting a draft at one computer, and finishing at another one. Lazarus won't help you there.

Nevertheless, I added a "Save drafts" which you can set to zero. But I would rather prefer if people tell me their problems, and I fix them, instead of silently just disabling this feature and keeping the bugs there unresolved.

Andreas Luedeke wrote:

By the way Stefan: is there a way to disable the whole draft message feature?

If people are used to e.g. the lazarus addon for firefox, they might prefer their browser to keep their drafts confidential, instead of suffering from accidental premature draft postings ;-)

67880 | Tue May 5 12:09:53 2015 | Reply | Stefan Ritt <stefan.ritt@psi.ch> | Bug report | Linux | 3.1.0 | Re: Problem with autosave functionality when combined with no 'edit' button

Arghhhh! Guess how many people asked me for the autosave feature! I worked really hard on it (including an airplane flight to Japan!), now the next guy comes: "can we disable that feature?"

I agree that this feature has many side effects, and I have to address them one by one, but in the end the community will benefit. Think of starting a draft at one computer, and finishing at another one. Lazarus won't help you there.

Nevertheless, I added a "Save drafts" which you can set to zero. But I would rather prefer if people tell me their problems, and I fix them, instead of silently just disabling this feature and keeping the bugs there unresolved.

Andreas Luedeke wrote:

By the way Stefan: is there a way to disable the whole draft message feature?

If people are used to e.g. the lazarus addon for firefox, they might prefer their browser to keep their drafts confidential, instead of suffering from accidental premature draft postings ;-)

 

67879 | Tue May 5 12:05:47 2015 | Reply | Stefan Ritt <stefan.ritt@psi.ch> | Bug report | Linux | 3.1.0 | Re: Problem with autosave functionality when combined with no 'edit' button

I changed the code such that editing of draft messages is always possible, even if the "edit" command is not allowed otherwise. Update is in GIT. Please check if that works at ND280.

Thomas Lindner wrote:

We recently tried upgrading the ND280 elog instance to elog 3.1.0. [1] We seem to have some problems with this 'auto-save' functionality. Specifically, it doesn't seem to play nice with the fact that we prefer to disable users' ability to edit old messages. So we have (up to now) had the following set of commands specified in elogd.cfg:

Menu commands = List, New, Reply, Delete, Duplicate, Copy to, Move to, Find, Help

The problem is that we now get auto-saved messages, but no ability for the user to actually go back and finish the draft message.  You can see an example of this state in this test elog

http://neut17.triumf.ca:8080/demo/

Clicking on the draft message you can see that it can't be edited. If you try to click 'new' then edit the draft, you get the message 'Error: Command "Edit" not allowed'. So we had zombie draft messages, until we added the edit command back; but that defeats our preference that users not mess up old messages.

In general this auto-saving seems like a useful feature. So the ideal solution for me would be to have some mode where users could edit/finish draft messages, but where we could still disable users from editing completed/finished messages. I.e., where we can omit 'Edit' from the menu commands, but still get auto-save.

A less ideal, but perhaps simpler solution would be that if an elog has omitted 'Edit' from the menu commands, then this auto-save/save functionality is disabled so that we don't get uneditable draft messages.

[1] https://midas.psi.ch/elogs/Forum/67855

 

67878 | Tue May 5 11:01:36 2015 | Reply | Andreas Luedeke <andreas.luedeke@psi.ch> | Bug report | Linux | 3.1.0 | Re: Problem with autosave functionality when combined with no 'edit' button

Hi Thomas,

just my two cents: as a quick workaround (for now) you could restrict editing messages to a short time range, like 30 minutes. That would cover most cases of draft messages.
Restrict edit time = 0.5
 
But I agree that it probably makes no sense to limit the editing of draft messages: Stefan will probably fix this soon.
By the way Stefan: is there a way to disable the whole draft message feature?
If people are used to e.g. the lazarus addon for firefox, they might prefer their browser to keep their drafts confidential, instead of suffering from accidental premature draft postings ;-)
 
Thomas Lindner wrote:

We recently tried upgrading the ND280 elog instance to elog 3.1.0. [1] We seem to have some problems with this 'auto-save' functionality. Specifically, it doesn't seem to play nice with the fact that we prefer to disable users' ability to edit old messages. So we have (up to now) had the following set of commands specified in elogd.cfg:

Menu commands = List, New, Reply, Delete, Duplicate, Copy to, Move to, Find, Help

The problem is that we now get auto-saved messages, but no ability for the user to actually go back and finish the draft message.  You can see an example of this state in this test elog

http://neut17.triumf.ca:8080/demo/

Clicking on the draft message you can see that it can't be edited. If you try to click 'new' then edit the draft, you get the message 'Error: Command "Edit" not allowed'. So we had zombie draft messages, until we added the edit command back; but that defeats our preference that users not mess up old messages.

In general this auto-saving seems like a useful feature. So the ideal solution for me would be to have some mode where users could edit/finish draft messages, but where we could still disable users from editing completed/finished messages. I.e., where we can omit 'Edit' from the menu commands, but still get auto-save.

A less ideal, but perhaps simpler solution would be that if an elog has omitted 'Edit' from the menu commands, then this auto-save/save functionality is disabled so that we don't get uneditable draft messages.

[1] https://midas.psi.ch/elogs/Forum/67855

 

ELOG V3.1.5-2eba886