[Phplogcon-dev] release structure

Brian Shea bgshea at gmail.com
Wed Dec 7 16:52:32 CET 2005


Completely agree to stable and beta versions!!

1.2.1 can be fixed easily for the % char, but the cookies will need much
more work. But if you tell people about the problem, then they can take the
proper precautions.

This can be found in auth.php for 1.2.4_bgs; it will handle all characters
that we might want to limit in the future.

// Check for special SQL characters: returns TRUE if $string contains
// any character from $bad_list (single quote, double quote, percent, space)
function invalid_chars( $string )
{
    // Characters rejected in user names and passwords; extend as needed
    $bad_list = array("'", '"', "%", " ");

    foreach( $bad_list as $needle )
    {
        // strpos() returns 0 for a match at offset 0, so compare with !== FALSE
        if( strpos( $string, $needle ) !== FALSE )
        {
            return TRUE;
        }
    }
    return FALSE;
}

Example of how to use it:

if( invalid_chars( $user ) || invalid_chars( $pass ) )
{
    // BAD: reject the login attempt and show the access-denied page
    WriteHead('phpLogCon :: ' , _MSGAccDen, '', '', _MSGAccDen, 0);
    print '<br><b>..:: ' . _MSGNamInvChr . ' ::..</b><br>';
    echo '<br>..:: <a href="index.php">', _MSGBac2Ind, '</a> ::..';
    WriteFooter();
    exit;
}
else
{
    // GOOD: input contains none of the blacklisted characters, continue with login
}


NOTE TO MYSELF: make gmail insert > for replies to messages.
On 12/7/05, Michael Meckelein <mmeckelein at hq.adiscon.com> wrote:
>
> > Anyhow, we should remember that the whole thing started when Brian
> > detected some security issues. The currently distributed source still
> > contains them. So I think it is definitely time to do something
> > against it.
>
> ACK.
>
> > I propose we do the following:
> >
> > #1 document the limitations of the current "security model", which
> > most importantly means telling people very directly that these are
> > profiles and not actual security-safe accounts. Michael mentioned we
> > had such a document. If so, we should dig it out and publish it, if not,
> > we should create at least a small one ;)
>
> I didn't find such a document. Probably it was discussed by email or chat.
> I know we have discussed it, but obviously missed documenting it. We should
> document that immediately. Besides mentioning it in the manual,
> should we create a FAQ, e.g. telling how to use .htaccess?
>
> >
> > #2 fix the most important things without major change (I think about
> > the % userid/password issue). My goal here would be to fix what can be
> > done very quickly and have a better version online.
>
> Timm, please take the current code from the cvs and merge Brian's bug
> fixes (http://www.hackthebox.org/) into it as soon as possible. Then we
> can make a release of this branch. Note that besides the security fixes
> this release will also include some minor fixes which were already made and
> the Database options page Timm has implemented.
>
> > We could then also fork phplogcon into a stable and a development
> > branch, where stable just receives the most important things (but is
> > stable ;)) while development would be the (b)leading edge, at which
> > almost all further work is conducted.
>
> Sounds good. It is the common way for open source development, isn't it?
>
> Michael
> _______________________________________________
> Phplogcon-dev mailing list
> http://lists.adiscon.net/mailman/listinfo/phplogcon-dev
>
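The invalid_chars() blacklist above rejects any login value containing a quote, double quote, percent sign or space. The following is an added illustration, not code from this thread or from phpLogCon, written in Python against an in-memory SQLite table (constructed sample users, hypothetical column names) so it runs offline. It ports the blacklist, places it beside a parameterised lookup, and shows the trade-off a reviewer would want to see: the blacklist turns away legitimate values such as a password with a space or a surname with an apostrophe, while a concatenated query breaks on the apostrophe and a parameterised query handles both correctly.

```python
import sqlite3

# Python port of the invalid_chars() blacklist from the message above.
BAD_LIST = ("'", '"', "%", " ")


def invalid_chars(value: str) -> bool:
    """Return True if value contains any character from the blacklist."""
    return any(needle in value for needle in BAD_LIST)


def make_db() -> sqlite3.Connection:
    """Constructed in-memory user table standing in for the real user store.

    Plaintext passwords are used only to keep the demonstration short; a real
    application stores a salted password hash, never the password itself.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pass TEXT)")  # hypothetical schema
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("brian", "p@ss word"), ("o'neil", "xyz")],  # constructed sample rows
    )
    return conn


def lookup_concat(conn: sqlite3.Connection, user: str, pw: str):
    """The fragile pattern: SQL text built by string concatenation.

    Any quote in the input becomes part of the SQL grammar instead of data,
    which is exactly the class of problem the blacklist tries to paper over.
    """
    sql = ("SELECT name FROM users WHERE name = '" + user
           + "' AND pass = '" + pw + "'")
    return conn.execute(sql).fetchone()


def concat_breaks(conn: sqlite3.Connection, user: str, pw: str) -> bool:
    """True if the concatenated query fails to parse for this input."""
    try:
        lookup_concat(conn, user, pw)
    except sqlite3.Error:
        return True
    return False


def lookup_param(conn: sqlite3.Connection, user: str, pw: str):
    """Hardened form: placeholders keep the input out of the SQL grammar.

    Note the comparison is '=' rather than LIKE, so a '%' in the input is a
    literal character and not a wildcard.
    """
    row = conn.execute(
        "SELECT name FROM users WHERE name = ? AND pass = ?", (user, pw)
    ).fetchone()
    return row[0] if row else None


def authenticate(conn: sqlite3.Connection, user: str, pw: str,
                 use_blacklist: bool = True) -> str:
    """Combine both layers and report 'rejected', 'ok' or 'denied'.

    With use_blacklist=True the behaviour matches the auth.php snippet: the
    request is rejected before any query runs.  With use_blacklist=False the
    parameterised lookup alone decides, and legitimate values containing
    blacklisted characters are accepted.
    """
    if use_blacklist and (invalid_chars(user) or invalid_chars(pw)):
        return "rejected"
    return "ok" if lookup_param(conn, user, pw) == user else "denied"


if __name__ == "__main__":
    db = make_db()
    print("blacklist, space in password:", authenticate(db, "brian", "p@ss word"))
    print("params only, space in password:",
          authenticate(db, "brian", "p@ss word", use_blacklist=False))
    print("params only, apostrophe in name:",
          authenticate(db, "o'neil", "xyz", use_blacklist=False))
    print("concatenated query breaks on apostrophe:",
          concat_breaks(db, "o'neil", "xyz"))
```

The blacklist is a quick stop-gap of the kind the thread is asking for, but it rejects valid input and only covers the characters someone thought of; the parameterised query is the fix that does not depend on the list being complete.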
